
InsideADockerCrypto_Whitepaper_Final

Issue link: https://resources.threatstack.com/i/1054718


In this case, the executable ran out of the /tmp directory. This behavior will trigger an alert by default in Threat Stack, which looks for any process activity out of /tmp. Malware has a tendency to run out of this directory because, in traditional Linux setups, it's common to give all users permissions to download and execute files out of /tmp. Depending on the use case, however, customers running Docker in production may want to ensure they lock down /tmp.

Execute the cryptomining app, ./cnrig

The process attempted to make three connections: two attempts back out to the attacker's cryptomining pool, and one out to a possible CDN. The connection attempts did not repeat, leading SOC analysts to conclude that the attempts were unsuccessful due to protections elsewhere in the networking layer, such as packet filtering and firewalls.

Customers typically have network defenses in place outside of Threat Stack to block this type of activity. But without the context of processes running in the container, and user behavior within the operating system that was captured while attacks were in motion, it would have taken hours, or even days, to explore logs, correlate behaviors, and pinpoint root cause. After the research described in these steps established what was happening, the SOC team alerted customers.

Knowing which containers accept inbound HTTP requests

Containers aren't a replacement for a DMZ or jump-hosts. The same way you shouldn't directly expose your application layer to the web, container networking should be securely architected to reduce attack surface.

Knowing when containers launch interactive shells

The CIS guidelines for Docker state that an "SSH server should not be running within the container," and this rule is included out-of-the-box with Threat Stack. Instead, if necessary, operators should SSH into the host server, and then jump from the host to the Docker container.
In a purely microservices environment, however, this activity is less common, and the ssh daemon may even be disabled altogether.

Not setting ulimit

Docker allows operators to set hard and soft limits on host resource consumption by containers at runtime using the Linux ulimit command. Setting it prevents attackers from executing a denial of resources attack, where containers are created until they exhaust all memory and CPU on a host server, grinding the machine to a halt.

Letting Docker write to the local filesystem on the host

It's a best practice to expressly define a volume for containers, and make sure that the underlying filesystem on the host is not writeable from the container. Depending on the use case, if a container's root filesystem is not mounted as read-only, it's an excellent candidate for alerting in Threat Stack.

Other Security Considerations

Beyond input validation and other steps to prevent remote code injection, here are some additional fundamentals to consider when approaching container security:

[Layout labels: STEP 5; STEP 6]

CNRig attempts outbound network connections

THREAT STACK ALERT: This alert immediately caught the attention of our SOC team, causing analysts to dig deeper into customers' environments and retrace the preceding steps. After verifying the severity of these alerts, Threat Stack SOC analysts notified customers.

The Threat Stack Cloud Security Platform® monitors cloud, multi-cloud, hybrid and containerized infrastructure for intrusions, anomalies, vulnerabilities, trends, and misconfigurations across the host and infrastructure control plane. Request a demo today or visit us at threatstack.com.

55 Summer Street, Boston, MA 02110
1+ 617.337.4270
threatstack.com

Threat Stack enables businesses of all sizes to securely leverage the benefits of cloud computing by identifying and verifying insider threats, external attacks, and data loss in real time.
Purpose built for today's infrastructure, Threat Stack's comprehensive intrusion detection platform combines continuous security monitoring and risk assessment to help companies gain an unparalleled level of visibility at the speed and scale of today's business. Located in Boston, Massachusetts, Threat Stack works with nearly 400 security-minded customers. For more information or to start a free trial, visit threatstack.com.

COPYRIGHT ©2018 THREAT STACK, INC. TS-CASE-ANATOMYCYBERATTACK-2018

Move Laterally Across Hosts

The actor proceeds to move laterally from this initial rogue EC2 instance, scanning and exploiting as they compromise other hosts in the network. EC2 instances are granted IAM permissions when they launch, giving them legitimate access to managed services like S3 or RDS. So after each new host was compromised on the network, the actor would check its permissions.

[Layout label: STEP 3]

THREAT STACK ALERT: This activity would trigger Threat Stack Host Level Alerts, such as unexpected process execution, network activity, suspicious commands, software executing out of /tmp, kernel modules being installed, and more.

Land on Host With Sufficient Permissions and Extract Data From RDS

Once on a host with the needed IAM permissions, the actor performs the necessary RDS API calls to access the database with the target data. The actor only steals a small amount of data and is therefore able to exfiltrate it either directly through the terminal or through their chain of compromised hosts, and thus is able to avoid any Data Loss Prevention tools.

Attackers aren't always persisting to dive deeper into the host.

One reason why the type of lateral movement in this attack is often harder to detect is that most host level security monitoring techniques assume the actor will want to persist deeper into the host and escalate privileges on it, creating strong controls for these types of behavior on top of decades of Linux/Unix experience.
Instead, however, the actors were attempting to move off the host layer and back into the infrastructure control plane, an activity that most blue teams are not looking for and that never requires them to become root.

It's important to monitor your entire infrastructure, not just your important data.

Many companies put all their security resources where their sensitive data is and leave everything else wide open. However, this overlooks the less obvious routes to your sensitive data. Monitoring the entire infrastructure will increase the chances of detecting an attack early and decrease the time to investigate, especially as detecting reconnaissance at the edge becomes increasingly difficult.

Attackers aren't always looking for large amounts of data.

In this case, it appears that the actor was seeking a small amount of very specific data. Data can be extracted by copying and pasting or even taking a screenshot, so it's important to add multiple layers of detection, including access to the data, not just changes to the file itself.

[Layout labels: STEP 4; INFRASTRUCTURE CONTROL PANE; HOST-LEVEL; Key Takeaways]
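The container points raised earlier on this page (locking down /tmp, setting ulimit, a read-only root filesystem, no SSH server in the container, knowing which containers accept inbound HTTP) can be checked from `docker inspect` output. The following is an added example, not code from the whitepaper or from Threat Stack; the sample records, the container names and the functions `audit_container` and `audit` are constructed for illustration.

```python
import json

# Constructed sample in the shape of `docker inspect` output (not from the whitepaper).
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "/web-hardened",
  "Config": {"ExposedPorts": {"8080/tcp": {}}},
  "HostConfig": {"ReadonlyRootfs": true,
                 "Ulimits": [{"Name": "nproc", "Soft": 256, "Hard": 512},
                             {"Name": "nofile", "Soft": 1024, "Hard": 2048}],
                 "Tmpfs": {"/tmp": "rw,noexec,nosuid,size=64m"}}},
 {"Name": "/worker-default",
  "Config": {"ExposedPorts": {"22/tcp": {}, "80/tcp": {}}},
  "HostConfig": {"ReadonlyRootfs": false, "Ulimits": null, "Tmpfs": null}}
]
""")

def audit_container(c):
    """Return a list of findings for one `docker inspect` record."""
    host = c.get("HostConfig") or {}
    cfg = c.get("Config") or {}
    findings = []
    if not host.get("ReadonlyRootfs", False):
        findings.append("root filesystem is writable (no --read-only)")
    # Only per-container settings are visible in this record.
    if not (host.get("Ulimits") or []):
        findings.append("no per-container ulimit set (no --ulimit)")
    # Assumption of this example: noexec must be stated explicitly for /tmp.
    tmp_opts = (host.get("Tmpfs") or {}).get("/tmp")
    if tmp_opts is None or "noexec" not in tmp_opts.split(","):
        findings.append("/tmp is not a noexec tmpfs; binaries can run from it")
    ports = cfg.get("ExposedPorts") or {}
    if "22/tcp" in ports:
        findings.append("port 22/tcp exposed; possible SSH server in container")
    http = sorted(p for p in ports if p.split("/")[0] in ("80", "8080", "443"))
    if http:
        findings.append("accepts inbound web traffic on " + ", ".join(http))
    return findings

def audit(records):
    """Map container name -> findings for every inspected container."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in records}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name + ":", "no findings" if not findings else "")
        for f in findings:
            print("  -", f)
```

On a live host the same functions can be fed the parsed output of `docker inspect` for the running containers instead of the constructed sample.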
