When Your Machine Lies To You
A word of caution about container runtime security solutions

Several companies have asked me about container runtime security solutions in my consulting calls (scheduled through IANS Research). Be aware that these solutions interact at a very low level with calls headed for your system kernel. I’m not going to get into the details too much here, but software can operate at different levels within a system: user space or kernel space. Container runtime security solutions are a brilliant idea because you don’t have to depend solely on the security controls within a container or on sidecars, but they also come with some inherent risks.
Given the number of supply chain attacks we’ve had recently, you’ll want to understand how these systems work at a low level and take measures to implement them securely. Perform a proper vendor assessment to ensure the companies providing this software are taking steps on their side to prevent a supply chain attack, as the consequences of that could be quite harmful given the nature of this software. Use a zero-trust approach for system management and updates.
Different methods exist for interacting with the system hosting the containers. Depending on which approach a vendor uses to capture calls to the system kernel, you’ll face different types of risk. With some methods, you risk bypass of the software intended to capture system calls. Some may replace low-level system software. With other approaches to capturing system calls, a history of CVEs exists in the particular mechanism used to capture the information, and CVEs that occur that deep in the system could make detection extremely difficult.
All this software captures calls headed for your system kernel. The main problem with anything interacting with your system kernel is that a compromise of the kernel itself could make any output from that machine untrusted. Once an attacker has control of the “brain” of your operating system, they can change any log or tool output you see from the operating system itself, so any investigation at the user interface level is pretty much useless at that point. You’ll need to dive much deeper into memory, and sometimes malware can even trick memory analysis.
At that point, you’re relying on network traffic and other external means to deduce that something is going wrong since the system itself is lying to you. I’ve included some additional reading on kernel-mode rootkits at the end of this post if you want to dive deeper into this topic.
A container runtime security solution doesn’t replace all the functionality of sidecars. It doesn’t replace all the other security controls you need to protect your applications, containers, and container management solutions. As always, don’t place all your security in the hands of one technology. Leverage a defense-in-depth approach. And be aware that when you leverage low-level solutions that can impact the integrity of the outputs of your system, you’ll need to be extra careful. Ensure your systems are up to date and implement security controls to watch the watcher.
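One concrete form of watching the watcher, as an added example that is not from the original post or from any vendor: a Python check that compares a node’s loaded kernel modules, the runtime agent’s on-disk binary hash and the central collector’s last heartbeat against a baseline, treating a stale heartbeat as evidence in its own right because local output from a compromised kernel cannot be trusted. The module name runtime_guard, the approved module set, the /proc/modules samples and the agent bytes are constructed assumptions.

```python
"""Watch-the-watcher checks for a kernel-level container runtime security agent.
Added example; names, hashes and the /proc/modules samples below are constructed."""
import hashlib

AGENT_MODULE = "runtime_guard"        # hypothetical name of the vendor's kernel module
APPROVED_MODULES = {AGENT_MODULE, "overlay", "br_netfilter", "xt_conntrack"}
MAX_HEARTBEAT_GAP_SEC = 120           # collector expects a heartbeat at least this often

# Constructed inputs: a healthy node, a suspicious node, and the agent's on-disk binary.
HEALTHY_PROC_MODULES = """\
overlay 139264 0 - Live 0xffffffffc0a00000
runtime_guard 53248 1 - Live 0xffffffffc0900000
br_netfilter 32768 0 - Live 0xffffffffc0800000
"""
SUSPICIOUS_PROC_MODULES = HEALTHY_PROC_MODULES + "hidden_ops 16384 0 - Live 0xffffffffc0700000\n"
AGENT_BINARY = b"constructed-agent-binary-v1"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_proc_modules(text: str) -> dict:
    """Map module name -> state from /proc/modules lines ('name size refs deps state addr')."""
    mods = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5:
            mods[parts[0]] = parts[4]
    return mods

def check_host(proc_modules: str, agent_binary: bytes, expected_sha256: str,
               last_heartbeat: int, now: int) -> list:
    """Return alerts; an empty list means the watcher itself looks intact."""
    alerts = []
    mods = parse_proc_modules(proc_modules)
    # 1. The agent's own kernel component must be loaded and live.
    if mods.get(AGENT_MODULE) != "Live":
        alerts.append(f"agent module {AGENT_MODULE} missing or not live")
    # 2. Anything outside the approved module set warrants a look.
    for name in sorted(set(mods) - APPROVED_MODULES):
        alerts.append(f"unexpected kernel module loaded: {name}")
    # 3. Supply-chain check: the agent binary must match the hash recorded by the build pipeline.
    if sha256_hex(agent_binary) != expected_sha256:
        alerts.append("agent binary hash does not match pipeline record")
    # 4. External evidence: a compromised kernel can hide modules and forge local output,
    #    so a stale heartbeat at the central collector is treated as a signal on its own.
    if now - last_heartbeat > MAX_HEARTBEAT_GAP_SEC:
        alerts.append(f"no agent heartbeat for {now - last_heartbeat}s")
    return alerts

if __name__ == "__main__":
    print(check_host(SUSPICIOUS_PROC_MODULES, AGENT_BINARY, sha256_hex(AGENT_BINARY), 1000, 1300))
```

Run the module and heartbeat checks from the collector side, not on the node being checked, since the post’s point is that the node itself may be lying.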
Teri Radichel | © 2nd Sight Lab 2021
