StackRox AIM

StackRox Unveils New Adversarial Intent Model to Improve Container Security

Container technologies and containerized applications have quickly matured from niche, fringe concepts to mainstream usage. Securing and protecting containers poses unique challenges—challenges StackRox is focused on addressing. Today, StackRox launched a new version of its flagship product, Detect and Respond 2.0, a container-native runtime security solution that includes the new Adversarial Intent Model, or AIM.

According to a press release from StackRox, previous versions of Detect and Respond were focused on flexibility, configurability, and scalability. Detect and Respond 2.0 builds on that foundation to expand the scope of threat detection capabilities and add advanced automation features. AIM is a threat model developed by StackRox to guide and streamline threat research and detection within Detect and Respond.

Ali Golshan, CTO and co-founder of StackRox, explains, “StackRox AIM is our model that describes how to focus on attacker ‘action choke-points’ not topological ones. This capability gives StackRox the unique capability to focus on risk and threat detection, not just surfacing anomalies, with a focus on decisive responsive and hardening actions.”


Containers are a whole new world when it comes to vulnerabilities, exploits, monitoring and detection. A container environment is inherently dynamic and ephemeral—quickly scaling up or down to meet demand. StackRox researchers studied the container threat landscape and determined that existing frameworks for analyzing and characterizing attack behavior were inadequate when it comes to implementing an effective detection strategy for container threats. StackRox kept what works in those frameworks, identified the gaps, and addressed them to come up with AIM.

AIM views the container threat landscape through an attack lifecycle composed of five phases:

  • Foothold. This is where an attacker gains initial access to a container environment. StackRox can detect reverse shell invocation enabled by generic initial exploitation vectors such as web or network-based exploits or Java-based code injection attacks.
  • Privilege escalation. The attacker elevates privileges in order to gain broader access to the compromised environment.
  • Persistence. The attacker establishes a means to remain resident in the compromised container environment without being detected.
  • Lateral movement. The attacker will attempt to move from one vulnerable point of the network to another—conducting reconnaissance and establishing persistence on additional targets.
  • Objectives. This is where the attacker achieves the intended goal or cashes in on the attack. Running cryptocurrency mining software and exfiltrating sensitive content by reading stored secrets or accessing confidential file paths are all examples of potential objectives.

A more relevant and effective strategy for assessing attack behavior is great, but it is not the only improvement in Detect and Respond 2.0. The new release also improves its automation—particularly in developing a baseline of normal application behavior. An effective baseline allows Detect and Respond to accurately detect anomalous behavior that maps to one of the five phases of AIM.

StackRox states, “The result is the unique ability to continuously adapt our threat detection and maintain a high level of efficacy while minimizing false positives, even as application behavior changes.”

Containers are great and provide a variety of benefits for developers and organizations. They also need to be secured and protected, though, and that requires container-aware, or—better yet—container-native solutions that understand the unique threat landscape containers face. Combining automation through machine learning with the precision of a container-specific threat model like AIM can protect your containers more effectively so you can sleep better at night.
