New attack vectors need new tools…
Houston-headquartered cybersecurity company Alert Logic today announced the industry’s first network intrusion detection system (IDS) dedicated to protecting containers – widely used isolated environments for running software services.
The toolkit can monitor containers deployed on AWS including Docker, Amazon Elastic Container Service, Kubernetes, CoreOS, and AWS Elastic Beanstalk. Support for additional cloud-deployed containers will be available before the end of the year.
What Does It Do?
It analyses the signature of data packets as they traverse containers. The company also offers protection against a broad range of server-side threats — including web application attacks like SQL injection, path traversal and cross-site scripting.
Chris Noell, Senior Vice President, Engineering at Alert Logic, said: “Network intrusion detection is critical to providing the visibility into container attacks that other approaches miss.” He described the IDS as “the only security solution in the market that addresses container visibility at the network layer.”
“Although container technology is relatively new, it’s already a ‘go to’ code deployment strategy for Logicworks,” said Steven Zeller, Vice President, Product Marketing for Logicworks. He added that as a result of their increasingly wide use, reassuring customers that specific security measures were in place was vital.
But Can You Hack Containers, Like, Badly?
Sagie Dulce, a senior security researcher for Aqua Security is among those to have highlighted container vulnerabilities.
In a paper published at last year’s Black Hat cybersecurity conference, he showed how by creating a container that is both persistent and concealed, attackers can execute commands against the Docker daemon – a program that runs in the background – to gain and exploit root access inside the virtual machine environment.
This kind of access also allows malicious actors to find more open ports and infect additional machines, Dulce said. Docker patched the vulnerability within two weeks.
He recommended not exposing container APIs through open ports and making sure that those who access APIs are authorized to do so. Dulce also recommended analysing container logs, disabling NetBIOS and LLMNR protocols, continuously scanning images in registries and monitoring containers.
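The first of those recommendations, not exposing the Docker daemon API on an open port, can be checked from the daemon's own configuration. The following is an added example, not code from the article or from Alert Logic or Aqua Security: a small Python audit that reads a daemon.json (using the real keys hosts, tls, tlsverify, tlscacert, tlscert and tlskey) and flags TCP listeners that lack client-certificate verification or are bound to every interface; both sample configurations are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: API exposed on all interfaces over plain TCP.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "tls": false
}
"""

# Constructed sample: same remote listener, bound to one address and
# requiring client certificates (tlsverify implies tls in Docker).
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

ALL_INTERFACES = {None, "", "0.0.0.0", "::"}


def audit_daemon_hosts(config_text: str) -> list:
    """Return one finding string per risky API listener in a daemon.json."""
    cfg = json.loads(config_text)
    tlsverify = bool(cfg.get("tlsverify", False))
    findings = []
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// listeners are local-only
        if not tlsverify:
            # --tls alone encrypts but does not authenticate the client;
            # only --tlsverify requires a certificate signed by the CA.
            mode = "TLS without client auth" if cfg.get("tls") else "plain TCP"
            findings.append(f"{host}: {mode}; daemon accepts any network peer")
        elif not all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")):
            findings.append(f"{host}: tlsverify set but certificate paths missing")
        if parts.hostname in ALL_INTERFACES:
            findings.append(f"{host}: bound to all interfaces")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_hosts(cfg) or ["no findings"])
```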
What Are Containers Again?
Containers are a logical packaging mechanism in which applications can be abstracted from the environment in which they actually run.
This allows developers to focus on their application logic and dependencies, while IT operations teams can focus on deployment and management without bothering with application details such as specific software versions and configurations.
Like virtual machines, they allow you to package your application together with libraries and other dependencies, providing isolated environments for running your software services. But instead of virtualising the hardware stack like virtual machines do, containers virtualise at the operating system level, with multiple containers running on the OS kernel directly.