The enterprise technology space constantly changes as new solutions become available. Containers and Kubernetes have altered the development process forever. Because containers run directly on the host OS kernel, they are fast and portable, which makes CI/CD practical. However, security flaws hold containers back from their true potential.
Security tools certainly help reduce issues, but it’s impossible to predict every new threat that arises. To understand what threats may be coming, we asked security professionals who build solutions in this space. We interviewed Alert Logic global VP of solution engineering Mark Brooks, distinguished Ixia engineer Kris Raney, and Twistlock CTO John Morello.
We have already witnessed customers being impacted by botnet activity as well as cryptojacking. There is also the age-old issue of patching. As new vulnerabilities are discovered in any container platform or containerized workload, patches are released to mitigate the vulnerability risks. If developers are not updating to the latest version, unpatched systems become an entry point for command and control as well as data exfiltration.
Perhaps the biggest challenge, however, is a failure to learn from the past. When organizations initially started to embrace virtualized environments, we learned a lot about security and how innovative attackers are. In thinking about how to address container security, it is important to avoid being seduced by faster deployment speeds and reduced costs. Security still matters and failing to address it from the beginning just means you’ll pay a higher bill later in remediation costs and lost productivity in the face of an attack.
One thing I expect to see is published, compromised container images. Effectively, a Trojan horse. This could be a deliberate act or just an honest mistake. But it’ll happen from time to time.
The second thing I expect is techniques to weaponize innocent containers. An example of the concept is a DNS-based DDoS. You spoof a very small request to a bunch of DNS servers, and each one responds with a very large response to the victim address you spoofed as. The DNS server becomes an unwitting party in the attack. The same concept applies to microservices. “If I make this request to the service, it causes it to spam the database.”
It’s a specific case of a general class of threat I call “illegitimate uses of legitimate channels.” Superficially, the request comes in looking like any other, so you can’t block it at a firewall or based on some generic rule. But hidden within it is a malicious intent, and that’s only revealed by behavior. Quite possibly, it’s only apparent by looking at behavior holistically across many services. The DNS-based DDoS case is an example of this: one spoofed request to one DNS server isn’t noticeable and really isn’t a concern. Thousands of the same request distributed across thousands of servers makes a DDoS.
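The "look at behavior holistically across many services" point above can be made concrete with a small correlation check. The following is an added example, not code from the interviewees or their companies; it assumes a constructed key=value log format in which a gateway entry, service calls and database queries all share a request id (rid), so one inbound request's downstream fan-out and byte amplification can be computed even though each individual query looks normal on its own.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the article). r1 is a normal search;
# r2 is a single small request that fans out into 40 large database queries.
SAMPLE_LOGS = [
    "svc=gateway rid=r1 event=request path=/search bytes=120",
    "svc=search rid=r1 event=query target=db bytes=400",
    "svc=search rid=r1 event=query target=db bytes=400",
    "svc=gateway rid=r2 event=request path=/search bytes=150",
] + ["svc=search rid=r2 event=query target=db bytes=4096" for _ in range(40)]

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Turn a 'k=v k=v' log line into a dict (assumed format, not a real product's)."""
    return dict(KV.findall(line))

def amplification_by_request(lines):
    """Per request id: inbound bytes, downstream query count and downstream bytes."""
    stats = defaultdict(lambda: {"in": 0, "queries": 0, "out": 0})
    for line in lines:
        rec = parse(line)
        rid = rec.get("rid")
        if rid is None:
            continue
        if rec.get("event") == "request":
            stats[rid]["in"] += int(rec.get("bytes", 0))
        elif rec.get("event") == "query":
            stats[rid]["queries"] += 1
            stats[rid]["out"] += int(rec.get("bytes", 0))
    return dict(stats)

def flag_amplified(lines, max_fanout=10, max_ratio=50.0):
    """Return request ids whose fan-out or bytes-out/bytes-in ratio exceeds the baseline.
    A rid with downstream queries but no inbound request gets an infinite ratio and is
    flagged too, since orphaned downstream activity is itself worth a look."""
    flagged = {}
    for rid, s in amplification_by_request(lines).items():
        ratio = s["out"] / s["in"] if s["in"] else float("inf")
        if s["queries"] > max_fanout or ratio > max_ratio:
            flagged[rid] = {"fanout": s["queries"], "ratio": round(ratio, 1)}
    return flagged

if __name__ == "__main__":
    for rid, info in flag_amplified(SAMPLE_LOGS).items():
        print(f"{rid}: fan-out={info['fanout']} amplification={info['ratio']}x")
```

The thresholds are illustrative; in practice they would come from a per-endpoint baseline, and the same per-rid correlation can be fed from whatever tracing or log pipeline already carries a request id.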
For the majority, the softest target is still your own apps. Whether you run those apps in containers or only in VMs, attackers will gravitate towards the path of least resistance. So, it’s less about what new threats come from containers and more about whether you capitalize on the security advantages containers and a cloud native security platform can provide. Manually creating firewall and IDS rules, or learning about vulnerabilities after deployment, is the wrong approach.