Ekaterina Gainullina, Security Vision
Introduction
The growing popularity of containers has brought many advantages: they are the backbone of microservices architectures and allow cloud applications of any size to be built. That same popularity, however, also makes containers a prime target for ransomware, hackers, and other threats.
As a result, enterprises that value robust security must be able to address common container security issues. While there is no one-size-fits-all solution, taking a comprehensive approach and using the right tools can make a big difference.
What security challenges do enterprises face?
First and foremost, in the context of using containers, enterprises face the challenge of identifying and remediating vulnerabilities in container images. Despite the isolation that containers provide to applications, outdated or misconfigured images remain vulnerable to attack. Such vulnerabilities create potential entry points for cyberattacks and can lead to the leakage of sensitive information. In 2023, more than 80% of data breaches involved data stored in the cloud.
An additional challenge for enterprises using containers is the potential threat of a supply chain attack. In the context of containerisation, a supply chain attack occurs when an attacker compromises container images or their dependencies, or injects malicious code into them, during build or deployment.
This form of attack can be particularly dangerous because malicious code can be distributed through official repositories of container images, making it difficult to detect. When an organisation uses such images, it not only puts its own systems at risk, but also spreads the threat to other organisations that may be using the same images.
Vulnerable Docker hosts used for mining
Researchers at Cado Security Labs have spotted a new campaign targeting vulnerable Docker services. This is the first documented case of malware using the 9hits app as a payload.
Attackers install the 9hits app on compromised Docker hosts to use the resources of these systems to generate traffic within the 9hits system and generate credits for themselves. The XMRig container mines cryptocurrency using a private mining pool associated with the attacker's dynamic DNS domain.
For compromised hosts, the result is resource exhaustion: the XMRig miner consumes the available CPU, while the 9hits application uses significant bandwidth, memory, and whatever CPU remains. This can prevent infected servers from operating normally and potentially lead to more serious breaches.
According to Cado security researcher Nate Bill, the discovery highlights the continuous evolution of attackers' strategies for profiting from compromised hosts. It also underscores that insecure Docker hosts remain a common entry point.
How can Trivy help in this context?
Trivy is an open source vulnerability scanner designed for containerised environments. It addresses several security issues related to identifying and managing vulnerabilities in container images. Here are some of the problems that Trivy helps solve:
- Container image security: Trivy specialises in scanning container images for vulnerabilities. This helps identify security issues in the image such as outdated packages, known vulnerabilities, and misconfigurations.
- Base image security: Trivy can detect vulnerabilities in base images used to create other images. This is important because vulnerabilities in base images can propagate to dependent images, affecting the security of the entire containerised application.
- Package vulnerability detection: Trivy analyses the software packages installed in a container image and matches them against known vulnerability databases. It provides information about the specific vulnerabilities associated with each package, allowing users to take appropriate remediation actions.
- Comprehensive vulnerability database support: Trivy supports multiple vulnerability databases, including the National Vulnerability Database (NVD), Red Hat Security Data API, and others. This broad database support increases the accuracy and coverage of vulnerability detection.
- Integration with container orchestration: Trivy integrates with container orchestration platforms such as Kubernetes and Docker. This allows users to easily embed vulnerability scanning into their CI/CD pipelines, container registries, and deployment workflows.
- CI/CD pipeline integration: Trivy can be integrated into Continuous Integration and Continuous Delivery (CI/CD) pipelines to automatically scan container images during build and deployment. This helps ensure that only images that have passed the scan are deployed in production environments.
- Misconfiguration detection: Trivy goes beyond package vulnerabilities and can detect common misconfiguration errors in container images. This includes issues such as overly restrictive file permissions, access to sensitive information, and insecure settings that can pose a security risk.
- Multi-level scanning: Trivy analyses vulnerabilities at all levels of the container image, including the base image, dependencies and application-specific layers. This comprehensive approach provides a holistic view of the security posture of the entire image.
- Fast scanning: Trivy is designed for speed and provides fast vulnerability scanning. This is especially important in CI/CD environments, where fast feedback on security vulnerabilities is essential to maintaining a secure software development lifecycle.
In addition to the above features, it is worth noting that Trivy is also capable of creating SBOM (Software Bill of Materials) files in SPDX (Software Package Data Exchange) format. An SBOM is a structured list of all software components used in a container image, including their dependencies and known vulnerabilities.
SBOM files play an important role in the digital software delivery process as they provide transparency and clarity about software composition and security. They help organisations comply with security and regulatory rules and standards, and simplify vulnerability analysis and management during application development and operation.
Creating SBOM files with Trivy provides transparency and trust in the digital software delivery process, which is a key aspect in today's application development and deployment environment.
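The CI/CD gate and SBOM generation described above, as an added example that is not part of the original article or of the Trivy project: a small Python helper that wraps the Trivy CLI (the `trivy image --format json`, `--format spdx-json` and `--output` flags are real), parses the JSON report, and fails the pipeline only on fixable HIGH or CRITICAL findings. The blocking-severity policy, the function names and the sample report are assumptions constructed for this example.

```python
import json
import subprocess
import sys

# Severities that block a deployment (assumption: team policy, not a Trivy default).
BLOCKING = {"CRITICAL", "HIGH"}

def trivy_json_report(image: str) -> dict:
    """Scan an image with Trivy and parse its JSON report (real flags: --format json)."""
    proc = subprocess.run(["trivy", "image", "--format", "json", "--quiet", image],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)

def write_spdx_sbom(image: str, path: str) -> None:
    """Write an SPDX SBOM for the image (real flags: --format spdx-json --output)."""
    subprocess.run(["trivy", "image", "--format", "spdx-json", "--output", path, image], check=True)

def blocking_findings(report: dict, ignore_unfixed: bool = True) -> list:
    """Return (target, id, package, installed, fixed) for findings that should block.
    Unfixed findings are skipped when ignore_unfixed is True, like Trivy's --ignore-unfixed."""
    hits = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # absent or null for a clean target
            if v.get("Severity") not in BLOCKING:
                continue
            fixed = v.get("FixedVersion", "")
            if ignore_unfixed and not fixed:
                continue
            hits.append((result.get("Target", ""), v["VulnerabilityID"],
                         v["PkgName"], v.get("InstalledVersion", ""), fixed))
    return hits

# Constructed sample in Trivy's JSON layout; IDs and packages are placeholders, not real CVEs.
SAMPLE_REPORT = {"Results": [
    {"Target": "example:1.0 (debian 12)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "InstalledVersion": "1.0-1",
         "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother", "InstalledVersion": "2.3",
         "FixedVersion": "", "Severity": "HIGH"},  # no fix yet: skipped under ignore_unfixed
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libminor", "InstalledVersion": "0.1",
         "FixedVersion": "0.2", "Severity": "LOW"}]},
    {"Target": "app/requirements.txt", "Vulnerabilities": None}]}

if __name__ == "__main__":  # usage: gate.py [image]; without an image the sample is gated
    report = trivy_json_report(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    hits = blocking_findings(report)
    for target, vid, pkg, installed, fixed in hits:
        print(f"{target}: {vid} in {pkg} {installed} (fixed in {fixed})")
    sys.exit(1 if hits else 0)
```

In a pipeline the non-zero exit code is what stops the deployment; call `write_spdx_sbom` in the same job to archive the SBOM alongside the build artefact.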
Results
In the context of securing containerised environments, the Trivy project is a tool with a wide range of features and capabilities. The results of the analysis emphasise the importance of using such tools to detect and remediate vulnerabilities in container images, thus ensuring a high level of security in the digital space. However, it should be borne in mind that its use should be complemented by security recommendations and practices suggested by professional analysts and industry standards. This includes regularly updating container images, strictly controlling access to containers and network resources, and monitoring and responding to anomalous events in the container environment.
In addition, it is important to take into account the characteristics of each specific environment and application when using Trivy, and to consider industry-specific security and compliance requirements or regulatory guidelines. Only an integrated approach to container security, which includes not only the use of tools but also informed practices and strategies, will enable organisations to effectively protect their container environments from threats and attacks.