Approximately 17,000 security executives, analysts, hackers, academics and government/law enforcement staffers from 112 countries filled the Mandalay Bay Hotel for Black Hat USA 2018. Now in its 21st year, the conference was immediately followed by the 26th anniversary of DEF CON, a less corporate, more festival-like conference at Caesar’s Palace that attracted an even larger group of hacker-oriented attendees.
Together, the conferences were a whirlwind of sessions, contests and parties. There were a lot of intellectually curious, technically skilled people on hand, reveling in the duo that has become affectionately known as Hacker Summer Camp.
One of the enterprise security subjects that caught our interest during the conferences was container security.
The popularity of software container platforms such as Docker and Kubernetes has exploded over the past few years, as companies look for ways to get applications to run reliably when moved from one environment to another, whether the target environment is a public cloud, a private data center or even a personal laptop. As Black Hat presenter Wesley McGrew pointed out, “This is likely to make life a lot easier for attackers.”
With containers, each application (or process) on a server runs in its own isolated environment while sharing the host server’s operating system (OS) kernel. Since containers don’t have to boot an OS of their own, they can be created almost instantly: a container starts in seconds, where a virtual machine (VM) takes minutes. Containers are also more portable, easier to scale, and a natural way to break a complex application down into modular micro-services. The same hardware can support far more containers than VMs, reducing infrastructure costs and letting applications deploy faster.
The application container market is expected to grow to nearly $3 billion by 2020 according to 451 Research.
However, the same elements that enable containers to increase agility also present security challenges.
- Because all containers on a host share its kernel, a kernel vulnerability or a container escape on that host can lead to a compromise of every container running on it.
- Traditional host-based security agents lack the context to enforce different policies on different containers on the same host.
- Breaking applications into their base components (micro-services) turns a small number of workloads into tens or hundreds that need to be managed.
- Because containers can be created in seconds, traditional network and endpoint controls cannot keep up with the changes required to secure them.
- The orchestration APIs and control plane are a new attack surface: they add complexity to delivering the actual compute service and expose application internals that were previously unreachable.
A DEF CON workshop called “Attacking & Auditing Docker Containers Using Open Source” focused on container security issues and vulnerabilities in Dockerised environments. Attendees learned how to find security misconfigurations and insecure defaults, and how container escape techniques are used to gain access to the host operating system or the cluster; they also looked at real-world scenarios in which attackers compromised containers to reach applications, data and other assets.
What You Can Do
Security teams need to be aware of container deployments that are planned or in progress within the organization. A continuous vulnerability assessment and remediation program is an integral part of any successful containerization initiative.
- Use a hardened, patched OS for the host OS.
- Scan containers in development for configuration and vulnerability issues before production.
- Maintain standard configurations and container profiles.
- Use containers on a single physical host for workloads of similar trust levels until security gaps are addressed, or isolate containers using a virtual machine (VM) or physical hardware if trust levels are mixed.
- Control how containers communicate with one another, and limit which containers can reach the Docker daemon socket (the docker group) or other containers’ open ports.
- Enforce access controls to privileged accounts and operations for the deployment pipeline.
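The misconfigurations the DEF CON workshop covered and the configuration scanning recommended in the list above can be checked directly from `docker inspect` output. The following audit script is an added example written for this article; it is not code from the original post or from the workshop. It flags the settings that most commonly give a container a path to the host (`--privileged`, a bind mount of the Docker socket or host root, `--pid=host`, `--net=host`, added capabilities, disabled seccomp/AppArmor, a root user and a writable root filesystem). The three container records and the severity ranking are constructed for the example; in practice you would feed it `docker inspect $(docker ps -q)`.

```python
"""Audit `docker inspect` records for escape-enabling misconfigurations.

Added example for this article (not the original post's or the workshop's
code).  Reads the JSON that `docker inspect` emits and reports settings that
give a container a path to the host.  The sample records below are constructed
by hand so the script runs offline; nothing here talks to a Docker daemon.
"""
import json

# Capabilities that hand a container process host-level power.  The set is
# this example's choice of the usual suspects, not an official Docker list.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN",
                  "DAC_READ_SEARCH", "SYS_RAWIO"}

# Host paths that, once bind-mounted, expose the Docker daemon or the host
# filesystem itself to the container.
SENSITIVE_SOURCES = {"/var/run/docker.sock", "/run/docker.sock", "/",
                     "/etc", "/root", "/proc", "/sys"}


def _normalize_cap(cap):
    """`docker inspect` may show 'CAP_SYS_PTRACE' or 'SYS_PTRACE'; compare bare names."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(info):
    """Return [(severity, message), ...] for one `docker inspect` record."""
    findings = []
    host = info.get("HostConfig") or {}
    cfg = info.get("Config") or {}

    if host.get("Privileged"):
        findings.append(("high", "--privileged: every capability and every host device"))

    for cap in host.get("CapAdd") or []:
        if _normalize_cap(cap) in DANGEROUS_CAPS:
            findings.append(("high", "CapAdd %s" % _normalize_cap(cap)))

    # Bind mounts appear both as resolved Mounts and as the raw Binds strings
    # ("src:dst[:opts]"); collect the host-side sources once.
    sources = set()
    for mount in info.get("Mounts") or []:
        if mount.get("Type") == "bind":
            sources.add(mount.get("Source", ""))
    for bind in host.get("Binds") or []:
        sources.add(bind.split(":", 1)[0])
    for src in sorted(sources):
        if src in SENSITIVE_SOURCES:
            findings.append(("high", "bind mount of host path %s" % src))

    if host.get("PidMode") == "host":
        findings.append(("high", "--pid=host: can see and signal host processes"))
    if host.get("NetworkMode") == "host":
        findings.append(("medium", "--net=host: shares the host network namespace"))
    for opt in host.get("SecurityOpt") or []:
        if opt in ("seccomp=unconfined", "apparmor=unconfined"):
            findings.append(("medium", "security profile disabled: %s" % opt))

    # An empty User means the image default, which is root unless the
    # Dockerfile set USER.
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "root", "0"):
        findings.append(("medium", "runs as root inside the container"))
    if not host.get("ReadonlyRootfs"):
        findings.append(("low", "writable root filesystem"))
    return findings


def audit_all(records):
    """Map container name -> findings, omitting containers with none."""
    report = {}
    for info in records:
        name = (info.get("Name") or "?").lstrip("/")
        found = audit_container(info)
        if found:
            report[name] = found
    return report


def worst_severity(findings):
    """Highest severity present, or None for a clean container."""
    order = {"high": 3, "medium": 2, "low": 1}
    return max((sev for sev, _ in findings), key=order.get, default=None)


# Constructed sample: a CI runner with the classic socket mount, a hardened web
# container, and a debugging container with host namespaces and no seccomp.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/ci-runner", "Config": {"User": ""},
   "HostConfig": {"Privileged": true, "NetworkMode": "bridge", "PidMode": "",
                  "CapAdd": null, "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                  "ReadonlyRootfs": false, "SecurityOpt": null},
   "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
               "Destination": "/var/run/docker.sock"}]},
  {"Name": "/web", "Config": {"User": "10001:10001"},
   "HostConfig": {"Privileged": false, "NetworkMode": "bridge", "PidMode": "",
                  "CapAdd": null, "Binds": null, "ReadonlyRootfs": true,
                  "SecurityOpt": ["no-new-privileges"]},
   "Mounts": []},
  {"Name": "/debug", "Config": {"User": "root"},
   "HostConfig": {"Privileged": false, "NetworkMode": "host", "PidMode": "host",
                  "CapAdd": ["CAP_SYS_PTRACE"], "Binds": null, "ReadonlyRootfs": false,
                  "SecurityOpt": ["seccomp=unconfined"]},
   "Mounts": []}
]
""")

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSPECT).items():
        print("%s (%s):" % (name, worst_severity(findings)))
        for sev, msg in findings:
            print("  [%s] %s" % (sev, msg))
```

The clean `web` record shows what the remediation looks like in `docker run` terms: `--user 10001:10001`, `--read-only`, `--security-opt no-new-privileges`, no added capabilities and no host namespaces or socket mounts. Running the script against every container on a host, and again against the compose or Kubernetes manifests before they reach production, is the concrete form of the "scan containers in development" step above.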
Container security providers offer tools for organizations using Docker, Kubernetes and other platforms. They provide full-lifecycle vulnerability management and application-tailored runtime defense to help secure containers against threats. They can link containers to a predefined set of security templates so that containers are created with security policies already attached, isolate one workload from another, and block attacks against running instances of software in the environment.