Cloud Native / Security

Sysdig Detects Lateral Movement Attacks Across Containers and Clouds

1 Apr 2021 2:02pm, by

Security systems provider Sysdig has added unified cloud and container security capabilities with the launch of Continuous Cloud Security Posture Management (CSPM). This single security pane of glass across clouds, workloads, and containers speeds up your ability to detect and respond to lateral movement attacks.

And, what’s a lateral movement attack you ask? Omer Azaria, Sysdig‘s vice president of engineering explained, “lateral movement is an attack pattern that occurs when a bad actor pivots through multiple systems and accounts to gain access to the objective target. After gaining initial access, the attacker tries to move deeper in search of sensitive data and other high-value assets.”

This is usually done, Azaria added, with “a vulnerable application that is publicly available can serve as an entry point. From there, attackers can try to move inside the cloud environment, trying to exfiltrate sensitive data or perform malicious activity such as crypto mining.”

These attacks happen more often you might think. Azaria cited the 2019 Capital One breach and the infamous 2017 Equifax breach as examples.

Here’s how it might work. The Sysdig Threat Research Team found that by exploiting an Apache vulnerability in a container, an attacker can secretly move into the cloud environment. From there they can expand the attack surface. In this instance, the attacker can then execute arbitrary code in the machine and open a reverse shell within the system. With that, you’re in real trouble. After escalating privileges, the attacker could use pod access to find exposed cloud credentials and eventually gain access to the broader cloud environment. At this point, they can steal sensitive data and make your life an utter misery. Just ask Capital One or Equifax security staffers.

To do this Sysdig has built its program on top of the open source Falco and Cloud Custodian. Falco, as most of you know, was created by Sysdig and is the Cloud Native Computing Foundation (CNCF)’s open source, cloud native runtime security project. It’s often used as a Kubernetes threat detection engine.

Cloud Custodian works in Amazon Web Services (AWS). There it works in concert with CloudTrail, which records all AWS API calls to a log file. Today, there are over 200 ready-to-run CloudTrail rules. More rules are being added at a rate of 20-50 new rules per month by both Sysdig and other contributors. While not as well known as Falco, Cloud Custodian has strong momentum in adoption, auto-remediation capabilities, and multicloud support.

Combined in Sysdig CSPM, the company states your security team can identify the entire attack chain and respond to threats faster. Specifically, Sysdig’s new Continuous CSPM includes:

  • Cloud Security Posture Management for AWS based on Cloud Custodian: Sysdig adds cloud asset discovery, cloud services posture assessment, and compliance validation. Cloud security teams can manage their security posture by automatically discovering all cloud services, as well as flagging misconfigurations and violations of compliance and regulatory requirements. These new features are based on Cloud Custodian, an open source, cloud infrastructure security tool.
  • Multicloud Threat Detection for AWS and GCP based on Falco: Sysdig adds support for cloud threat detection via Google Cloud Platform (GCP) audit logs. With this security, teams can continuously monitor for suspicious activity or configuration changes without relying on periodic configuration checks. That’s important because smart attackers can jump in, change an exposed configuration to access the cloud, then change it back immediately once they’ve made it inside. Static checks could miss these quick-change attacks.

In addition, all Sysdig events, including CSPM, compliance, container runtime, and AWS CloudTrail events can be sent to AWS Security Hub. This makes it even easier for security teams to respond to threats before they can cause havoc.

  • Cloud Risk Insights: Sysdig provides new visual insights across interconnected cloud and container security incidents, prioritized by risk levels. The goal is to give you instant visibility to see the entire cloud attack chain. Classifying incidents based on severity levels allows teams to prioritize what to investigate and respond to first. Your security crew can then investigate all suspicious activity to see just how bad it is and quickly begin responding to incidents.

Want to try it? You can for free. Sysdig is offering continuous cloud security for free, forever, for a single account. The company claims, “with easy onboarding, developers can begin to manage cloud posture within minutes. The free tier includes a daily check against CIS benchmarks and continuous threat detection to ensure the cloud environment remains in a secure, compliant and hardened state at all times.” Finally, it also includes inline scanning for AWS Fargate and Elastic Container Registry (ECR) for up to 250 images a month.

Feature image by Zbynek Burival on Unsplash

A newsletter digest of the week’s most important stories & analyses.