In recent years, containerization has become a popular approach to application deployment and management. Containers enable developers to build more quickly and efficiently in the cloud by offering a convenient and streamlined way to package applications and their dependencies. While lightweight and portable, containerized environments introduce new attack vectors and risks such as runtime vulnerabilities, configuration errors and lateral movement between containers. Ensuring the security of containerized environments requires a comprehensive approach that involves multiple layers of security and continuous monitoring such as consistent vulnerability scanning and threat detection.
Recently, we’ve added agentless container security posture capabilities in the Defender Cloud Security Posture Management (CSPM) plan. Previously, to discover parts of the Kubernetes estate, the Defender Profile, deployed as part of the Defender for Containers plan, needed to be deployed on each cluster. Defender CSPM now collects inventory of the Kubernetes cluster, without the use of an agent and without dependency on Defender for Containers. These insights are included as part of the Cloud Security Explorer and Attack Path Analysis.
However, security posture management alone is not enough to get full visibility into potential threats and security risks. Defender for Containers and its agent-based capabilities are significant in detecting near-real-time threats on the cluster. In this blog, we highlight how Defender CSPM and Defender for Containers can be used to help organizations secure their containerized environments in the cloud.
Proactively detecting risk to the Kubernetes estate with Defender CSPM
On the back end, Defender CSPM utilizes a graph-based context engine that discovers all resources in an organization’s environment as well as connections such as internet exposure, all without an agent. By adopting an agentless approach, organizations can proactively eliminate concerns with deploying, maintaining, updating, or troubleshooting an agent, enabling them to focus on other critical tasks. By using the context engine, Defender CSPM provides two unique features to help organizations maintain their containers and Kubernetes security posture: the Cloud Security Explorer and Attack Paths.
- Through the Cloud Security Explorer, organizations can query the context engine via an interactive query builder. In the case of containerized environments, organizations get visibility into their containers and Kubernetes inventory including granularity such as pods and namespaces.
Scenario: Identifying pods running container images impacted by high severity vulnerabilities like OpenSSL v3
In recent years, organizations were notified of OpenSSL v3 vulnerabilities. An attacker could exploit the OpenSSL v3 vulnerability by sending a malicious certificate to the server as part of client authentication and crash the server or execute remote code when it processes the certificate. Through the Cloud Security Explorer, organizations could proactively and quickly identify which container images were impacted by OpenSSL v3 as well as the pods running those images.
From the list of resources to query, start by selecting “Container Images”, then from the available conditions select “Vulnerabilities”, “By CVE ID”, and finally enter “3889” to filter for the OpenSSL v3 vulnerability. By clicking the plus sign next to “Container Images”, you can also add a condition to see which pods are running those containers. To see other entities detected on your container workloads in the Cloud Security Explorer, visit: Reference list of attack paths and cloud security graph components - Defender for Cloud | Microsoft Learn
- Using attack path analysis, organizations can also see exploitable paths on their container workloads that an attacker may use to breach their environment. Additionally, organizations can leverage recommendations on how to best remediate the attack path and prevent a successful breach.
Scenario: Detect internet exposed Kubernetes pod running a container with high severity vulnerabilities
An internet exposed Kubernetes pod increases the attack surface of the cluster by exposing the services in the pod to external networks. Internet exposure could allow unauthenticated access through techniques such as port scanning. If one container in the pod becomes compromised, other containers in the same pod are also at risk. The added layer of high severity vulnerabilities poses an additional threat. An attacker could gain network access to the pod and exploit the high severity vulnerabilities to then gain remote code execution capabilities on the container. Attackers can then use remote code execution to perform a variety of actions such as deploying ransomware, injecting malware into the container and stealing sensitive data, all of which are expensive for organizations to recover from.
Out of the box, Defender CSPM shows the attack path “Internet exposed Kubernetes pod is running a container with high severity vulnerabilities”. Defender CSPM simplifies the call to action by showing organizations which specific resources are impacted by this attack path as well as steps they can take to remediate the attack path.
The attack path starts by showing the specific entry point, in this case the Azure Kubernetes Service (AKS) cluster. It then shows the specific namespace inside the cluster that contains the ingress and service which route traffic to the pod running the container with high severity vulnerabilities.
Defender CSPM takes it a step further by even allowing you to select the high severity vulnerabilities that need to be remediated. Once the vulnerability is selected, you can click the "Open the vulnerability page" for a filtered view of the vulnerability.
In the remediation steps, Defender CSPM recommends resolving the recommendation that reports on vulnerable images as well as hardening the internet exposure to the minimum required.
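To make the two graph queries in this section concrete, here is an added example in Python. It is not Microsoft code and not the Defender for Cloud API; it models a tiny cloud security graph of the kind the agentless context engine builds. The node kinds, edge names, cluster and pod names, image tags and CVE identifiers (CVE-0000-3889, CVE-0000-1111) are constructed placeholders; the only value taken from the text is the "3889" id fragment used in the explorer filter. The first function mirrors the Container Images -> Vulnerabilities (By CVE ID) -> Pods query; the second walks the ingress -> service -> pod -> image -> vulnerability chain behind the "Internet exposed Kubernetes pod is running a container with high severity vulnerabilities" attack path, so the difference between an inventory hit and an exploitable path is visible in the output.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

Node = Tuple[str, str]  # (kind, name), e.g. ("pod", "web-7c9")


class SecurityGraph:
    """Tiny labelled directed graph standing in for the agentless context
    engine's inventory. Assumed model for this example, not Defender's."""

    def __init__(self) -> None:
        self.edges: Dict[Node, List[Tuple[str, Node]]] = defaultdict(list)
        self.attrs: Dict[Node, dict] = defaultdict(dict)

    def add(self, src: Node, relation: str, dst: Node) -> None:
        self.edges[src].append((relation, dst))
        self.edges.setdefault(dst, [])  # make leaf nodes enumerable

    def neighbours(self, node: Node, relation: str, kind: str) -> List[Node]:
        return [d for r, d in self.edges.get(node, []) if r == relation and d[0] == kind]

    def nodes_of(self, kind: str) -> List[Node]:
        return sorted(n for n in self.edges if n[0] == kind)


def build_sample_graph() -> SecurityGraph:
    """Constructed inventory for one cluster. Names, image tags and CVE ids
    are placeholders, not real resources or real advisories."""
    g = SecurityGraph()
    cluster, ns = ("cluster", "aks-prod"), ("namespace", "shop")
    g.add(cluster, "contains", ns)
    # One internet-facing ingress in front of "web"; "batch" is only reachable
    # through an internal ingress, so it must not appear as an attack path.
    g.add(ns, "contains", ("ingress", "shop-ingress"))
    g.add(ns, "contains", ("ingress", "batch-internal"))
    g.attrs[("ingress", "shop-ingress")]["internet_exposed"] = True
    g.attrs[("ingress", "batch-internal")]["internet_exposed"] = False
    g.add(("ingress", "shop-ingress"), "routes_to", ("service", "web-svc"))
    g.add(("ingress", "batch-internal"), "routes_to", ("service", "batch-svc"))
    g.add(("service", "web-svc"), "routes_to", ("pod", "web-7c9"))
    g.add(("service", "batch-svc"), "routes_to", ("pod", "batch-1a2"))
    g.add(ns, "contains", ("pod", "web-7c9"))
    g.add(ns, "contains", ("pod", "batch-1a2"))
    g.add(("pod", "web-7c9"), "runs", ("image", "registry.example/web:1.4"))
    g.add(("pod", "batch-1a2"), "runs", ("image", "registry.example/batch:0.9"))
    # Vulnerability nodes carry a severity; "3889" is the fragment the blog filters on.
    for image, cve, severity in [
        ("registry.example/web:1.4", "CVE-0000-3889", "High"),
        ("registry.example/web:1.4", "CVE-0000-1111", "Medium"),
        ("registry.example/batch:0.9", "CVE-0000-3889", "High"),
    ]:
        vuln = ("vulnerability", cve)
        g.add(("image", image), "has", vuln)
        g.attrs[vuln]["severity"] = severity
    return g


def pods_running_cve(g: SecurityGraph, cve_fragment: str) -> List[Tuple[str, str, str]]:
    """Explorer-style query: images whose CVE id contains `cve_fragment`,
    joined to the pods that run them. Returns (pod, image, cve) triples."""
    hits = []
    for image in g.nodes_of("image"):
        cves = [v[1] for v in g.neighbours(image, "has", "vulnerability") if cve_fragment in v[1]]
        if not cves:
            continue
        for pod in g.nodes_of("pod"):  # reverse edge: which pods run this image?
            if image in g.neighbours(pod, "runs", "image"):
                hits.extend((pod[1], image[1], c) for c in cves)
    return sorted(hits)


def internet_exposed_vulnerable_pods(g: SecurityGraph) -> List[List[str]]:
    """Attack-path traversal: internet-exposed ingress -> service -> pod ->
    image -> High severity vulnerability. Each full path is returned so the
    remediation can target both ends (the exposure and the vulnerable image)."""
    paths = []
    for ingress in g.nodes_of("ingress"):
        if not g.attrs[ingress].get("internet_exposed"):
            continue
        for svc in g.neighbours(ingress, "routes_to", "service"):
            for pod in g.neighbours(svc, "routes_to", "pod"):
                for image in g.neighbours(pod, "runs", "image"):
                    for vuln in g.neighbours(image, "has", "vulnerability"):
                        if g.attrs[vuln].get("severity") == "High":
                            paths.append([ingress[1], svc[1], pod[1], image[1], vuln[1]])
    return paths


if __name__ == "__main__":
    graph = build_sample_graph()
    print("pods running an image matching '3889':", pods_running_cve(graph, "3889"))
    for path in internet_exposed_vulnerable_pods(graph):
        print("attack path:", " -> ".join(path))
```

Both pods run an image matching the "3889" filter, but only web-7c9 sits behind an internet-exposed ingress, so only it forms an attack path; that is the distinction between the inventory query and the attack path analysis described above.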
Identifying vulnerabilities on container images
Both Defender CSPM and Defender for Containers provide agentless vulnerability assessment (VA) scanning of images. Container image scanning is automatically enabled for Defender for Containers and Defender CSPM. If you are using Defender CSPM for container image scanning, the results are displayed in the recommendation “Container registry should have vulnerable images deployed (powered by Microsoft Defender Vulnerability Management)”.
Gaining visibility into threats detected on the cluster
Monitoring the control plane is a central part of Kubernetes security, as it is responsible for managing the cluster as well as deploying and scaling the Kubernetes workload. At the workload level, containers are routinely running and interacting with each other to run an application. With Defender for Containers, organizations get runtime threat detection at both the control plane and the workload level.
Defender for Containers provides threat detection at the cluster level through analysis of the Kubernetes audit logs. At the workload level, Defender for Containers uses the Defender Profile or Defender agent that is deployed to every worker node on the cluster to gain visibility into different runtime processes on the workload. Both detection methods feed over 60 Kubernetes-aware analytics, AI, and anomaly detections that surface as Security Alerts.
Scenario: Detect containers with a sensitive volume mount
Through analysis of the Kubernetes audit logs, Defender for Containers alerts when a container with a sensitive volume mount is detected. The detected volume is of the hostPath type, which mounts a sensitive file or folder from the node into the container. If the container is compromised, the attacker can use this mount to gain access to the node.
Detecting runtime threats on the data plane
Runtime threat detection involves monitoring the behavior of applications and systems on the cluster as well as workloads running on them. Defender for Containers deploys the Defender Profile, a Kubernetes native agent, to each worker node on the cluster to gain runtime visibility.
Scenario: Container running in privileged mode
A container running in privileged mode is one that has access to all the resources on the host system. While useful for actions requiring elevated privileges, this also poses a security risk: if compromised, an attacker may use the privileged container to gain access to the hosting pod or host. Through the Defender Profile, Defender for Containers can detect processes running within the container or directly on the node that indicate a container is running in privileged mode.
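The two Defender for Containers scenarios above (a hostPath mount of a sensitive node path, and a container with securityContext.privileged set) can both be spotted in the Kubernetes audit log at admission time, before the workload ever runs. The following Python script is an added example, not Microsoft's detection logic: it reads audit events in the audit.k8s.io/v1 Event shape, unwraps workload controller templates, and emits a finding for each risky container. The audit events, usernames, image names and the list of sensitive node paths are constructed for the example; the path list in particular is a policy assumption to tune for your environment.

```python
import json
from typing import Dict, Iterable, List

# Node paths whose exposure to a container is treated as sensitive here.
# Constructed policy list for this example; tune it to your own environment.
SENSITIVE_HOST_PATHS = ("/etc", "/proc", "/root", "/var/lib/kubelet",
                        "/var/run/docker.sock", "/run/containerd")


def is_sensitive_host_path(path: str) -> bool:
    """True if `path` is the node root or equals / sits under a sensitive prefix."""
    norm = "/" + path.strip("/")  # "/etc/" -> "/etc", "/" -> "/"
    if norm == "/":
        return True
    return any(norm == p or norm.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def analyze_event(event: dict) -> List[Dict[str, str]]:
    """Emit one finding per risky setting in a pod create/update audit event.
    Workload controllers (Deployment, DaemonSet, ...) are handled by reading
    the pod template under spec.template."""
    findings: List[Dict[str, str]] = []
    if event.get("verb") not in ("create", "update"):
        return findings
    ref = event.get("objectRef", {})
    target = "{}/{}/{}".format(ref.get("namespace", "-"), ref.get("resource", "?"), ref.get("name", "?"))
    spec = (event.get("requestObject") or {}).get("spec", {})
    if "template" in spec:
        spec = spec["template"].get("spec", {})
    # Map volume name -> node path for every hostPath volume in the spec.
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append({"target": target, "container": c["name"],
                             "rule": "privileged_container",
                             "detail": "securityContext.privileged=true"})
        for m in c.get("volumeMounts", []):
            host = host_paths.get(m.get("name"))
            if host is not None and is_sensitive_host_path(host):
                findings.append({"target": target, "container": c["name"],
                                 "rule": "sensitive_hostpath_mount",
                                 "detail": "{} -> {}".format(host, m.get("mountPath"))})
    return findings


def scan_audit_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run analyze_event over JSON-lines audit output, skipping blank lines."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        if line.strip():
            findings.extend(analyze_event(json.loads(line)))
    return findings


# Constructed audit events (audit.k8s.io/v1 Event shape); not captured from a real cluster.
SAMPLE_EVENTS = [
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
     "user": {"username": "dev@example.test"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "debug-shell"},
     "requestObject": {"spec": {
         "volumes": [{"name": "hostroot", "hostPath": {"path": "/"}}],
         "containers": [{"name": "shell", "image": "registry.example/tools:1",
                         "securityContext": {"privileged": True},
                         "volumeMounts": [{"name": "hostroot", "mountPath": "/host"}]}]}}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
     "user": {"username": "ci@example.test"},
     "objectRef": {"resource": "pods", "namespace": "shop", "name": "web-7c9"},
     "requestObject": {"spec": {
         "volumes": [{"name": "cache", "emptyDir": {}}],
         "containers": [{"name": "web", "image": "registry.example/web:1.4",
                         "volumeMounts": [{"name": "cache", "mountPath": "/cache"}]}]}}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
     "user": {"username": "ci@example.test"},
     "objectRef": {"resource": "deployments", "namespace": "kube-system", "name": "log-agent"},
     "requestObject": {"spec": {"template": {"spec": {
         "volumes": [{"name": "k8s", "hostPath": {"path": "/etc/kubernetes/"}}],
         "containers": [{"name": "agent", "image": "registry.example/agent:3",
                         "volumeMounts": [{"name": "k8s", "mountPath": "/k8s", "readOnly": True}]}]}}}}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "get",
     "objectRef": {"resource": "pods", "namespace": "default", "name": "debug-shell"}},
]
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for f in scan_audit_log(SAMPLE_AUDIT_LOG.splitlines()):
        print("{rule:24} {target:40} {container:8} {detail}".format(**f))
```

The read-only mount in the log-agent deployment is still reported: a read-only view of node configuration is a disclosure risk, so the rule deliberately does not exempt readOnly mounts. The "get" event is ignored because only create and update carry a request body with a pod spec.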
Conclusion
Security posture management can help to reduce the risk of a security breach, but it does not provide a full view into the threat landscape of an organization’s containerized environments. While Kubernetes is a powerful platform, it is also a complex system that requires a comprehensive approach to security. Microsoft Defender for Cloud offers two plans that help organizations target container security, Defender CSPM and Defender for Containers. In this blog, we explored the features in both plans and how organizations can leverage them to secure their containerized environments. For shift-left scenarios to secure the build stage of the pipeline, organizations should leverage Defender for DevOps.
Additional Information
Defender for Containers Documentation
Secure your Containers from Build to Runtime - YouTube
Leveraging Defender for Cloud to Simplify Policy Management
Defender for CSPM Documentation
Reviewers
Shani Freund Menscher, Product Manager 2
Miri Herszfang, Principal PM Manager