SlideShare a Scribd company logo

Container intrusions Do You Even IDS

Download as PPTX, PDF
Alfredo Hickman, profile picture
Alfredo Hickman

The document discusses the foundational benefits and security challenges of Linux application containers, emphasizing the shift in intrusion detection from traditional to container networks. It presents a security primer that includes various vulnerabilities, the effectiveness of different intrusion detection systems (IDS), and criteria for evaluating their performance. The findings indicate that the field is evolving with ongoing vulnerabilities and threats requiring continuous research and testing.

Technology
Related topics:
Intrusion Detection
1 of 15
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
1SANS Technology Institute - Candidate for Master of Science Degree 1 Container Intrusions: Do You Even IDS? Alfredo Hickman April, 2018 GIAC GCIA, GPEN, GCIH, GSEC
SANS Technology Institute - Candidate for Master of Science Degree 2 Objectives • After this presentation, you’ll have a foundational understanding of Linux application container benefits and history. • You’ll be empowered with a security primer on Linux application containers. • You’ll understand the paradigm shift between intrusion detection and analysis in traditional vs. container networks. • You’ll be able to tests and assess different classes of container IDSs for effectiveness.
SANS Technology Institute - Candidate for Master of Science Degree 3 Linux Containers: Benefits and History 1979 Unix v7 Change Root (chroot) Early 2000’s FreeBSD Jails, Linux VServer, Solaris Zones 2002 – 2007 Control Groups (cgroups), Namespaces 2008 – 2014 LXC, Docker, rkt
SANS Technology Institute - Candidate for Master of Science Degree 4 Linux Containers: a Security Primer • Containers security challenges: complexity and speed
SANS Technology Institute - Candidate for Master of Science Degree 5 Linux Containers: a Security Primer • The lack of scholarly research into container security
SANS Technology Institute - Candidate for Master of Science Degree 6 Linux Containers: a Security Primer • The vulnerability and threat landscape of Linux containers • Synergistic-power attack • Process isolation escape • Data leakage attacks (emanations) • Spectre/Meltdown – memory read bounds control and process isolation violation • Compounded vulnerabilities • Microservices and deployment density surface area
SANS Technology Institute - Candidate for Master of Science Degree 7 Linux Containers: a Security Primer • Container security platforms and CI/CD pipeline security • Code contributor identity and access controls • Code commit integrity validation • Vulnerability management (host, packages, images) • Network, host, and container runtime component hardening • Log management, security analytics, and threat hunting
SANS Technology Institute - Candidate for Master of Science Degree 8 • Intrusion detection and analysis in traditional networks • Static or pre-defined application network port mappings • Linux kernel audit (some kernel tapping) • Network interface tapping • Network traffic profiling and security analytics Linux Containers: a Security Primer
SANS Technology Institute - Candidate for Master of Science Degree 9 • Intrusion detection and analysis in container networks • Bag of System Calls (BoSC) • Kernel tapping modules (common place) • Network interface tapping (software overlay networks) • Network observability analytics • Adaptive application traffic profiling • Adaptive application network port mapping Linux Containers: a Security Primer
SANS Technology Institute - Candidate for Master of Science Degree 10 Lab Environment
SANS Technology Institute - Candidate for Master of Science Degree 11 • Detection of scanning activity • Detection of application attacks • Detection of malware deployment • Detection of malware execution • Detection of malicious command and control • Detection of malicious privilege escalation IDS Effectiveness Criteria & Test Cases
SANS Technology Institute - Candidate for Master of Science Degree 12 IDS Effectiveness Criteria & Test Cases • Detection of malicious data exfiltration • Detection of file integrity violations • Detection of leaked system data • Auto-detection of anomalous behavior • Auto-detection of attacker, victim, infrastructure relationship • Capability for forensic artifact retrieval (PCAP, flow, logs)
SANS Technology Institute - Candidate for Master of Science Degree 13 Points Criteria 1 Not effective (method did not work) 2 Moderately effective (method worked, but did not allow for complete functionality, or equivalent to a traditional network implementation) Note: potential for assessor bias 3 Effective (method worked as effectively as a traditional network implementation) Scoring System
SANS Technology Institute - Candidate for Master of Science Degree 14 • Scenarios and Results • Security Onion with Snort and OSSEC protecting a virtualized web server hosting DVWA = 44 • Security Onion with Snort and OSSEC protecting a Dockerized web server hosting DVWA = 40 • Wazuh with OSSEC HIDS and PCI DSS module protecting a Dockerized web server hosting DVWA = 38 • Sysdig Falco with the falco-probe kernel module protecting a Dockerized web server hosting DVWA = 43 Research Review & Results
SANS Technology Institute - Candidate for Master of Science Degree 15 • Intrusion detection and analysis in traditional vs. container networks • Research, testing, and results • The field is hot, the practice is young, the vulnerabilities are ongoing, and the threats are real Summary

More Related Content

PPTX
Object Broker Infrastructure for Wide Area Networks
Vaidas Brundza
 
PDF
Securing your Kubernetes applications
Néstor Salceda
 
PDF
Incident Response in Cyber-Relevant Time - OpenC2
Vasileios Mavroeidis
 
DOCX
Ian Powers Resume
Ian Powers
 
PDF
Implementing Active Security with Sysdig Falco - Barcelona Software Crafters
Néstor Salceda
 
PDF
Container Security Mmanagement
Suresh Thivanka Rupasinghe
 
PDF
Secure Application Development in the Age of Continuous Delivery
Black Duck by Synopsys
 
PDF
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
Priyanka Aash
 
Object Broker Infrastructure for Wide Area Networks
Vaidas Brundza
 
Securing your Kubernetes applications
Néstor Salceda
 
Incident Response in Cyber-Relevant Time - OpenC2
Vasileios Mavroeidis
 
Ian Powers Resume
Ian Powers
 
Implementing Active Security with Sysdig Falco - Barcelona Software Crafters
Néstor Salceda
 
Container Security Mmanagement
Suresh Thivanka Rupasinghe
 
Secure Application Development in the Age of Continuous Delivery
Black Duck by Synopsys
 
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
Priyanka Aash
 

What's hot (20)

DOCX
52
ieeeprojectsvadapalani
 
PDF
Ofer rivlin BGU - department seminar
Ofer Rivlin, CISSP
 
PPTX
Under-reported Security Defects in Kubernetes Manifests
Akond Rahman
 
PDF
OTechs Hacking and Penetration Testing (BackTrack/Kali) Training Course
Osman Suliman
 
PPTX
What Questions Do Programmers Ask About Configuration as Code?
Akond Rahman
 
PDF
Vulnerability Detection Based on Git History
Kenta Yamamoto
 
PDF
Monitoring & Securing Microservices in Kubernetes
Michael Ducy
 
DOCX
36
ieeeprojectsvadapalani
 
PPTX
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWARE
Ayanda Demilade
 
PPTX
Outpost24 webinar mastering container security in modern day dev ops
Outpost24
 
PDF
Security Testing ModernApps_v1.0
Neelu Tripathy
 
PPTX
Hunting on the Cheap
EndgameInc
 
PPTX
Virtual Machine Introspection - Future of the Cloud
Tjylen Veselyj
 
PPT
Finding Diversity In Remote Code Injection Exploits
amiable_indian
 
PPTX
Verigraph
Iben Rodriguez
 
ODP
OpenDaylight Brisbane User Group - OpenDaylight Security
David Jorm
 
PDF
Syrian Malware
Kaspersky
 
PDF
The Log4Shell Vulnerability – explained: how to stay secure
Kaspersky
 
PPTX
AusCERT 2016: CVE and alternatives
David Jorm
 
PPTX
Web Security Workshop : A Jumpstart
Satria Ady Pradana
 
52
ieeeprojectsvadapalani
 
Ofer rivlin BGU - department seminar
Ofer Rivlin, CISSP
 
Under-reported Security Defects in Kubernetes Manifests
Akond Rahman
 
OTechs Hacking and Penetration Testing (BackTrack/Kali) Training Course
Osman Suliman
 
What Questions Do Programmers Ask About Configuration as Code?
Akond Rahman
 
Vulnerability Detection Based on Git History
Kenta Yamamoto
 
Monitoring & Securing Microservices in Kubernetes
Michael Ducy
 
36
ieeeprojectsvadapalani
 
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWARE
Ayanda Demilade
 
Outpost24 webinar mastering container security in modern day dev ops
Outpost24
 
Security Testing ModernApps_v1.0
Neelu Tripathy
 
Hunting on the Cheap
EndgameInc
 
Virtual Machine Introspection - Future of the Cloud
Tjylen Veselyj
 
Finding Diversity In Remote Code Injection Exploits
amiable_indian
 
Verigraph
Iben Rodriguez
 
OpenDaylight Brisbane User Group - OpenDaylight Security
David Jorm
 
Syrian Malware
Kaspersky
 
The Log4Shell Vulnerability – explained: how to stay secure
Kaspersky
 
AusCERT 2016: CVE and alternatives
David Jorm
 
Web Security Workshop : A Jumpstart
Satria Ady Pradana
 
Ad

Similar to Container intrusions Do You Even IDS (20)

PPTX
Understanding container security
John Kinsella
 
PDF
ML13198A410.pdf
KalsoomTahir2
 
PDF
ML13198A410.pdf
ParasPatel967737
 
PDF
We live in the earh seventy or eight years
AyalewWakeyo1
 
PDF
ML13198A410.pdf
ParvezAhmed59842
 
PDF
shivam sahu (firewall).pdfb jndvhjfvhjjf
sahushivam4928
 
PDF
An Attacker Looks at Docker: Approaching Multi-Container Applications
Priyanka Aash
 
PDF
An Attacker Looks at Docker: Approaching Multi-Container Applications
Priyanka Aash
 
PDF
Too soft[ware defined] networks SD-Wan vulnerability assessment
Sergey Gordeychik
 
PDF
Offensive cyber security engineer updated
InfosecTrain
 
PDF
Offensive cyber security engineer
ShivamSharma909
 
PDF
Offensive cyber security engineer pragram course agenda
ShivamSharma909
 
PPTX
Containers and Security for DevOps
Salesforce Engineering
 
PDF
Soc analyst course content
ShivamSharma909
 
PDF
Soc analyst course content v3
ShivamSharma909
 
PPTX
Mining Software Repositories for Security: Data Quality Issues Lessons from T...
CREST
 
PDF
5 Ways to Secure Your Containers for Docker and Beyond
Black Duck by Synopsys
 
PDF
Azure 101: Shared responsibility in the Azure Cloud
Paulo Renato
 
PDF
DCSF19 Container Security: Theory & Practice at Netflix
Docker, Inc.
 
PDF
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
OW2
 
Understanding container security
John Kinsella
 
ML13198A410.pdf
KalsoomTahir2
 
ML13198A410.pdf
ParasPatel967737
 
We live in the earh seventy or eight years
AyalewWakeyo1
 
ML13198A410.pdf
ParvezAhmed59842
 
shivam sahu (firewall).pdfb jndvhjfvhjjf
sahushivam4928
 
An Attacker Looks at Docker: Approaching Multi-Container Applications
Priyanka Aash
 
An Attacker Looks at Docker: Approaching Multi-Container Applications
Priyanka Aash
 
Too soft[ware defined] networks SD-Wan vulnerability assessment
Sergey Gordeychik
 
Offensive cyber security engineer updated
InfosecTrain
 
Offensive cyber security engineer
ShivamSharma909
 
Offensive cyber security engineer pragram course agenda
ShivamSharma909
 
Containers and Security for DevOps
Salesforce Engineering
 
Soc analyst course content
ShivamSharma909
 
Soc analyst course content v3
ShivamSharma909
 
Mining Software Repositories for Security: Data Quality Issues Lessons from T...
CREST
 
5 Ways to Secure Your Containers for Docker and Beyond
Black Duck by Synopsys
 
Azure 101: Shared responsibility in the Azure Cloud
Paulo Renato
 
DCSF19 Container Security: Theory & Practice at Netflix
Docker, Inc.
 
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
OW2
 
Ad

Recently uploaded (20)

PDF
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
PDF
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
PPT
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PDF
Hybrid model detection and classification of lung cancer
IAESIJAI
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
PDF
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
PDF
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
PPTX
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
PPTX
The various Industrial Revolutions .pptx
bandileshozi3
 
PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
PPT
What is a Computer? Input Devices /output devices
GulJan8
 
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
Hybrid model detection and classification of lung cancer
IAESIJAI
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
The various Industrial Revolutions .pptx
bandileshozi3
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
What is a Computer? Input Devices /output devices
GulJan8
 

Container intrusions Do You Even IDS

  • 1. 1SANS Technology Institute - Candidate for Master of Science Degree 1 Container Intrusions: Do You Even IDS? Alfredo Hickman April, 2018 GIAC GCIA, GPEN, GCIH, GSEC
  • 2. SANS Technology Institute - Candidate for Master of Science Degree 2 Objectives • After this presentation, you’ll have a foundational understanding of Linux application container benefits and history. • You’ll be empowered with a security primer on Linux application containers. • You’ll understand the paradigm shift between intrusion detection and analysis in traditional vs. container networks. • You’ll be able to tests and assess different classes of container IDSs for effectiveness.
  • 3. SANS Technology Institute - Candidate for Master of Science Degree 3 Linux Containers: Benefits and History 1979 Unix v7 Change Root (chroot) Early 2000’s FreeBSD Jails, Linux VServer, Solaris Zones 2002 – 2007 Control Groups (cgroups), Namespaces 2008 – 2014 LXC, Docker, rkt
  • 4. SANS Technology Institute - Candidate for Master of Science Degree 4 Linux Containers: a Security Primer • Containers security challenges: complexity and speed
  • 5. SANS Technology Institute - Candidate for Master of Science Degree 5 Linux Containers: a Security Primer • The lack of scholarly research into container security
  • 6. SANS Technology Institute - Candidate for Master of Science Degree 6 Linux Containers: a Security Primer • The vulnerability and threat landscape of Linux containers • Synergistic-power attack • Process isolation escape • Data leakage attacks (emanations) • Spectre/Meltdown – memory read bounds control and process isolation violation • Compounded vulnerabilities • Microservices and deployment density surface area
  • 7. SANS Technology Institute - Candidate for Master of Science Degree 7 Linux Containers: a Security Primer • Container security platforms and CI/CD pipeline security • Code contributor identity and access controls • Code commit integrity validation • Vulnerability management (host, packages, images) • Network, host, and container runtime component hardening • Log management, security analytics, and threat hunting
  • 8. SANS Technology Institute - Candidate for Master of Science Degree 8 • Intrusion detection and analysis in traditional networks • Static or pre-defined application network port mappings • Linux kernel audit (some kernel tapping) • Network interface tapping • Network traffic profiling and security analytics Linux Containers: a Security Primer
  • 9. SANS Technology Institute - Candidate for Master of Science Degree 9 • Intrusion detection and analysis in container networks • Bag of System Calls (BoSC) • Kernel tapping modules (common place) • Network interface tapping (software overlay networks) • Network observability analytics • Adaptive application traffic profiling • Adaptive application network port mapping Linux Containers: a Security Primer
  • 10. SANS Technology Institute - Candidate for Master of Science Degree 10 Lab Environment
  • 11. SANS Technology Institute - Candidate for Master of Science Degree 11 • Detection of scanning activity • Detection of application attacks • Detection of malware deployment • Detection of malware execution • Detection of malicious command and control • Detection of malicious privilege escalation IDS Effectiveness Criteria & Test Cases
  • 12. SANS Technology Institute - Candidate for Master of Science Degree 12 IDS Effectiveness Criteria & Test Cases • Detection of malicious data exfiltration • Detection of file integrity violations • Detection of leaked system data • Auto-detection of anomalous behavior • Auto-detection of attacker, victim, infrastructure relationship • Capability for forensic artifact retrieval (PCAP, flow, logs)
  • 13. SANS Technology Institute - Candidate for Master of Science Degree 13 Points Criteria 1 Not effective (method did not work) 2 Moderately effective (method worked, but did not allow for complete functionality, or equivalent to a traditional network implementation) Note: potential for assessor bias 3 Effective (method worked as effectively as a traditional network implementation) Scoring System
  • 14. SANS Technology Institute - Candidate for Master of Science Degree 14 • Scenarios and Results • Security Onion with Snort and OSSEC protecting a virtualized web server hosting DVWA = 44 • Security Onion with Snort and OSSEC protecting a Dockerized web server hosting DVWA = 40 • Wazuh with OSSEC HIDS and PCI DSS module protecting a Dockerized web server hosting DVWA = 38 • Sysdig Falco with the falco-probe kernel module protecting a Dockerized web server hosting DVWA = 43 Research Review & Results
  • 15. SANS Technology Institute - Candidate for Master of Science Degree 15 • Intrusion detection and analysis in traditional vs. container networks • Research, testing, and results • The field is hot, the practice is young, the vulnerabilities are ongoing, and the threats are real Summary