ALPS blog

Original article by Greg Young, VP of Cybersecurity

Containers are used to run applications independently from the runtime environment. I still mentally picture containers as the embodied little bubbles of object-oriented design from OODA tools. Containers stand on their own and don’t require a full VM to operate. Container security isn’t just application security with a different name because that independence brings new technology, such as securing the whole container pipeline, and that means a new attack surface.

Microservices in containers are used to orchestrate services like storage, networking and security. Those sound like 3 things criminals are interested in.

Orchestration tools such as Kubernetes and Docker are used to handle all the, well…, orchestration, of making sure all these containers and microservices are, well, well-orchestrated. This type of complexity and fog are also what attackers like to use to avoid detection, gain privileges, and move laterally.

That complexity is like the smallest Russian Doll in a set that includes, at a minimum, the network, workload, operating system, application, and container.

Why a Framework for Containers?

All of the complexity demands something to make sense of it all. Builders, operations teams and security teams need a single language to understand the risk associated with containers.

The MITRE ATT&CK Framework continues to evolve by adding known attack profiles and new attack techniques. Most recently they added the MITRE ATT&CK Matrix for Containers.

Source: MITRE
Source: MITRE

This matrix is significant in 3 ways.

  1. ATT&CK specifically includes a discrete resource for attacks involving container. OK, that one is obvious in significance – but it is big news.
  2. Orchestration level and container level attacks are in a single view. This is significant as SOC analysts following a container-involved attack will have a single container framework to consult, rather than two.
  3. MITRE issued a ‘call to the community’ via their Centre for Threat Informed Defense (CTID) to get the best information on container security and attacks. This is significant because reaching out the frontline of threat defense and vulnerability research to feed into the framework only makes it better. Not a lot of assessment or testing organizations have done that, so it is encouraging both in that it better reflects the reality that SOCs face. Too many security tool assessment criteria haven’t had enough real-world input, and we end up like those driving tests that over-stress hand signals and situations a driver will never face in the day-to-day. Three cheers for reality-based security.

As an aside, it is interesting that the overwhelming number of container involved attacks are in support of crypto-jacking/cryptomining.

How Trend Micro Answered the Call

I’m also really proud of how Trend Micro responded to MITRE’s call to the community. Our research team was able to collaborate with MITRE to provide evidence of real-world attacks that supported 7 MITRE Techniques. Two of these techniques are new and unique to ATT&CK for Containers.

The involvement by Trend Micro means two things for customers:

  1. Our container security solution aligns well with this framework, making protection easy to understand across an organization.
  2. The fact that our research helped influence the framework proves that our customers are well protected. This research informs our product direction and applies directly to threats blocked by our solutions, so our customers can rest assured that we have them covered.

I’ll give the closing comments over to the quote from Jen Burns from MITRE, who says it better:

“Trend Micro was one of the companies that answered our call to the community when we began developing ATT&CK for Containers through the Center for Threat-Informed Defense,” said Jen Burns, a lead cybersecurity engineer at MITRE. “We are all working to help companies stay protected against attacks using knowledge bases like ATT&CK as a common language. Contributors like Trend Micro, with expertise and experience with real-world attacks, help us support the security community in reaching that goal.”