Containers are used to run applications independently from the runtime environment. I still mentally picture containers as the embodied little bubbles of object-oriented design from OODA tools. Containers stand on their own and don’t require a full VM to operate. Container security isn’t just application security under a different name: that independence brings new technology, such as the whole container pipeline that now has to be secured, and that means a new attack surface.
Microservices running in containers rely on orchestrated services like storage, networking and security. Those sound like three things criminals are interested in.
Orchestration tools such as Kubernetes and Docker are used to handle all the, well…, orchestration, of making sure all these containers and microservices are, well, well-orchestrated. This kind of complexity and fog is also what attackers like to use to avoid detection, gain privileges, and move laterally.
That complexity is like the smallest Russian doll in a set that includes, at a minimum, the network, workload, operating system, application, and container.
Why a Framework for Containers?
All of the complexity demands something to make sense of it all. Builders, operations teams and security teams need a single language to understand the risk associated with containers.
The MITRE ATT&CK Framework continues to evolve by adding known attack profiles and new attack techniques. Most recently MITRE added the ATT&CK Matrix for Containers.
This matrix is significant in 3 ways.
As an aside, it is interesting that the overwhelming majority of container-involved attacks are in support of crypto-jacking/cryptomining.
How Trend Micro Answered the Call
I’m also really proud of how Trend Micro responded to MITRE’s call to the community. Our research team was able to collaborate with MITRE to provide evidence of real-world attacks that supported 7 MITRE Techniques. Two of these techniques are new and unique to ATT&CK for Containers.
The involvement by Trend Micro means two things for customers:
I’ll give the closing comments over to the quote from Jen Burns from MITRE, who says it better:
“Trend Micro was one of the companies that answered our call to the community when we began developing ATT&CK for Containers through the Center for Threat-Informed Defense,” said Jen Burns, a lead cybersecurity engineer at MITRE. “We are all working to help companies stay protected against attacks using knowledge bases like ATT&CK as a common language. Contributors like Trend Micro, with expertise and experience with real-world attacks, help us support the security community in reaching that goal.”