
Black Hat USA Recap - Interviewing Aqua Security


In part two of his interview with Aqua Security, Zone Leader John Vester interviews Sagie Dulce about his recent presentation at Black Hat USA


In August, I had the opportunity to talk with Michael Cherny, who is the Head of Research at Aqua Security. The "Are Your Containers Secure?" interview focused on how the team at Aqua Security is providing solutions for container security. In part two of my interview with the team at Aqua Security, the focus will be on the Black Hat USA presentation and other security topics that came to mind during the discussion.  

Michael was scheduled to be on the presentation team in late July at the Black Hat USA event in Las Vegas, NV, but opted to miss the conference due to the birth of his child. As a result, I was able to talk with Sagie Dulce, who led the Aqua Security presentation entitled "Well, that Escalated Quickly! How Abusing Docker API Led to Remote Code Execution, Same Origin Bypass, and Persistence in the Hypervisor via Shadow Containers."

According to his bio, Sagie Dulce is a cybersecurity researcher with over 10 years of experience. Sagie started his cybersecurity career in the intelligence unit 8200 of the IDF, where he performed mostly offense research. From there, Sagie moved to the private sector at Imperva, focusing on defenses against advanced attacks. Sagie is currently working for Aqua Security, where he explores new defenses and attacks in the virtualized container sphere.

John Vester: Speaking at BlackHat US had to be a pleasure. What reception did you and your products receive?

Sagie Dulce: I think the session resonated well with the crowd; people came to ask questions after it, and in general the interest was evident. Additional evidence is the media coverage we got before and after the session. Container technology had a big impact on this year’s Black Hat. There were many talks and great interest in the technology and its security implications.

From your perspective, what is the number one target for attack (and why)?

I don’t think there is a number one target. It differs for each organization, and for each attacker (as they choose a target based on their skills). The weakest link is the best target – whatever gets the attacker inside as simply as possible will be the target – whether it is done via SQL injection or through malicious email.

In my talk, we discussed how developers can become targets. A developer is a very lucrative target from an attacker’s standpoint. They often have high privileges on their workstations, coupled with access to sensitive information (code, internal assets, development pipeline etc.).

Following up on the question above, how can those potentially impacted minimize their exposure of being vulnerable?

In the context of the attack we presented, in order to minimize exposure, we suggest continuously monitoring development and production environments for signs of malicious behavior. In our case, this is the existence of Shadow Containers, or the injection of malicious code into the repository.

The container concept is intended to make things better.

One thing I like about containers is being able to start with another base container and build on top of that. How do I protect myself from being the victim of a vulnerability that I am inheriting in my container?

You should address these problems both statically (i.e., scanning) and dynamically during runtime. Always scan images for vulnerabilities, and also profile your containers and look for anomalies.

Another best practice we see is the enforcement of using only specific approved base images so that companies can keep a standardized configuration, which also keeps the attack surface manageable.

I saw that Aqua Security made the discovery regarding TCP being enabled by default with Windows 10 containers, leading to an opt-in fix in Docker 17.05.0. How did your team identify this vulnerability?

It was well documented and easily discoverable from Docker’s configuration. The open TCP may not have been a vulnerability on its own, but the use of the Docker API from a remote web page is what enabled us to execute an attack. As you noted, once we explained that to the Docker team they quickly fixed that default setting.

Can you describe what is involved with a host rebinding attack (and how it can be mitigated)?

Host rebinding is basically the spoofing of different IP addresses to host requests over the LAN. Protocols such as NetBIOS, LLMNR, and mDNS are vulnerable to such attacks. In this attack, a locally hosted web page can bypass the Same Origin Policy of web browsers by performing a Host Rebinding attack on the local LAN, or even (as in our attack) against the local host running a virtual machine.

The benefit of using such an attack (over DNS Rebinding, for example) is that it is not detected by perimeter security – as the entire attack happens over the local network.

To mitigate Host Rebinding, it’s best to disable protocols that can support the attack in the first place – such as LLMNR, NetBIOS, and mDNS. Also, internal network monitoring tools can ensure that this attack does not occur on the LAN.

In our last interview, we only scratched the surface of how Aqua Security can provide value to its customers. Based upon your BlackHat US session, what vulnerabilities does Aqua Security protect against or minimize the impact of?

We help organizations secure their entire container environment from development to production. Our approach allows us to detect and mitigate known vulnerabilities, based on multiple sources and in multiple languages and OSs. Moreover, the way in which Aqua monitors container activity in runtime and applies a whitelisting model on permitted activities allows us to block any activity that seems malicious, thus preventing zero-day attacks.

Thank you, so much, for your time!

For those interested, additional information from Sagie's Black Hat USA presentation can be found at the link below:

Black Hat USA 2017 - Aqua Security Briefing

Have a really great day!
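
The internal network monitoring suggested in the Host Rebinding answer can be sketched as a simple heuristic: flag any LLMNR, NetBIOS, or mDNS name whose answered address changes within a short window. This is an added example, not code from the interview or from Aqua Security; the record layout, the sample answers, and the 60-second window are assumptions made for illustration.

```python
from ipaddress import ip_address

# Constructed sample of local name-resolution answers (not real traffic):
# (seconds, protocol, queried name, answered address)
SAMPLE_ANSWERS = [
    (0.0, "LLMNR", "buildbox", "192.168.1.20"),
    (1.2, "LLMNR", "buildbox", "192.168.1.20"),
    (5.0, "NBNS", "wiki", "192.168.1.77"),
    (6.5, "NBNS", "WIKI", "127.0.0.1"),
    (9.0, "mDNS", "printer.local", "192.168.1.30"),
    (400.0, "mDNS", "printer.local", "192.168.1.31"),
]

WINDOW_SECONDS = 60.0  # assumed threshold; tune to the network's normal churn


def find_rebinding(answers, window=WINDOW_SECONDS):
    """Flag names whose answered address changes within `window` seconds."""
    last_seen = {}  # lower-cased name -> (time, address) of the previous answer
    alerts = []
    for ts, proto, name, addr in sorted(answers):
        key = name.lower()  # compare names case-insensitively
        prev = last_seen.get(key)
        if prev and prev[1] != addr and ts - prev[0] <= window:
            alerts.append({
                "name": key,
                "protocol": proto,
                "old": prev[1],
                "new": addr,
                "seconds_apart": round(ts - prev[0], 1),
                # An answer pointing at loopback steers the client to
                # services listening on its own machine.
                "to_loopback": ip_address(addr).is_loopback,
            })
        last_seen[key] = (ts, addr)
    return alerts


if __name__ == "__main__":
    for alert in find_rebinding(SAMPLE_ANSWERS):
        print(alert)
```

On the constructed sample, only `wiki` is flagged: its answer moves from a LAN address to loopback 1.5 seconds later, while the `printer.local` change falls outside the window.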
