Containers as Cyber Security Black Holes

By: Shenhav Yahav - Cyber Security Analyst   |   Updated: 5/17/2020

In Stephen Hawking's The Theory of Everything, he explains that while our knowledge and understanding of black holes has improved quite significantly in the last few decades, what happens inside black holes, however, still remains one of the greatest mysteries of space. Upon hearing this, I instantly made a connection to containers. When you think about a container, not many know what they are, what their purpose is, and especially how they work. The Container world is relatively new, especially when it comes to cyber security.

So what is a container, you ask? A Container is a method of packaging an application so it can be run, with its dependencies, isolated from other processes. Different applications may need different environments, Operating Systems, and dependencies to run. With containers, however, it's consistent across the board. This technology is all about speed and makes serverless (or FAAS) possible.

Containers are created out of layers of files often called container images. Images consist of the binaries, libraries and source code which make up an application, along with the metadata on how to run the application - these are considered the building blocks of containers. In this sense, the container is the running instance of an image.

A collection of image versions (tags) is called a repository. When these are collected, it makes what is known as a registry. Hosting all the images in one stored location allows users to commit, identify and pull images when needed. Container management is near impossible to maintain without deployment, orchestration and management tools such as Kubernetes (k8s) and Docker.

After I've explained the terms you need to know to understand container technology, let's observe it from a cyber-security point of view.

According to "March/April 2020 Infosecurity Professional Magazine", the 6 top cloud security threats are:

  1. Improperly configured containers
  2. Compromised credentials
  3. Weak identity and access management safeguards
  4. Excessive use of privileged accounts
  5. Misconfigured cloud storage
  6. Lack of visibility

Not surprising that containers take the notorious first place (and numbers 3 and 6 if you consider the lack of visibility and misusing instance access control … and you should). 

Companies from small to large are now using container technology (both on cloud and on-premise). How can you be sure that the container environment and the applications that run are safe from cyber threats? Do you trust your developers to decide what a safe image is (build an image)? Which image sources should you trust? How do you control and maintain these images? How do you manage the registry? Is your build secure, or does it have any vulnerabilities? How often do you update the host environment? Can you detect anomalies in the environment?

A Container is not an easy thing to secure; it includes everything from the applications they hold to the infrastructure they rely on. Steps need to be taken in multiple areas and layers, securing the container pipeline and the application, securing the container deployment environment and infrastructure, integrating with enterprise security tools and meeting or enhancing existing security policies.

Here are some guidelines for securing a container environment:

  • The base image is the most important for security purposes because it is used as the starting point from which you create derivative images. Container security starts with finding trusted sources for base images. It is recommended to tag approved images and block the use of unapproved images.
  • Make sure to track and flag builds with security issues. It is preferable to rebuild a container than patch it.
  • Actively search for vulnerabilities (CVE's) in the image, app dependencies and OS dependencies. It's important to realize that most, if not all, images will have CVE's, so the job is to understand what is acceptable in the organization.
  • Environment separation is required in any network, and container technology isn't different. By using namespaces, you can separate container environments. Furthermore, limiting container's resource usage is possible with control groups, thus, avoiding DOS.
  • Always avoid using default security configurations, in any system, and particularly in containers.
  • Use identity and access management in a correct manner.
  • Don't run apps in containers as root.
  • Don't expose the docker TCP socket to the internet

Make sure that registry metadata is available to manage the image repositories and track known vulnerabilities. More information about registry configuration can be found here

  • Safe image sources tip: official repositories don't have forward slashes ("/") in their name. For example: "nginx". They also have sound defaults and best practices built into them.
  • Once the healthcheck determines a container unhealthy, you should expect the orchestration tool to replace the task.
  • A Pod (k8s instance) network is crucial to keep container environments safe (through segmentation and firewalling). Think of a firewall, just like you wouldn't enable "any any Allow", the same goes for pods network.
  • Assign automated policies where possible. 
  • Update, update, and update again the container environment (container, host OS).

There are so many questions regarding containers, and fortunately we are beginning to find answers to help protect container environments.

Some companies offer CWPP or Cloud Workload Protection Platform which provides visibility and compliance, compute security, network security (segmentation, firewalling and network visibility), anomaly detection, and identity security. Also, the CIS (Center for Internet Security) benchmarks should be used when deploying Docker or Kubernetes.

In security, always consider the CIA triad- integrity, availability and confidentiality. Remember, cybersecurity is not a destination, but rather a journey that never ends.