
Best Practices for Security Containers

Issue link: https://insights.oneneck.com/i/1481435


©2022 Alert Logic, Inc. The information contained in this document is confidential and only for the use of the intended recipient. You may not publish or redistribute this document without advance permission from Alert Logic. AlertLogic.com

Container popularity continues to grow at an astounding rate. According to a study by the Cloud Native Computing Foundation (CNCF) [1], the use of containers grew 300% from 2016 to 2020. A 2022 global study from CNCF reveals 96% are using or investigating Kubernetes. There are millions of applications packaged as container images, and that number is expected to exceed 500 million by 2023 per IDC [2]. As organizations rush to leverage the low overhead, power and security that come with containerization, it's only logical that container-based attacks will grow in popularity as well.

No matter how secure containers appear, we already know nothing is hack-proof. It's a safe bet that attackers, and researchers trying to thwart these attackers, will continue to look for ways to attack the virtualization process. It is in our best interest to stay on top of best practices. Luckily, apart from vulnerabilities in the software running inside the container, and barring some unknown misconfiguration, the biggest security issues that affect these virtual environments are memory corruption vulnerabilities.

To understand the implications of these low-level attacks, consider these recent examples. In 2020 a vulnerability was found in Docker Engine up to 19.03.10 (CVE-2020-13401) that could allow an attacker to perform a man-in-the-middle (MitM) attack against another container or the host's network. In another instance, a security researcher was able to break out of the container's memory isolation (CVE-2017-5123) using a kernel vulnerability in the waitid() system call to modify the container's capabilities and ultimately elevate privileges. Prior to that, the Dirty Cow vulnerability (CVE-2016-5195) allowed attackers to write to a read-only mounted file to elevate privileges. To limit your attack exposure, it's best to follow best practices that prevent attackers from gaining the lower-level permissions they need to attain privileged access in the first place.

Best Practices

PERMISSIONS – As with any software, you should run your container process with the lowest privileges possible. Luckily, Docker and Kubernetes sub-processes should not run with root privileges out of the box; however, you should be mindful of any container-based actions you take using the root account.

IDS/LOG MONITORING, AUTOMATION AND ACTION PLANS – Always keep an eye on what is going on in your environment and have predetermined action plans for what to do should there be a service interruption. A container IDS can provide you with a holistic view of network traffic between containers and security alerts based on bad or malicious traffic, while logs provide the forensic data necessary to uncover what is going on at the system level. Using these practices in tandem provides a solid foundation for detecting threats both between and within active containers in real time. (Note: for continuous logging on Docker you may have to configure the default logging driver to write logs to your desired location, e.g. /var/log/ or /var/log/docker/.)

RECOVERY BACKUPS – This goes hand in hand with the previous best practice. Always create backups at important points in time, such as before updates or any major development changes. Also, schedule regular automatic updates for disaster recovery purposes.

TRUSTED SOFTWARE ONLY – Only pull images from well-known, trusted image repositories. It may be tempting (after reading a good article on a random blog or receiving a link) to pull an image from an unknown repository, but you shouldn't. If you can't find the images you want within trusted repositories, there's probably a reason for this.

LIMIT SYSTEM RESOURCES – Using container orchestration frameworks like Docker Swarm and Kubernetes, you can limit memory allocation, which can help reduce DoS attacks and general resource hogging.

A HEALTHY HOST IS A HAPPY HOST – Focusing on your container health is great, but don't forget to keep your main host up to date and healthy with periodic restarts.

PORTABILITY IS KEY – Make sure your approach operates across multiple platforms so you can securely manage containers across platforms, in hybrid environments, and on-premises.

THINK BIG PICTURE SECURITY – Whether you're using containerization for development or running production servers for ecommerce, outline your goals and security posture before you make any moves; this way, nothing is overlooked. In large production or development environments it's easy to overlook or simply forget about the smaller parts.

JOIN A COMMUNITY FORUM – Docker, AWS, Azure, Kubernetes, etc. all have either their own support forums or independent forums built around them. Find a popular community and join the conversation.

[1] Cloud Native Computing Foundation, CNCF Survey 2020, published November 17, 2020.
[2] IDC, Containerizing Key Business Workloads: Meeting End-to-End Kubernetes Data Service Needs for Enterprise Applications.
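The PERMISSIONS, LIMIT SYSTEM RESOURCES and TRUSTED SOFTWARE ONLY practices above can be checked mechanically before a pod is admitted. The following audit script is an added example, not Alert Logic's code: the registry allow-list and both pod specs are constructed for illustration, and the pod-level/container-level securityContext merge mirrors how Kubernetes applies those fields.

```python
# Added audit script (not Alert Logic's code): checks a Kubernetes Pod spec against the
# PERMISSIONS, LIMIT SYSTEM RESOURCES and TRUSTED SOFTWARE ONLY practices above.
from typing import Any, Dict, List

# Hypothetical allow-list: your own registry plus, here, Docker's official images.
TRUSTED_REGISTRIES = ("registry.example.internal/", "docker.io/library/")

def normalize_image(image: str) -> str:
    """Expand Docker's implicit defaults: 'nginx:1.25' -> 'docker.io/library/nginx:1.25'."""
    parts = image.split("/")
    is_registry = "." in parts[0] or ":" in parts[0] or parts[0] == "localhost"
    if len(parts) == 1:
        return "docker.io/library/" + image
    return image if is_registry else "docker.io/" + image

def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Return one finding per violated practice; an empty list means the spec passes."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = {**pod_sc, **c.get("securityContext", {})}  # container level overrides pod level
        # Without runAsNonRoot/runAsUser the process is root unless the image sets USER;
        # flag conservatively, since the manifest alone cannot prove otherwise.
        if sc.get("runAsNonRoot") is not True and sc.get("runAsUser", 0) == 0:
            findings.append(f"{name}: may run as root; set runAsNonRoot: true")
        if sc.get("privileged") or sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: privileged or allowPrivilegeEscalation not disabled")
        if "memory" not in c.get("resources", {}).get("limits", {}):
            findings.append(f"{name}: no memory limit (DoS / resource hogging)")
        image = normalize_image(c.get("image", ""))
        if not image.startswith(TRUSTED_REGISTRIES):
            findings.append(f"{name}: image {image} not from a trusted registry")
    return findings

# Constructed samples: a spec with defaults the guide warns against, and its hardened form.
WEAK_POD = {"spec": {"containers": [{"name": "web", "image": "someuser/webapp:latest",
                                     "securityContext": {"privileged": True}}]}}
HARDENED_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
    "containers": [{"name": "web", "image": "registry.example.internal/webapp:1.4.2",
                    "securityContext": {"privileged": False, "allowPrivilegeEscalation": False},
                    "resources": {"limits": {"memory": "256Mi", "cpu": "500m"}}}]}}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod(pod) or ["OK"])
```

The weak spec produces four findings (root, privilege escalation, no memory limit, untrusted registry); the hardened spec produces none.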
