Cloud Native ChannelUncovering Malicious Behavior in Container Images at Runtime
The session covers the risks of supply chain attacks in software development and the importance of robust container security. Speakers Lena and Ali from Aqua Security introduce Aqua's patented DTA for analyzing container images and discuss real-world case studies. The discussion highlights the evolving container threat landscape, the sophistication of attacks, and the use of advanced techniques to evade detection. It emphasizes the importance of Aqua's DTA in detecting, preventing, and simplifying the identification of threats in container environments.
Transcript
Hello, everyone, and welcome to our session, Catch Me If You Can, Uncovering Malicious Behavior in Container Images. As software development increasingly relies on third party components, the risk of supply chain attacks has surged. In this session, we'll dive into how threat actors exploit public container images and discuss why vulnerability scanning alone just doesn't suffice for robust container security. Your speakers, we have Lena, product marketing manager, and Ali, a solutions architect here at Aqua Security, who will guide you through the evolving container threat landscape.
Together, we'll showcase Aqua's patented dynamic threat analysis, better known as DTA, which is a very powerful tool that helps DevSecOps teams to analyze container images, their runtime behavior, predeployment, forwarding malicious threats from impacting live applications. Throughout this video, you'll gain insights into the escalating threat of software supply chain attacks through public container images, real world case studies where DTA has helped organizations mitigate supply chain risks, enhance forensics, and bolster security postures. DTA's unique patented technology demonstrated live for you to showcase its superiority and catching unknown malicious behavior, and we'll share some actual tips that have been derived from our extensive experience in aiding numerous organizations to build robust container security programs.
So enjoy the session. Ask questions as we uncover the strategies and technologies that are crucial for protecting your container images against sophisticated threats. Let's get into it.
Thank you, Joe, for having us.
Ali, I have a question for you. Do you know what's one common thing between, these three pictures?
I know you've asked me to review my movie culture, Lena, but I have no idea what those have in common.
No worries. I'll explain it for you. So the first one is Frank Abagnale junior. It's the main character of the famous movie Catch Me If You Can with, Leo DiCaprio.
It's, a real man, it's a real person, and, he's a notorious con artist in all American history. History. The second one is Golden Snitch. It's the fastest and the smallest, ball used in Quidditch. It's from Harry Potter.
And the last one, but not the least, is, the Higgs boson. It's an elementary particle. It was a long searched form and the discovery, of this particle brought a Nobel Prize in physics. So do you have any ideas now?
Oh, wow. That last one was really technical.
I think I now get it. The the common theme around them is probably that they were all hard to catch?
Exactly. You're right. Storm, all the saints, all these persons and particles were really hard to catch. And, the same way as, you know, modern threats that are targeting container environments today, they are also really hard to catch.
Before we jump into the threat landscape, Lena, can you maybe remind us why containers are so important for modern organizations? Why do they matter, basically?
Sure. Containers are a really hot technology right now. They're extremely popular and ubiquitous.
Every organization is using containers to build applications faster and in a more efficient way and, they are kind of, you know, this, essential building blocks of digital transformation and, of the cloud native ecosystem as a whole.
So precisely because they are so popular and everywhere, containers and container images have become a really popular and common target for, malicious actors and here, for example, are some key stats and most of them are coming from our in house threat research team, Aquanotelas.
That's, the team that's exclusively focused on cloud native landscape. They, detect and analyze, you know, thousands of attacks every single day.
So, what we are seeing, what are the main trends? We are seeing that attacks are becoming more and more sophisticated.
Attackers are getting, you know, smarter and smarter.
They don't wanna get caught, obviously, and, they are trying to use more advanced techniques to evade detection.
For example, they are using, bagged doors and filers malware.
All the strands are on the rise currently.
And, also they are trying to, you know, hide malware inside, public container images on services like Docker Hub.
They're trying to make it innocent looking and to trick developers into downloading, these images.
And, this is especially dangerous because this malware only manifests at run time, and it's really hard to detect before deployment.
I completely agree with you, Elena, on that. That's exactly what we are seeing in the field as well with, with customers.
I think the number one threat is, or in the threat landscape are going to be the supply chain threats that are a a big concern for organizations.
The the first big part of it is really container images that serve developers and DevOps teams as base images.
Those are the number one, corrupted data that is coming from the outside into, organizations. But there are other, techniques that we see a lot of. Like, typosquatting, for example, is a very simple yet very efficient attack technique that is also exploiting human oversight, or even malicious packages in public repos sometimes matching, the same names that are in private repos. That's another very common trend. So generally speaking, I would say, cloud native applications are comprised of, a major part of third party components, open source libraries, which makes it easier for hackers to leverage supply chain attacks.
Exactly. And, just to add to your point that why their swarm are dangerous because, in most cases, they are only detected, by relating the process, only at run time. And, you know, this is more risky for organizations, and it, increases the cost of, you know, dealing with, incidents in production.
Indeed. What do you think organizations are doing today to detect these container risks before deploying into production in your opinion?
Well, historically, security teams are using vulnerability scanning tools to detect risks in their container images and, these tools are great, you know, they detect many kinds of risks such as, you know, known vulnerabilities and known malware and, sensitive data, invalid secrets, misconfigurations such as, for example, a root user in the container.
Swarm, like, ViaTak will also provide a really great vulnerability scanner, which is called Aqua Trivy, and, like, it's open source. You can start using it right away.
Mhmm. I can sense there is a bots coming.
Yes.
Yes. You're right.
These tools are great, but, the truth is they don't detect they detect only a portion of the risks, in container images. There are many, other types, more advanced to threats and that they are not able to identify such as, for example, bad network communication, other types of malware, containerscapes, some, backdoors, fileless malware, and so on. So, the bottom line is that vulnerability scanning is, a great foundation for your container security, But, alone, it's not enough, and it can't protect you from more advanced threats.
I agree with you once again. And and, actually, that's exactly why we, as Aqua, as a company, we built dynamic threat analysis, DTA for short, precisely to counter these dynamic threats and to complement what we are doing with static scanning.
And that's a great meme, that we have there. Drake is, not always right for those who know him in his songs, but at least, here he's spot on.
The the main goal is, not to find malware in running containers, is to not find malware at all.
But, when we need to validate the, external components, the third party components, then we would rather do it before production indeed.
Yeah. I'm sure if Drake was, dealing with these container images, he would be a real fan of DTE.
Indeed. So, Elena, can you tell us a little bit about how, DTA was created initially?
Happy to, Swarm.
Initially, DTA was born inside our threat research team, inside Aquanautilus.
It was created to, you know, observe for, container attacks and to catch these malicious and suspicious processes inside container images.
And now it's, you know, it's officially patented sandbox technology and, the beauty of DTA is that it uses this advanced behavioral, based detection. It's not only signature based, but it analyzes the behavior of, malicious elements.
So, and, you know, the cherry on top is that, it's works pre deployment.
So you are able to catch the sophisticated threats, before you're actually deploying your applications to production.
Yeah. The DCA is really unique. And, if I remember correctly, I think the team, has identified many zero day attacks thanks to the same technology. So as you as you mentioned, it goes beyond the traditional malware scanner.
And, it's it's also, sometimes mixed or confused with what we call DaaS in in the cybersecurity markets, which stands for dynamic application security testing. So it's not exactly like it, but would be complementary to it. DaaS is rather a technology that evaluates dynamically the application layer, while DTA will, will look into, the container level and, the different threats that can happen on the runtime level but before production, and we'll see how how that works in in few few minutes.
Yeah. You know, this sounds really cool. Can you like, I'm wondering how it works under the pool. Can you, show how the tape works?
Yeah. Sure. Let's check it out together through this slide.
So, basically, the first step that, we see here is, container images that serve as, base images sometimes are stored in registries.
External registries most of the time, like Docker Hub, for example. So developers and DevOps teams will often pull container images that are stored in Docker Hub.
What DTA will help them do is, take those container images that are coming from Docker Hub and emulate a container based on those container images in order to monitor their behaviors, or their behavior in runtime.
And basically what DTA does is it recreates our runtime environments for those external images to run, and DTA applies different sets of controls to identify or unexpected behaviors.
And these external container images can be designed sometimes to leave, backdoors, in order to come back later on to drop some crypto miners so that as soon as you start the container in production, it's task consuming resources that users are, paying for.
Sometimes it's rather rather to escape, the container itself in order to go to additional resources.
And the ultimate goal with DTA is to be able to identify those threats, but also to map them against the MITRE attack framework so that they are prioritized, they are classified in order to help security professionals and, in some cases, the SOC engineers specifically in order to validate the difference, indicators of compromise that they could have inside their organization.
And it helps, obviously, DevOps and DevSecOps teams to validate those third party container images.
And after all, we will build, the attack kill chain so that we can understand exactly what that container image coming from the outside is doing.
We can, build reports around it to to show to different teams. Once again, SOC teams, but also security teams in general, in order to validate anything that is coming from the outside and avoid supply chain attacks.
That, sounds really awesome.
I now understand how it works and how it catches this, you know, evasive and sophisticated stress.
But how likely it is to happen in real life? Maybe you have an example to share with us.
It's it's a great transition to to my next slides.
I have a perfect example that's happened not so lot long time ago, but, simplified, this was an attack that's happened with a fake Ubuntu, Docker Hub repo that was called Ubuntu with a z, at the end that was created to dupe users, looking for the real Ubuntu images. And so basically, what it does is, as soon as you pull it and you run it inside, your runtime environments, it would download a cryptocurrency miner from GitHub during runtime. So, basically, it would be it would look legit, to firewall, solutions, to other security platforms.
And the reality is that, we've seen that, this specific, or these specific images were actually pulled and used, over three hundred thousand times, which is huge.
And this basically evades, all the static analysis or all the static security scanning that we could do. So here, it's a perfect example, where DTA can bring value before we find surprises in production.
Thanks for sharing. It's a really great example, of how this attacks, can spread and reach a really, high scale.
And by the way, if, you would like to get more details about this attack or just to say update it on the threat landscape, you're welcome to subscribe to the Apple blog. We regularly publish, new threat alerts there and other content as well.
So I think now is a perfect time to, finally show DTE in action to our audience. Don't you think?
Of course.
We'll take you through a case study where DTA can help prevent any risks from going from the pipelines or the build environments that you're having into runtime environments.
And in this case, we'll look into how we can scan, a container image that is coming from the outside, that can be used inside the pipelines, to prevent attacks from happening later on in the process.
Okay. So welcome to the AQO platform where we'll be showcasing dynamic threat analysis specifically on the case study of validating container images that are coming from the outside.
And here you will see that we have the whole list of all the images that are statically scanned. So if we take this example here, you can easily see which image we have scanned, whether it's compliant or non compliant against our, assurance policies, You can easily see all the vulnerabilities that were identified, whether we have any secret in there, and if we have any hard coded malware as well. Now we want to have, beyond the static scanning that we're doing here, we want to look at a specific image that is coming from the outside, and you can easily look into it by checking on the right side here that it's coming from Docker Hub. And we look into this specific image where we don't have any critical vulnerabilities. We have some other, severities for vulnerabilities.
So we'll look into it a little bit more in detail. And here you can easily see that the image is noncompliance and is noncompliance because of one specific policy, and that is dynamic threat analysis while being compliant to the three other policies that we see here.
So we could check this specific image and say, this is free of critical relavities.
It's free of malware and it's free of sensitive data. So we are good to go. However, we can see that one specific control, and that is dynamic threat analysis has failed.
Now let's look at the Verma b t's first just to give you a quick example on how we can look into the vulnerabilities and think that this is safe. This is, a valid image that we can add our application code into.
We don't have any critical vulnerabilities.
But when we look at the dynamic threat analysis tab, we can see that we have a lot of different risks, although we don't have any critical of diabetes.
So first of all, what we do here is we take that image that we scan statically that doesn't have any critical diabetes, and we emulate a container in a runtime environment in a secure sandbox in order to monitor and identify any suspicious behaviors.
And for this specific image, I will start with the right side here, weaponization, where we can see that we have different indicators of compromise, and one of them is a payload that is dropped and executed during run time, which should not happen, which which is not expected from this specific image.
And we can look into another category of collection and exfiltration, for example, where we see that that executable that was dropped in memory is actually a malware, a known malware.
And specifically, it's a crypto miner that is running, and we can see here that it's XMR miner. We can see the evidence with its hash, with its signature that we can see here. And we map it, as we mentioned before, to the, MITRE categories or MITRE attack framework categories so that we can easily, classify it and prioritize it. And this specific malware that we see here, CryptoMiner, will be also communicating or having communications that are not expected with different types of, domain names that are prohibited that could be, command and control servers. And we see here that we have a communication with Shodan, for example, where we have also the geolocation of all the communications that are happening.
So this specific image is noncompliant because of dynamic threat analysis, but could be completely valid from a static scanning perspective.
And these specific scan, static and dynamic can happen within the pipeline to prevent the risks from moving from one stage to the other in the application life cycle.
Thank you. That was a really powerful demo.
I think we are moving to the end of our webinar today.
Let's now sum it up for our audience.
What, I Dtale brings a lot of benefits to security teams.
For example, it helps, you know, detect this, evasive and malicious threats, before deployment.
And so this way prevent, you know, any attacks and that any actual incidents in production?
It also helps validate artifacts. So any image that is coming from the outside before adding any application code into it, it will be validated with static scanning, but also dynamic threat analysis so that we can look into both sides of the security posture of that can that base image.
And it also helps reduce, the attack surface, by finding and, you know, addressing this this risks early in the application life cycle, you are able to, you know, reduce attack surface and protect, better your running applications.
It will also help you simplify, identification of all indicators of compromise, especially for the SOC teams, the DevSecOps teams looking to validate artifacts as well. And it will make, the SOC teams' lives easier for investigation afterwards.
Yeah. As you said, for SOC teams, it brings a lot of value. It helps, you know, visualize the entire kill chain of a potential attack and this way kind of contains this attack and minimize its impact and like make sure it doesn't spread further. And, in conclusion, all threats are going to be caught and BTA will help us do it. Thanks everyone for joining.
Thanks everyone for joining, and thank you, Joe, for having us.
Together, we'll showcase Aqua's patented dynamic threat analysis, better known as DTA, which is a very powerful tool that helps DevSecOps teams to analyze container images, their runtime behavior, predeployment, forwarding malicious threats from impacting live applications. Throughout this video, you'll gain insights into the escalating threat of software supply chain attacks through public container images, real world case studies where DTA has helped organizations mitigate supply chain risks, enhance forensics, and bolster security postures. DTA's unique patented technology demonstrated live for you to showcase its superiority and catching unknown malicious behavior, and we'll share some actual tips that have been derived from our extensive experience in aiding numerous organizations to build robust container security programs.
So enjoy the session. Ask questions as we uncover the strategies and technologies that are crucial for protecting your container images against sophisticated threats. Let's get into it.
Thank you, Joe, for having us.
Ali, I have a question for you. Do you know what's one common thing between, these three pictures?
I know you've asked me to review my movie culture, Lena, but I have no idea what those have in common.
No worries. I'll explain it for you. So the first one is Frank Abagnale junior. It's the main character of the famous movie Catch Me If You Can with, Leo DiCaprio.
It's, a real man, it's a real person, and, he's a notorious con artist in all American history. History. The second one is Golden Snitch. It's the fastest and the smallest, ball used in Quidditch. It's from Harry Potter.
And the last one, but not the least, is, the Higgs boson. It's an elementary particle. It was a long searched form and the discovery, of this particle brought a Nobel Prize in physics. So do you have any ideas now?
Oh, wow. That last one was really technical.
I think I now get it. The the common theme around them is probably that they were all hard to catch?
Exactly. You're right. Storm, all the saints, all these persons and particles were really hard to catch. And, the same way as, you know, modern threats that are targeting container environments today, they are also really hard to catch.
Before we jump into the threat landscape, Lena, can you maybe remind us why containers are so important for modern organizations? Why do they matter, basically?
Sure. Containers are a really hot technology right now. They're extremely popular and ubiquitous.
Every organization is using containers to build applications faster and in a more efficient way and, they are kind of, you know, this, essential building blocks of digital transformation and, of the cloud native ecosystem as a whole.
So precisely because they are so popular and everywhere, containers and container images have become a really popular and common target for, malicious actors and here, for example, are some key stats and most of them are coming from our in house threat research team, Aquanotelas.
That's, the team that's exclusively focused on cloud native landscape. They, detect and analyze, you know, thousands of attacks every single day.
So, what we are seeing, what are the main trends? We are seeing that attacks are becoming more and more sophisticated.
Attackers are getting, you know, smarter and smarter.
They don't wanna get caught, obviously, and, they are trying to use more advanced techniques to evade detection.
For example, they are using, bagged doors and filers malware.
All the strands are on the rise currently.
And, also they are trying to, you know, hide malware inside, public container images on services like Docker Hub.
They're trying to make it innocent looking and to trick developers into downloading, these images.
And, this is especially dangerous because this malware only manifests at run time, and it's really hard to detect before deployment.
I completely agree with you, Elena, on that. That's exactly what we are seeing in the field as well with, with customers.
I think the number one threat is, or in the threat landscape are going to be the supply chain threats that are a a big concern for organizations.
The the first big part of it is really container images that serve developers and DevOps teams as base images.
Those are the number one, corrupted data that is coming from the outside into, organizations. But there are other, techniques that we see a lot of. Like, typosquatting, for example, is a very simple yet very efficient attack technique that is also exploiting human oversight, or even malicious packages in public repos sometimes matching, the same names that are in private repos. That's another very common trend. So generally speaking, I would say, cloud native applications are comprised of, a major part of third party components, open source libraries, which makes it easier for hackers to leverage supply chain attacks.
Exactly. And, just to add to your point that why their swarm are dangerous because, in most cases, they are only detected, by relating the process, only at run time. And, you know, this is more risky for organizations, and it, increases the cost of, you know, dealing with, incidents in production.
Indeed. What do you think organizations are doing today to detect these container risks before deploying into production in your opinion?
Well, historically, security teams are using vulnerability scanning tools to detect risks in their container images and, these tools are great, you know, they detect many kinds of risks such as, you know, known vulnerabilities and known malware and, sensitive data, invalid secrets, misconfigurations such as, for example, a root user in the container.
Swarm, like, ViaTak will also provide a really great vulnerability scanner, which is called Aqua Trivy, and, like, it's open source. You can start using it right away.
Mhmm. I can sense there is a bots coming.
Yes.
Yes. You're right.
These tools are great, but, the truth is they don't detect they detect only a portion of the risks, in container images. There are many, other types, more advanced to threats and that they are not able to identify such as, for example, bad network communication, other types of malware, containerscapes, some, backdoors, fileless malware, and so on. So, the bottom line is that vulnerability scanning is, a great foundation for your container security, But, alone, it's not enough, and it can't protect you from more advanced threats.
I agree with you once again. And and, actually, that's exactly why we, as Aqua, as a company, we built dynamic threat analysis, DTA for short, precisely to counter these dynamic threats and to complement what we are doing with static scanning.
And that's a great meme, that we have there. Drake is, not always right for those who know him in his songs, but at least, here he's spot on.
The the main goal is, not to find malware in running containers, is to not find malware at all.
But, when we need to validate the, external components, the third party components, then we would rather do it before production indeed.
Yeah. I'm sure if Drake was, dealing with these container images, he would be a real fan of DTE.
Indeed. So, Elena, can you tell us a little bit about how, DTA was created initially?
Happy to, Swarm.
Initially, DTA was born inside our threat research team, inside Aquanautilus.
It was created to, you know, observe for, container attacks and to catch these malicious and suspicious processes inside container images.
And now it's, you know, it's officially patented sandbox technology and, the beauty of DTA is that it uses this advanced behavioral, based detection. It's not only signature based, but it analyzes the behavior of, malicious elements.
So, and, you know, the cherry on top is that, it's works pre deployment.
So you are able to catch the sophisticated threats, before you're actually deploying your applications to production.
Yeah. The DCA is really unique. And, if I remember correctly, I think the team, has identified many zero day attacks thanks to the same technology. So as you as you mentioned, it goes beyond the traditional malware scanner.
And, it's it's also, sometimes mixed or confused with what we call DaaS in in the cybersecurity markets, which stands for dynamic application security testing. So it's not exactly like it, but would be complementary to it. DaaS is rather a technology that evaluates dynamically the application layer, while DTA will, will look into, the container level and, the different threats that can happen on the runtime level but before production, and we'll see how how that works in in few few minutes.
Yeah. You know, this sounds really cool. Can you like, I'm wondering how it works under the pool. Can you, show how the tape works?
Yeah. Sure. Let's check it out together through this slide.
So, basically, the first step that, we see here is, container images that serve as, base images sometimes are stored in registries.
External registries most of the time, like Docker Hub, for example. So developers and DevOps teams will often pull container images that are stored in Docker Hub.
What DTA will help them do is, take those container images that are coming from Docker Hub and emulate a container based on those container images in order to monitor their behaviors, or their behavior in runtime.
And basically what DTA does is it recreates our runtime environments for those external images to run, and DTA applies different sets of controls to identify or unexpected behaviors.
And these external container images can be designed sometimes to leave, backdoors, in order to come back later on to drop some crypto miners so that as soon as you start the container in production, it's task consuming resources that users are, paying for.
Sometimes it's rather rather to escape, the container itself in order to go to additional resources.
And the ultimate goal with DTA is to be able to identify those threats, but also to map them against the MITRE attack framework so that they are prioritized, they are classified in order to help security professionals and, in some cases, the SOC engineers specifically in order to validate the difference, indicators of compromise that they could have inside their organization.
And it helps, obviously, DevOps and DevSecOps teams to validate those third party container images.
And after all, we will build, the attack kill chain so that we can understand exactly what that container image coming from the outside is doing.
We can, build reports around it to to show to different teams. Once again, SOC teams, but also security teams in general, in order to validate anything that is coming from the outside and avoid supply chain attacks.
That, sounds really awesome.
I now understand how it works and how it catches this, you know, evasive and sophisticated stress.
But how likely it is to happen in real life? Maybe you have an example to share with us.
It's it's a great transition to to my next slides.
I have a perfect example that's happened not so lot long time ago, but, simplified, this was an attack that's happened with a fake Ubuntu, Docker Hub repo that was called Ubuntu with a z, at the end that was created to dupe users, looking for the real Ubuntu images. And so basically, what it does is, as soon as you pull it and you run it inside, your runtime environments, it would download a cryptocurrency miner from GitHub during runtime. So, basically, it would be it would look legit, to firewall, solutions, to other security platforms.
And the reality is that, we've seen that, this specific, or these specific images were actually pulled and used, over three hundred thousand times, which is huge.
And this basically evades, all the static analysis or all the static security scanning that we could do. So here, it's a perfect example, where DTA can bring value before we find surprises in production.
Thanks for sharing. It's a really great example, of how this attacks, can spread and reach a really, high scale.
And by the way, if, you would like to get more details about this attack or just to say update it on the threat landscape, you're welcome to subscribe to the Apple blog. We regularly publish, new threat alerts there and other content as well.
So I think now is a perfect time to, finally show DTE in action to our audience. Don't you think?
Of course.
We'll take you through a case study where DTA can help prevent any risks from going from the pipelines or the build environments that you're having into runtime environments.
And in this case, we'll look into how we can scan, a container image that is coming from the outside, that can be used inside the pipelines, to prevent attacks from happening later on in the process.
Okay. So welcome to the AQO platform where we'll be showcasing dynamic threat analysis specifically on the case study of validating container images that are coming from the outside.
And here you will see that we have the whole list of all the images that are statically scanned. So if we take this example here, you can easily see which image we have scanned, whether it's compliant or non compliant against our, assurance policies, You can easily see all the vulnerabilities that were identified, whether we have any secret in there, and if we have any hard coded malware as well. Now we want to have, beyond the static scanning that we're doing here, we want to look at a specific image that is coming from the outside, and you can easily look into it by checking on the right side here that it's coming from Docker Hub. And we look into this specific image where we don't have any critical vulnerabilities. We have some other, severities for vulnerabilities.
So we'll look into it a little bit more in detail. And here you can easily see that the image is noncompliance and is noncompliance because of one specific policy, and that is dynamic threat analysis while being compliant to the three other policies that we see here.
So we could check this specific image and say, this is free of critical relavities.
It's free of malware and it's free of sensitive data. So we are good to go. However, we can see that one specific control, and that is dynamic threat analysis has failed.
Now let's look at the Verma b t's first just to give you a quick example on how we can look into the vulnerabilities and think that this is safe. This is, a valid image that we can add our application code into.
We don't have any critical vulnerabilities.
But when we look at the dynamic threat analysis tab, we can see that we have a lot of different risks, although we don't have any critical of diabetes.
So first of all, what we do here is we take that image that we scan statically that doesn't have any critical diabetes, and we emulate a container in a runtime environment in a secure sandbox in order to monitor and identify any suspicious behaviors.
And for this specific image, I will start with the right side here, weaponization, where we can see that we have different indicators of compromise, and one of them is a payload that is dropped and executed during run time, which should not happen, which which is not expected from this specific image.
And we can look into another category of collection and exfiltration, for example, where we see that that executable that was dropped in memory is actually a malware, a known malware.
And specifically, it's a crypto miner that is running, and we can see here that it's XMR miner. We can see the evidence with its hash, with its signature that we can see here. And we map it, as we mentioned before, to the, MITRE categories or MITRE attack framework categories so that we can easily, classify it and prioritize it. And this specific malware that we see here, CryptoMiner, will be also communicating or having communications that are not expected with different types of, domain names that are prohibited that could be, command and control servers. And we see here that we have a communication with Shodan, for example, where we have also the geolocation of all the communications that are happening.
So this specific image is noncompliant because of dynamic threat analysis, but could be completely valid from a static scanning perspective.
And these specific scan, static and dynamic can happen within the pipeline to prevent the risks from moving from one stage to the other in the application life cycle.
Thank you. That was a really powerful demo.
I think we are moving to the end of our webinar today.
Let's now sum it up for our audience.
What, I Dtale brings a lot of benefits to security teams.
For example, it helps, you know, detect this, evasive and malicious threats, before deployment.
And so this way prevent, you know, any attacks and that any actual incidents in production?
It also helps validate artifacts. So any image that is coming from the outside before adding any application code into it, it will be validated with static scanning, but also dynamic threat analysis so that we can look into both sides of the security posture of that can that base image.
And it also helps reduce, the attack surface, by finding and, you know, addressing this this risks early in the application life cycle, you are able to, you know, reduce attack surface and protect, better your running applications.
It will also help you simplify, identification of all indicators of compromise, especially for the SOC teams, the DevSecOps teams looking to validate artifacts as well. And it will make, the SOC teams' lives easier for investigation afterwards.
Yeah. As you said, for SOC teams, it brings a lot of value. It helps, you know, visualize the entire kill chain of a potential attack and this way kind of contains this attack and minimize its impact and like make sure it doesn't spread further. And, in conclusion, all threats are going to be caught and BTA will help us do it. Thanks everyone for joining.
Thanks everyone for joining, and thank you, Joe, for having us.
Watch Next
