Docker Container vulnerability exploit and run-time protection demo
This presentation is for educational purpose only. The goal is to enable security team to start focusing on new emerging threat vector. In this presentation we are going to exploit container run time security and later we will learn how to protect the same with advanced threat mitigation tool (Trend Micro Deep security). We are explaining this scenario with red team and blue team security concept. Demo shows following scenarios. 1) Red Team demo: a. Exploiting containerized application over http/https (represents North-South traffic threat vector) b. One container is exploiting another container within same server (represents East-West traffic threat vector) 2) Blue team demo: Blue team has honeypot configured to catch latest threats. part 3 and 4 demo video will be showing the same. a. Protects container from getting exploited using DS IPS virtual patching (North-South traffic). b. Prevents attacker container to exploit victim container within same host (East-West traffic). Container image scanning is feature of Trend Micro Deep Security smart check. I have not covered the same. Smart check is useful to identify security threat at docker registry level. so you can mitigate security risk before image goes to production
More Related Content
Similar to Docker Container vulnerability exploit and run-time protection demo
Similar to Docker Container vulnerability exploit and run-time protection demo (20)
Recently uploaded
Recently uploaded (20)
Docker Container vulnerability exploit and run-time protection demo
- 1. Container runtime protection: Exploits running wild over North-South and East-West Traffic Tejas Sheth Cloud security architect at Trend Micro
- 2. This is How Red Team Rolls Lets see how attack works on containerized micro service application
- 3. VPC Public subnet Private subnet RDS DB EC2 with container Route53 DNS ELB Tomcat JAVA Struts App Bash IGW My Attacker system Exploit http/https NORTH-SOUTH Traffic
- 4. EC2 with container Tomcat JAVA App Bash EAST-WEST traffic threat demo Apache PHP App Bash veth veth Docker0 eth0 Compromised JAVA App container Victim static site target container Attack!! Network interface
- 5. Blue team: This is how you protect Run time protection
- 6. VPC Public subnet Private subnet RDS DB EC2 with container Route53 DNS ELB Tomcat JAVA Struts App Bash IGW My Attacker system Port 80/443 Port 8080 NORTH-SOUTH Traffic Protection
- 7. EC2 with container Tomcat JAVA App Bash EAST-WEST traffic threat protection Apache PHP App Bash veth veth Docker0 eth0 Compromised JAVA App container Victim static site target container Attack Blocked!! DSA
- 8. Key Takeaways Container runtime security is critical Containerized application exposes different threat vector, don’t mitigate risk with traditional tools
Editor's Notes
- In this presentation we are going to illustrate the attack by demonstrating how Red team identify threat and tries to exploit it, and what Blue team does for protection.
- Lets see how an vulnerable Docker image increases security risk. We have honeypot configured where we will exploit application in container. We will demonstrate how we are catching other threat actors from internet with honeypot configuration.
- We have setup VPC, route table, natgateway (click) - > EC2 instance in public subnet and DB in private (click) -> EC2 has 2 docker container running 1st container is with java application and has apache struts vulnerability (application published over port 8080) 2nd container has static web application but it has shellshock vulnerability in bash (application published over port 80) EC2 instance has ELB loadbalancer. We will be doing 2 types of attack and prevent at runtime. 1) We will do RCE from attacker machine to container runtime over web application port (8080 and 80) 2) We will do RCE from one container to another container in same EC2 to check the east west traffic protection.
- In next demo we will see the east-west traffic threat vector. We will be attacking vulnerable bash container from another application container (in same server). Since both the containers are in same server (east-west), traditional NIPS/HIPS will not be able to intercept traffic.
- Check out, how we can protect against security risk.
- Now we are going to protect the instance from malicious north-south traffic (click) - > attacks over port 8080 (struts exploit) and port 80 (shellshock) will be protected by deep security agent.
- In next demo we will see the east-west traffic threat vector. We will be attacking vulnerable bash container from another application container (in same server).