Organizations are using containers to achieve new levels of efficiency and scalability in the cloud. However, this has increased the complexity of the attack surface they need to protect and has placed containers in the crosshairs of adversaries.

Container security starts with the container image. Developers sometimes use base images from an external registry to build their images. Unfortunately, these images can contain malware or vulnerable libraries. This reality makes it critical for organizations to prioritize image assessment as part of their cloud security strategy.

Common Types of Container Image Misconfigurations

Here are some typical security issues involving container images:

Using a root user account in containers

Running a container with root privileges increases the danger from attackers looking to compromise the host machine.

Using outdated, vulnerable, backdoored images

Attackers will take advantage of vulnerable or compromised images, so image scanning is a vital defense.

Unwanted users being part of a Docker group

If a user is part of a Docker group, it is possible to escalate their privileges to root access. This is a prime position for a threat actor.

Use of a privileged flag

Running a container with a privileged flag gives users access to the host’s resources, which an attacker can abuse if the container is compromised.

Mounting sensitive host files or directories onto the container

Docker enables users to mount the host machine’s files and directories onto containers, which can increase the attack surface if the files are sensitive.

These and other misconfigurations involving Docker or Kubernetes represent a significant risk to organizations, and identifying them is a critical component of your cloud security strategy.

How Threat Actors Target Containers

Reducing risk requires knowing the threats your organization faces. In cloud environments, that includes understanding how containers are being targeted.

Criminal actors have periodically exploited improperly configured Docker containers. Docker images are templates used for creating containers. These images can be used either on a standalone basis for users to directly interact with a tool or service, or as the parent to another application. Because of this hierarchical mode, if an image has been modified to contain malicious tooling, any container derived from it will also be infected.

In 2021, CrowdStrike Intelligence reported on the malware family Doki, which uses containers as both an initial infection vector and as a means for parallel track tasking. Once malicious actors gain access, they can abuse these escalated privileges to accomplish lateral movement and then proliferate throughout the network. CrowdStrike Intelligence has also continued to track adversary operations involving the access and modification of constituent parts of Kubernetes clusters.

Kubernetes is an open-source container-orchestration system that automates the deployment, scaling and management of applications and their associated shared resources. The CrowdStrike threat hunting team has observed increasing adversary interest in Kubernetes clusters operating within corporate environments. The Kubernetes framework is a complex system comprising several constituent parts, allowing ample opportunity for misconfiguration that could provide an adversary with initial access to one component and subsequent lateral propagation opportunities that provide access to desired resources.

How to Protect Your Containers

Reduce attack surfaces in container images (like removing debugging tools)

To reduce the attack surface, enterprises need to focus on detecting vulnerabilities, malware, compliance violations and more, from build to runtime.

Perform vulnerability scanning as a part of container creation and staging processes to the container registry

Vulnerability scanning enables enterprises to catch security issues before they can be exploited by attackers.

Avoid using publicly shared container images

These images may be outdated or vulnerable, potentially introducing additional risk into your cloud environment.

Limit container privileges

Follow the principle of least privilege to ensure containers do not have excessive permissions.

Keeping cloud infrastructure safe requires security coverage throughout the CI/CD pipeline. By shifting security left and proactively assessing containers, CrowdStrike Cloud Security can help your organization reduce risk by identifying any vulnerabilities, embedded malware, stored secrets or other security issues before deployment.