Category: AWS

Deepfence Cloud Native Workload Protection for InfoSec Pros

Deepfence is setting a very high bar in the Cloud Native Workload Protection (CNWP) space. Their offering is purpose-built for protecting internet-connected containerized workloads, and it is aimed squarely at the information security teams that have to protect production environments.

I love it when companies have a live sandbox environment that you can play around in!

To access Deepfence’s ThreatStryker Sandbox, sign up here

I will be going over some cool stuff that I saw in the Sandbox and providing a hyperlink so you can follow along too.

Alerts

The alert overview screen lets you see actual attacks on your infrastructure

https://threatstryker.deepfence.show/#/alert

Viewing the list of alerts, I spotted what looked like a web request that led to execution of the shell /bin/sh!

Opening up the alert there is a lot of detail, including the full HTTP body!

This is interesting, but it is unclear if the shell actually executed. I think I may need to check my logs to determine that. Let’s keep scrolling down…

There is a graph showing various hits for different attack techniques… one is a high-level alert for Lateral Movement!

LATERAL MOVEMENT ALERT!!!

After double-clicking the red dot in the “Lateral Movement” row, we are brought to the Trojan alert details. I love the detail here, but I’m not sure if the system actually executed the payload. I would need to look at the system logs.
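The open question in both alerts above (a request carried a shell payload, but did a shell actually run?) is settled by correlating the request with process-execution telemetry from the same container. The script below is an added example, not Deepfence code: it takes web alerts and host process-exec events, both in constructed formats that stand in for whatever your WAF and host agent actually emit, and marks an alert "confirmed" only when a shell was spawned by a web-server parent in the same container shortly after the request. A shell spawned by cron on the same host is deliberately not counted as evidence.

```python
"""Correlate web-request alerts with process-exec events (added example).

Log formats below are constructed for illustration; adapt parse_exec_log
and the ALERTS fields to the output of your own alerting layer and agent.
"""
import json
import re
from datetime import datetime, timedelta

# Constructed sample: two web requests flagged with shell payloads.
ALERTS = [
    {"ts": "2022-03-01T10:00:00Z", "container": "wordpress_wordpress_1",
     "path": "/wp-admin/admin-ajax.php",
     "body": "action=upload&cmd=;/bin/sh -c 'id'"},
    {"ts": "2022-03-01T10:05:00Z", "container": "wordpress_wordpress_1",
     "path": "/index.php",
     "body": "s=';/bin/sh -i'"},
]

# Constructed sample: one JSON exec event per line, as a host agent might
# report them. Only the first alert has a matching shell execution.
EXEC_LOG = """\
{"ts": "2022-03-01T10:00:01Z", "container": "wordpress_wordpress_1", "ppid_comm": "php-fpm", "exe": "/bin/sh", "argv": ["/bin/sh", "-c", "id"]}
{"ts": "2022-03-01T10:00:01Z", "container": "wordpress_wordpress_1", "ppid_comm": "sh", "exe": "/usr/bin/id", "argv": ["id"]}
{"ts": "2022-03-01T10:03:00Z", "container": "wordpress_wordpress_1", "ppid_comm": "cron", "exe": "/bin/sh", "argv": ["/bin/sh", "-c", "logrotate"]}
"""

WEB_PARENTS = {"php-fpm", "apache2", "httpd", "nginx", "node"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh"}
# Shell metacharacter followed by a shell: the "attempt" signature.
PAYLOAD_RE = re.compile(r"(?:;|\||&&|`|\$\()\s*(/bin/sh|/bin/bash|sh\b)")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_exec_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def confirm_execution(alert, execs, window=timedelta(seconds=30)):
    """Return exec events that substantiate the alert.

    An event counts only if it is in the same container, within `window`
    after the request, is a shell, and its parent is a web-server process.
    """
    t0 = parse_ts(alert["ts"])
    hits = []
    for ev in execs:
        t = parse_ts(ev["ts"])
        if not (t0 <= t <= t0 + window):
            continue
        if ev["container"] != alert["container"]:
            continue
        if ev["exe"] in SHELLS and ev["ppid_comm"] in WEB_PARENTS:
            hits.append(ev)
    return hits


def triage(alerts, execs):
    """confirmed: shell spawned; attempted: payload seen, no exec; benign: neither."""
    out = []
    for a in alerts:
        injected = bool(PAYLOAD_RE.search(a["body"]))
        hits = confirm_execution(a, execs)
        status = "confirmed" if hits else ("attempted" if injected else "benign")
        out.append({"ts": a["ts"], "path": a["path"],
                    "status": status, "evidence": hits})
    return out


if __name__ == "__main__":
    for r in triage(ALERTS, parse_exec_log(EXEC_LOG)):
        print(r["ts"], r["path"], r["status"],
              [e["argv"] for e in r["evidence"]])
```

The parent-process check is what separates "a shell ran on this host" from "this request spawned a shell": without it, the cron-launched /bin/sh in the sample would falsely confirm the first alert.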

Vulnerabilities

I like that Deepfence shows the most vulnerable attack paths

https://threatstryker.deepfence.show/#/vulnerability/vulnerabilities

Clicking the first item, I see that a container is running that is susceptible to the Log4j vulnerability.

Topology

This is one of the coolest features of ThreatStryker. An interactive node graph of your environment, including calls to external environments!

https://threatstryker.deepfence.show/#/topology/cloud

Let’s Click some nodes!

AWS Node

It appears that we have a few arrows going to AWS, and AWS is talking to the internet and some third-party services.

Hosts Inside AWS

What’s this? We have infrastructure running in AWS?

Three hosts have been discovered:

Double-clicking “deepfence-poc-agent-1” reveals three containers running on the host

Container info

Double-clicking on the “wordpress_wordpress_1” container reveals some information in the frame on the right of the page. I can see a breakdown of vulnerabilities by severity, a list of running processes, and the Docker labels.

Double-clicking on the vulnerabilities graphic brings up a list of vulnerabilities for this container

Selecting a vulnerability from the list, we get some info

Container Scanning

Scanning containers as they are built and before deployment is always a good idea. Deepfence supports many registries:

https://threatstryker.deepfence.show/#/registry_vulnerability_scan

Integrity Monitoring

You can create custom rules to alert on file modification or access to specific paths on disk

https://threatstryker.deepfence.show/#/topology/cloud

Secrets

I like that Deepfence will look for secrets on the disk of the containers

https://threatstryker.deepfence.show/#/secret-scan/scans

Below is an overview of the secrets found

I click on the Private Key slice

I then bring up a list of findings for one of the containers and find the row I am interested in

The signature found something, but it wasn’t useful, as that is the SSH key that runs sshd
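That hit is the classic false positive of a private-key signature: sshd cannot run without its host keys on disk, so /etc/ssh/ssh_host_*_key will match in every container that ships sshd. As an added example (not Deepfence's signature set), the scanner below pairs the PEM header signature with an expected-location allowlist, so host keys are reported as informational while a key anywhere else, or a host key with group/world-readable permissions, stays a high-severity finding. The file tree is constructed in memory; point scan() at os.walk output for a real container filesystem.

```python
"""Private-key signature with an expected-location allowlist (added example)."""
import re
from fnmatch import fnmatch

PRIVATE_KEY_RE = re.compile(
    r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)

# Paths where a private key is expected to exist for the service to run.
# Matching here downgrades the finding instead of suppressing it outright.
EXPECTED_KEY_GLOBS = (
    "/etc/ssh/ssh_host_*_key",
)

# Constructed sample tree: path -> (mode, content). Key bodies are placeholders.
FILES = {
    "/etc/ssh/ssh_host_ed25519_key": (
        0o600,
        "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA(placeholder)\n-----END OPENSSH PRIVATE KEY-----\n",
    ),
    "/etc/ssh/ssh_host_rsa_key": (
        0o644,  # host key, but readable by every user in the container
        "-----BEGIN RSA PRIVATE KEY-----\nMIIE(placeholder)\n-----END RSA PRIVATE KEY-----\n",
    ),
    "/var/www/html/wp-content/uploads/deploy.pem": (
        0o600,  # a key that has no business in the web root
        "-----BEGIN RSA PRIVATE KEY-----\nMIIE(placeholder)\n-----END RSA PRIVATE KEY-----\n",
    ),
    "/var/www/html/index.php": (0o644, "<?php echo 'hello'; ?>\n"),
}


def classify(path, mode, content):
    """Return a finding dict for a private key, or None if the file has none."""
    if not PRIVATE_KEY_RE.search(content):
        return None
    expected = any(fnmatch(path, g) for g in EXPECTED_KEY_GLOBS)
    finding = {
        "path": path,
        "severity": "info" if expected else "high",
        "reason": "sshd host key (expected location)" if expected
                  else "private key outside expected locations",
    }
    if mode & 0o077:  # group or other bits set: a problem even for host keys
        finding["severity"] = "high"
        finding["reason"] += "; permissions too open (%o)" % mode
    return finding


def scan(files):
    """Scan a {path: (mode, content)} mapping and return the findings in order."""
    return [f for f in (classify(p, m, c) for p, (m, c) in files.items()) if f]


if __name__ == "__main__":
    for f in scan(FILES):
        print(f["severity"].upper(), f["path"], "-", f["reason"])
```

Keeping the host-key hit as an informational finding, rather than dropping it, preserves the permission check: the 0644 RSA host key in the sample is still reported as high, because every process in that container can read it.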

AWS Systems Manager Session Manager on Steroids

Benefits of AWS Systems Manager Session Manager

AWS Systems Manager Session Manager (SSM) has many benefits for securing remote connections:

  • No inbound ports need to be open
  • SSH keys are not required
  • Access is defined in IAM policies
  • Works with the regular AWS command line, including Single Sign-On (SSO) and Multi-Factor Authentication (MFA) triggered through SSO

Shortcomings

  • SSH sessions are not recorded (Session Manager can log its own shell sessions to S3 or CloudWatch Logs, but SSH tunneled through it via the AWS-StartSSHSession document is end-to-end encrypted and opaque to that logging)
  • IAM (Identity and Access Management) policies are not user-friendly
  • A compromise of the SSO provider could leave your infrastructure exposed

Enhancing Security

Using a hardware token such as a YubiKey as your MFA factor would improve your security when connecting through SSM.
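The benefits and shortcomings above all come down to the IAM policy that grants ssm:StartSession. Below is an added example, not AWS tooling, showing a weak policy beside a hardened one and a small linter that checks three properties: MFA is required, instances are scoped by tag, and the SSH tunnel document is restricted so every session goes through Session Manager's own, loggable shell. The condition keys and document names are real (aws:MultiFactorAuthPresent, ssm:resourceTag/<key>, ssm:SessionDocumentAccessCheck, AWS-StartSSHSession, SSM-SessionManagerRunShell); the account id, region and tag values are placeholders, and any policy derived from this should be run through the IAM policy simulator before use.

```python
"""Lint an IAM policy for Session Manager least-privilege properties (added example)."""
import json

# Weak: any instance, any session document (SSH tunnel included), no MFA.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ssm:StartSession", "Resource": "*"}
    ],
}

# Hardened. Caveat: aws:MultiFactorAuthPresent is set for IAM users and
# MFA-asserted AssumeRole calls only; for IdP-federated (SSO) sessions the key
# is absent, a Bool test on it denies, and MFA must be enforced at the IdP.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TaggedInstancesWithMfa",
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",  # placeholders
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "StringEquals": {"ssm:resourceTag/Environment": "prod"},
            },
        },
        {
            "Sid": "OnlyTheShellDocument",
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": "arn:aws:ssm:us-east-1:111122223333:document/SSM-SessionManagerRunShell",
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"},
            },
        },
        {
            "Sid": "DenySshTunnel",  # SSH-over-SSM bypasses session logging
            "Effect": "Deny",
            "Action": "ssm:StartSession",
            "Resource": "arn:aws:ssm:*:*:document/AWS-StartSSHSession",
        },
        {
            "Sid": "ManageOwnSessions",
            "Effect": "Allow",
            "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
            # aws:username is empty for federated principals; use aws:userid there
            "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*",
        },
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def lint_session_policy(policy):
    """Return a list of findings; an empty list means all checks pass."""
    findings = []
    ssh_doc_restricted = False
    for st in policy["Statement"]:
        actions = _as_list(st.get("Action", []))
        if not any(a in ("ssm:StartSession", "ssm:*", "*") for a in actions):
            continue
        resources = _as_list(st.get("Resource", []))
        cond = st.get("Condition", {})
        sid = st.get("Sid", "<no Sid>")
        if st["Effect"] == "Deny":
            if any(r.endswith("document/AWS-StartSSHSession") for r in resources):
                ssh_doc_restricted = True
            continue
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") != "true":
            findings.append(f"{sid}: StartSession allowed without an MFA condition")
        tag_scoped = any(k.startswith("ssm:resourceTag/")
                         for k in cond.get("StringEquals", {}))
        instance_wide = any(r == "*" or r.endswith(":instance/*") for r in resources)
        if instance_wide and not tag_scoped:
            findings.append(f"{sid}: StartSession on every instance, no ssm:resourceTag condition")
        if cond.get("BoolIfExists", {}).get("ssm:SessionDocumentAccessCheck") == "true":
            ssh_doc_restricted = True
    if not ssh_doc_restricted:
        findings.append("session document unrestricted: AWS-StartSSHSession tunnels "
                        "are allowed and are invisible to Session Manager logging")
    return findings


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(lint_session_policy(pol), indent=2))
```

The third check is the one that addresses the "SSH sessions are not recorded" shortcoming directly: denying the AWS-StartSSHSession document (or allowing only the shell document with ssm:SessionDocumentAccessCheck) forces users onto the native shell that Session Manager can log, at the cost of losing scp/sftp over the tunnel.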

Fixing all the Shortcomings (and Enhanced Security)

I recently became aware of BastionZero, which has fixed these problems. 

Additional Independent MFA

Their product adds an additional, independent MFA to the authentication process. This means that if Okta (for example) were compromised, or an employee fell victim to credential stuffing plus MFA push bombing, your infrastructure stays secure, as there is a separate, independent MFA to BastionZero.

I put together a little video that shows how it works:

Targets

The BastionZero product is easy to deploy and will autodiscover your assets.

Policy Management

Their product also provides an easy way to manage which end users can access what asset (and role).

SSH Session Recording

Regular SSM does not record SSH sessions, but BastionZero does! Here is an example of how to view your recordings: