Deepfence is setting a very high bar in the Cloud Native Workload Protection (CNWP) space. Their offering is purpose-built for protecting your internet-connected containerized workloads. This is a tool built for the Information Security teams that have to protect production environments.
I love it when companies have live sandbox environments that you can play around in!
To access Deepfence’s ThreatStryker Sandbox sign up here
I will be going over some cool stuff that I saw in the Sandbox and providing a hyperlink so you can follow along too.
Alerts
The alert overview screen lets you see actual attacks on your infrastructure.
https://threatstryker.deepfence.show/#/alert
Viewing the list of alerts, I spotted what looked like a web request that led to execution of a shell, /bin/sh!
Opening up the alert, there is a lot of detail, including the full HTTP body!
This is interesting, but it is unclear whether the shell actually executed. I think I may need to check my logs to determine that. Let’s keep scrolling down…
There is a graph showing various hits for different attack techniques… one is a high-level alert for Lateral Movement!
LATERAL MOVEMENT ALERT!!!
After double-clicking the red dot in the “Lateral Movement” row, we are brought to the Trojan alert details. I love the detail here, but I’m not sure if the system actually executed the payload. I would need to look at the system logs.
Vulnerabilities
I like that Deepfence shows the most vulnerable attack paths.
https://threatstryker.deepfence.show/#/vulnerability/vulnerabilities
Clicking the first item I see that a container is running that is susceptible to the log4j vulnerability.
Topology
This is one of the coolest features of ThreatStryker. An interactive node graph of your environment, including calls to external environments!
https://threatstryker.deepfence.show/#/topology/cloud
Let’s click some nodes!
AWS Node
It appears that we have a few arrows going to AWS, and AWS is talking to the internet and some third party services.
Hosts Inside AWS
What’s this? We have infrastructure running in AWS?
Three hosts have been discovered:
Double-clicking “deepfence-poc-agent-1” reveals three containers running on the host.
Container info
Double-clicking on the “wordpress_wordpress_1” container reveals some information in the frame on the right of the page. I can see a breakdown of vulnerabilities by severity, a list of running processes, and the Docker labels.
Double-clicking on the vulnerabilities graphic brings up a list of vulnerabilities for this container.
Selecting a vulnerability from the list, we get some info.
Container Scanning
Scanning containers as they are built and before deployment is always a good idea. Deepfence supports many registries:
https://threatstryker.deepfence.show/#/registry_vulnerability_scan
Integrity Monitoring
You can create custom rules to alert on file modification or access to specific paths on disk.
https://threatstryker.deepfence.show/#/topology/cloud
Secrets
I like that Deepfence will look for secrets on the disk of the containers.
https://threatstryker.deepfence.show/#/secret-scan/scans
Below is an overview of the secrets found.
I click on the Private Key slice.
I then bring up a list of findings for one of the containers and find the row I am interested in.
The signature found something, but it wasn’t useful, as that is the SSH key that runs sshd.
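The false positive above is the kind of thing a triage rule should absorb: a private-key signature match under sshd’s host-key path is expected, while the same match elsewhere deserves review. The scanner below is an added example written for this post, not Deepfence’s code or signatures; the PEM regex, the sshd host-key allowlist, and the sample container filesystem are all assumed or constructed.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Assumed signature: PEM headers for common private-key encodings.
PRIVATE_KEY_RE = re.compile(
    r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)
# Assumed allowlist: where sshd keeps its host keys inside a container.
SSHD_HOST_KEY_RE = re.compile(r"^/etc/ssh/ssh_host_[a-z0-9_]+_key$")


def classify_finding(path: str, content: str) -> Optional[str]:
    """None if no private key; otherwise an expected-finding tag or 'review'."""
    if not PRIVATE_KEY_RE.search(content):
        return None
    if SSHD_HOST_KEY_RE.match(path):
        return "expected:sshd-host-key"
    return "review"


def scan_tree(root: str) -> Dict[str, str]:
    """Walk a container filesystem extracted under `root`; map in-container path to verdict."""
    findings: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                text = Path(full).read_text(errors="ignore")
            except OSError:
                continue  # unreadable or special file; skip rather than fail the scan
            inside = "/" + os.path.relpath(full, root)
            verdict = classify_finding(inside, text)
            if verdict:
                findings[inside] = verdict
    return findings


def build_demo_tree() -> str:
    """Constructed sample filesystem: one sshd host key, one stray user key, two non-keys."""
    root = tempfile.mkdtemp()
    files = {
        "etc/ssh/ssh_host_ed25519_key": "-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----\n",
        "etc/ssh/ssh_host_ed25519_key.pub": "ssh-ed25519 AAAAC3 constructed\n",
        "var/www/html/wp-config.php": "<?php define('DB_PASSWORD', 'constructed'); ?>\n",
        "root/.ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nconstructed\n-----END RSA PRIVATE KEY-----\n",
    }
    for rel, body in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root


if __name__ == "__main__":
    for path, verdict in sorted(scan_tree(build_demo_tree()).items()):
        print(f"{verdict:24} {path}")
```

Only the key under /root/.ssh is reported for review; the host key is tagged as expected and the public key and config file do not match the signature at all.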