This technical deep dive highlights key capabilities released as part of Twistlock 2.5. To learn more about what’s included with Twistlock 2.5, check out our full release blog post.

Responding to security incidents in a containerized environment represents a challenge for traditional security organizations and incident responders. Traditional tools and methods, such as disk and memory imaging, apply poorly, if at all; additionally, because containers are stateless and potentially ephemeral, the container where an incident occurred may no longer exist at the point the issue is identified. Thus, responders may not be able to gather artifacts directly from the resources involved.

In Twistlock 2.5, we are turning this challenge into an opportunity to enable IR teams in cloud native environments with the introduction of a distributed forensics framework. This framework includes a flight data recorder running on each node protected by Twistlock. This recorder keeps a rolling log of telemetry about running containers and, when a potential incident is detected, Twistlock retains relevant data for analysis. Combined with the data available in Incident Explorer, this enables responders to quickly triage an event, investigating the risk to the container, the host, and the environment.

Assessing risk

Here is a sample incident:

From here, we can quickly assess configuration and vulnerability risks. For example, we could see if the container is scheduled to run privileged, which would represent a risk of a breakout to the host. In this case, sensitive data (our MySQL password) is exposed in an environment variable:

We can also triage vulnerabilities in the image that the container is based on, helping us understand potential vectors of attack:

Finally, we can see how the container fits into the larger environment. This container has access to our MySQL container; however, it also has access to our HashiCorp Vault, which may represent a very serious risk. While compromise of a web app and database may result in the loss of data within that application, compromise of the secrets vault probably threatens data across the entire ecosystem.

Flight data recorder: Viewing forensic data

From here, we can also access a view of the flight data that was recorded for the container where the potential incident was detected. In the Twistlock Console, we can see an abbreviated (500 lines) view; however, we can also download a fuller set of data for analysis.

In this incident, a Struts2 vulnerability was used to compromise a running container. In the forensic data, we can walk through and reconstruct various actions that the attackers took:

In this snippet, we can see that /etc/password was copied and exfiltrated (by using curl to send it to an external website).

Conclusion

While containers represent disruption to many incident response approaches, Twistlock 2.5 provides responders with the ability to automate gathering relevant data automatically and at scale. By integrating cloud native forensics with Incident Explorer, we hope to enable a more comprehensive, autonomous, and actionable approach to IR.

To learn more about how Twistlock secures your applications, check out some of my related blog posts:

← Back to All Posts Next Post →