Commander-in-chief for Docker Security

Rajesh Nikam, Qualys

In recent years, the DevOps revolution around microservice architecture has been a boon for the development of enterprise software applications. Container technology provides the best options for packaging and deploying applications. From a security standpoint, it gives isolation for these containerized applications and is fundamentally more secure by default. However, it has also opened up new frontiers for cyber attackers to take advantage of these lucrative opportunities, as was the case when Docker images were tampered with for cryptomining and to provide a reverse shell, which went unnoticed for almost a year.

Implicit trust in Docker Hub, orchestration mechanisms and open public repositories, together with the open-source code ecosystem, could be targeted by attackers to stage more sophisticated attacks where there is limited availability of security solutions. Security solutions for this dynamic and evolving ecosystem are still in their early phases.

In this paper, I will share a practical approach to creating a baseline of normal behavior for every container using machine learning models, with sensors based on communication with the host environment and between clusters, access and privilege changes, application activities, etc. Based on real-world attack scenarios, I will show how these models could be used to detect behavior anomalies and kill-chain stages like lateral movement and data exfiltration. This would help to identify zero-day attacks against the Docker ecosystem and make it more secure.

Rajesh Nikam

Rajesh Nikam works as Sr. Manager, Malware Research Lab, at Qualys, providing generic coverage of emerging threats for the Qualys IOC product. He is involved in product research to add and improve detection capabilities. He has over 18 years of experience in security product development, malware analysis, reverse engineering and implementing automation. He has previously worked with Symantec and Quick Heal Technologies.

The Dynamic Security Ecosystem
Other Topics