Deepfence Cloud Native Workload Protection for InfoSec Pros

May 21, 2022

Deepfence is setting a very high bar in the Cloud Native Workload Protection (CNWP) space. Their offering is purpose-built for protecting your internet-connected containerized workloads. This is a tool built for the Information Security teams that have to protect production environments.

I love it when companies have live sandbox environments that you can play around in!

To access Deepfence’s ThreatStryker Sandbox, sign up here.

I will be going over some cool stuff that I saw in the Sandbox and providing hyperlinks so you can follow along too.

Alerts

The alert overview screen lets you see actual attacks on your infrastructure.

https://threatstryker.deepfence.show/#/alert

Viewing the list of alerts, I spotted what looked like a web request that led to execution of a shell (/bin/sh)!

Opening up the alert, there is a lot of detail, including the full HTTP body!

This is interesting, but it is unclear whether the shell actually executed. I think I may need to check my logs to determine that. Let’s keep scrolling down.

There is a graph showing hit counts for different attack techniques; one is a high-level alert for Lateral Movement!

LATERAL MOVEMENT ALERT!!!

After double clicking the red dot in the “Lateral Movement” row, we are brought to the Trojan alert details. I love the detail here, but I’m not sure if the system actually executed the payload. I would need to look at the system logs.
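The open question in this section is whether the shell flagged in the HTTP alert actually ran. The check that answers it is a correlation between the alert and the host's process-execution telemetry: did the web server process spawn /bin/sh on that host and container shortly after the request? The following is an added example of that correlation, not Deepfence's code. The alert fields, the key=value log format and the sample events are all constructed for illustration; in practice the execution events would come from auditd, an eBPF tracer or the runtime's own process telemetry.

```python
import re
from datetime import datetime, timedelta

# Constructed alert record modelled on the "web request led to /bin/sh" alert
# above. Field names are assumptions, not the product's alert schema.
ALERT = {
    "ts": "2022-05-20T10:15:02Z",
    "host": "deepfence-poc-agent-1",
    "container": "wordpress_wordpress_1",
    "matched": "/bin/sh",  # the string the signature fired on in the HTTP body
}

# Constructed process-execution events in a simple key=value format.
# Only the shape of the data matters; a real source would be auditd or eBPF.
SAMPLE_EXEC_LOG = """\
2022-05-20T10:15:03Z host=deepfence-poc-agent-1 container=wordpress_wordpress_1 ppid=412 pcomm=apache2 pid=9981 comm=sh exe=/bin/sh
2022-05-20T10:15:03Z host=deepfence-poc-agent-1 container=wordpress_wordpress_1 ppid=9981 pcomm=sh pid=9982 comm=id exe=/usr/bin/id
2022-05-20T10:20:00Z host=deepfence-poc-agent-1 container=wordpress_db_1 ppid=1 pcomm=mysqld pid=77 comm=sh exe=/bin/sh
2022-05-20T10:15:10Z host=deepfence-poc-agent-2 container=wordpress_wordpress_1 ppid=412 pcomm=apache2 pid=51 comm=sh exe=/bin/sh
"""

# Processes that legitimately handle inbound requests. A shell spawned directly
# by one of them is what turns "suspicious request" into "confirmed execution".
WEB_PARENTS = {"apache2", "httpd", "nginx", "php-fpm"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_ts(ts):
    # fromisoformat() only accepts a trailing "Z" on Python 3.11+, so normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_exec_line(line):
    """Turn one key=value log line into a dict; returns None for blank lines."""
    line = line.strip()
    if not line:
        return None
    m = LINE_RE.match(line)
    event = {"ts": parse_ts(m.group("ts"))}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def confirm_execution(alert, exec_log, window_seconds=30):
    """Return the execution events that corroborate the alert.

    An event corroborates when it is on the same host and container, runs the
    binary named in the alert, was spawned by a web-serving parent, and lands
    within `window_seconds` after the alert timestamp.
    """
    start = parse_ts(alert["ts"])
    end = start + timedelta(seconds=window_seconds)
    hits = []
    for line in exec_log.splitlines():
        ev = parse_exec_line(line)
        if ev is None:
            continue
        if ev.get("host") != alert["host"] or ev.get("container") != alert["container"]:
            continue
        if ev.get("exe") != alert["matched"] or ev.get("pcomm") not in WEB_PARENTS:
            continue
        if start <= ev["ts"] <= end:
            hits.append(ev)
    return {"executed": bool(hits), "events": hits}


if __name__ == "__main__":
    verdict = confirm_execution(ALERT, SAMPLE_EXEC_LOG)
    print("shell executed:", verdict["executed"])
    for ev in verdict["events"]:
        print(f"  {ev['ts'].isoformat()} pid={ev['pid']} parent={ev['pcomm']} exe={ev['exe']}")
```

Against the constructed events only the first line corroborates: the second is a child of the shell rather than of the web server, the third is a different container outside the window with a database parent, and the fourth is on a different host. The window size is the main tuning knob; too narrow and a slow request-to-exec path is missed, too wide and unrelated shells get attributed to the request.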

Vulnerabilities

I like that Deepfence shows the most vulnerable attack paths.

https://threatstryker.deepfence.show/#/vulnerability/vulnerabilities

Clicking the first item, I see that a container is running that is susceptible to the Log4j vulnerability.

Topology

This is one of the coolest features of ThreatStryker. An interactive node graph of your environment, including calls to external environments!

https://threatstryker.deepfence.show/#/topology/cloud

Let’s click some nodes!

AWS Node

It appears that we have a few arrows going to AWS, and AWS is talking to the internet and some third party services.

Hosts Inside AWS

What’s this? We have infrastructure running in AWS?

Three hosts have been discovered:

Double clicking “deepfence-poc-agent-1” reveals three containers running on the host.

Container info

Double clicking on the “wordpress_wordpress_1” container reveals some information in the frame on the right of the page. I can see a breakdown of vulnerabilities by severity, a list of running processes, and the Docker labels.

Double clicking on the vulnerabilities graphic brings up a list of vulnerabilities for this container.

Selecting a vulnerability from the list brings up its details.

Container Scanning

Scanning containers as they are built and before deployment is always a good idea. Deepfence supports many registries:

https://threatstryker.deepfence.show/#/registry_vulnerability_scan

Integrity Monitoring

You can create custom rules to alert on file modification or access to specific paths on disk.

https://threatstryker.deepfence.show/#/topology/cloud
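To show what a path-based integrity rule actually does underneath, here is an added example (my own code, not Deepfence's rule engine or syntax) that baselines the SHA-256 digests of every file under a set of watched path prefixes, then reports files that were modified, added or deleted within those prefixes while ignoring changes elsewhere. The watched prefixes, the file tree and the tampering are all constructed inside a temporary directory so the script runs offline. Hashing like this catches modification only; alerting on mere access to a path needs a kernel-side source such as auditd, inotify or eBPF, which this example does not cover.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed rule: path prefixes (relative to the scanned root) to watch.
WATCHED_PREFIXES = ("etc/", "usr/bin/")


def watched(relpath, prefixes=WATCHED_PREFIXES):
    """True when a rule covers this relative path."""
    return any(relpath.startswith(p) for p in prefixes)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, prefixes=WATCHED_PREFIXES):
    """Map every watched file under `root` to its SHA-256 digest."""
    root = Path(root)
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if watched(rel, prefixes):
                baseline[rel] = sha256_file(p)
    return baseline


def check_integrity(root, baseline, prefixes=WATCHED_PREFIXES):
    """Compare the current state of the watched paths against `baseline`."""
    current = build_baseline(root, prefixes)
    return {
        "modified": {p for p in baseline if p in current and current[p] != baseline[p]},
        "added": set(current) - set(baseline),
        "deleted": set(baseline) - set(current),
    }


def demo():
    """Create a throwaway tree, baseline it, tamper with it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed file contents; the ELF line is a placeholder, not a binary.
        files = {
            "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
            "etc/ssh/sshd_config": b"PermitRootLogin no\n",
            "usr/bin/ls": b"\x7fELF constructed placeholder\n",
            "var/log/app.log": b"started\n",  # not covered by any rule
        }
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        baseline = build_baseline(root)

        # Simulated changes: a watched file edited, a watched file added, a
        # watched file removed, and an unwatched log appended to.
        with open(root / "etc/passwd", "ab") as f:
            f.write(b"svc:x:1001:1001::/home/svc:/bin/sh\n")
        (root / "etc/cron.d").mkdir(parents=True, exist_ok=True)
        (root / "etc/cron.d/newjob").write_bytes(b"* * * * * root /usr/local/bin/task\n")
        (root / "usr/bin/ls").unlink()
        with open(root / "var/log/app.log", "ab") as f:
            f.write(b"request served\n")
        return check_integrity(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {sorted(paths)}")
```

The unwatched log file changes too but produces no finding, which is the point of scoping rules to specific paths: a noisy /var/log would otherwise drown out the edit to /etc/passwd.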

Secrets

I like that Deepfence will look for secrets on the disk of the containers.

https://threatstryker.deepfence.show/#/secret-scan/scans

Below is an overview of the secrets found.

I click on the Private Key slice.

I then bring up a list of findings for one of the containers and find the row I am interested in.

The signature found something, but it wasn’t useful, as that is the SSH host key used by sshd.
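The host-key hit above is the classic secret-scanning false positive: the signature is right that a private key is on disk, but a key at sshd's own path is expected. The following is an added example, not Deepfence's scanner or its rule set, showing the two halves of that workflow: signature matching over a container filesystem snapshot, then path-based triage that keeps the sshd host key as informational while leaving a key dropped under the web root, a WordPress database password and an AWS access key ID as actionable. The file contents are constructed; the key material is a placeholder and the AWS key ID is the documented example value, not a real credential.

```python
import re

# Constructed snapshot of a few files from a container's filesystem.
CONTAINER_FILES = {
    "/etc/ssh/ssh_host_ed25519_key": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n<constructed key material>\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "/etc/ssh/ssh_host_ed25519_key.pub": "ssh-ed25519 AAAA<constructed> root@host\n",
    "/var/www/html/wp-content/uploads/backup/deploy_key": (
        "-----BEGIN RSA PRIVATE KEY-----\n<constructed key material>\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "/var/www/html/wp-config.php": "<?php\ndefine('DB_PASSWORD', 'constructed-example');\n",
    "/root/.aws/credentials": (
        "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = <constructed>\n"
    ),
    "/usr/share/doc/readme.txt": "Nothing to see here.\n",
}

# Signatures: PEM private-key header, WordPress DB password define, AWS key ID.
SIGNATURES = {
    "private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
    ),
    "wordpress_db_password": re.compile(r"define\(\s*'DB_PASSWORD'\s*,\s*'[^']+'\s*\)"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Triage rules: a private key at sshd's host-key path is expected, so it is
# recorded but not raised as a leaked secret.
EXPECTED = [
    (re.compile(r"^/etc/ssh/ssh_host_[a-z0-9]+_key$"), "sshd host key"),
]


def scan(files):
    """Run every signature over every file; return one finding per match."""
    findings = []
    for path, content in files.items():
        for kind, rx in SIGNATURES.items():
            for m in rx.finditer(content):
                line = content.count("\n", 0, m.start()) + 1
                findings.append({"path": path, "kind": kind, "line": line})
    return findings


def triage(findings):
    """Split findings into actionable and expected (suppressed) by path."""
    actionable, suppressed = [], []
    for f in findings:
        reason = next((why for rx, why in EXPECTED if rx.match(f["path"])), None)
        if reason:
            suppressed.append({**f, "reason": reason})
        else:
            actionable.append(f)
    return actionable, suppressed


if __name__ == "__main__":
    actionable, suppressed = triage(scan(CONTAINER_FILES))
    for f in actionable:
        print(f"ACTION  {f['kind']:<22} {f['path']}:{f['line']}")
    for f in suppressed:
        print(f"expected {f['kind']:<21} {f['path']}:{f['line']} ({f['reason']})")
```

Suppressing by exact path rather than by signature is deliberate: the same PEM signature that is noise at /etc/ssh/ssh_host_ed25519_key is exactly what you want to hear about when it fires under a web-served uploads directory.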