Deepfence is setting a very high bar in the Cloud Native Workload Protection (CNWP) space. Their offering is purpose-built for protecting your internet-connected containerized workloads. This is a tool built for the Information Security teams that have to protect production environments.
I love it when companies have a live sandbox environment that you can play around in!
To access Deepfence’s ThreatStryker Sandbox, sign up here.
I will be going over some cool stuff that I saw in the Sandbox and providing a hyperlink so you can follow along too.
Alerts
The alert overview screen lets you see actual attacks on your infrastructure.
https://threatstryker.deepfence.show/#/alert
Viewing the list of alerts, I spotted what looked like a web request that led to execution of the shell /bin/sh!
![](https://brakertech.com/wp-content/uploads/2022/05/image-16-1024x789.png)
Opening up the alert there is a lot of detail, including the full HTTP body!
![](https://brakertech.com/wp-content/uploads/2022/06/image.png)
This is interesting, but it is unclear if the shell actually executed. I think I may need to check my logs to determine that. Let’s keep scrolling down…
There is a graph showing various hits for different attack techniques… one is a high level alert for Lateral Movement!
LATERAL MOVEMENT ALERT!!!
![](https://brakertech.com/wp-content/uploads/2022/05/image-19-1024x624.png)
After double clicking the red dot in the “Lateral Movement” row, we are brought to the Trojan alert details. I love the detail here, but I’m not sure if the system actually executed the payload. I would need to look at the system logs.
![](https://brakertech.com/wp-content/uploads/2022/05/image-20-1024x763.png)
![](https://brakertech.com/wp-content/uploads/2022/05/image-21-1024x763.png)
Vulnerabilities
I like that Deepfence shows the most vulnerable attack paths.
https://threatstryker.deepfence.show/#/vulnerability/vulnerabilities
![](https://brakertech.com/wp-content/uploads/2022/05/image-24-1024x699.png)
Clicking the first item I see that a container is running that is susceptible to the log4j vulnerability.
![](https://brakertech.com/wp-content/uploads/2022/05/image-25-1024x763.png)
Topology
This is one of the coolest features of ThreatStryker. An interactive node graph of your environment, including calls to external environments!
https://threatstryker.deepfence.show/#/topology/cloud
Let’s click some nodes!
AWS Node
It appears that we have a few arrows going to AWS, and AWS is talking to the internet and some third party services.
![](https://brakertech.com/wp-content/uploads/2022/05/image-10-1024x632.png)
Hosts Inside AWS
What’s this? We have infrastructure running in AWS?
Three hosts have been discovered:
![](https://brakertech.com/wp-content/uploads/2022/05/image-9-1024x609.png)
Double clicking “deepfence-poc-agent-1” reveals three containers running on the host.
![](https://brakertech.com/wp-content/uploads/2022/05/image-12-1024x599.png)
Container info
Double clicking on the “wordpress_wordpress_1” container reveals some information in the frame on the right of the page. I can see a breakdown of vulnerabilities by severity, a list of processes running, and the docker labels.
![](https://brakertech.com/wp-content/uploads/2022/05/image-13-1024x762.png)
Double clicking on the vulnerabilities graphic brings up a list of vulnerabilities for this container.
![](https://brakertech.com/wp-content/uploads/2022/05/image-14-1024x635.png)
Selecting a vulnerability from the list, we get some info.
![](https://brakertech.com/wp-content/uploads/2022/05/image-15-1024x764.png)
Container Scanning
Scanning containers as they are built and before deployment is always a good idea. Deepfence supports many registries:
https://threatstryker.deepfence.show/#/registry_vulnerability_scan
![](https://brakertech.com/wp-content/uploads/2022/05/image-3.png)
Integrity Monitoring
You can create custom rules to alert on file modification or access to specific paths on disk.
https://threatstryker.deepfence.show/#/topology/cloud
![](https://brakertech.com/wp-content/uploads/2022/05/image-4.png)
![](https://brakertech.com/wp-content/uploads/2022/05/image-5.png)
Secrets
I like that Deepfence will look for secrets on the disk of the containers.
https://threatstryker.deepfence.show/#/secret-scan/scans
Below is an overview of the secrets found.
![](https://brakertech.com/wp-content/uploads/2022/05/image-28-1024x763.png)
I click on the Private Key slice.
I then bring up a list of findings for one of the containers and find the row I am interested in.
![](https://brakertech.com/wp-content/uploads/2022/05/image-29-1024x763.png)
The signature found something, but it wasn’t useful, as that is the SSH host key used by sshd.
![](https://brakertech.com/wp-content/uploads/2022/05/image-30-1024x763.png)
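The host-key hit above is the classic secret-scan false positive: a real PEM private key that is expected to be there. As an added example (not Deepfence’s code), the snippet below walks a container filesystem for PEM private-key blocks and separates findings at the standard OpenSSH host-key location (/etc/ssh/ssh_host_*_key) from ones that still need review; the sample filesystem it builds is constructed for the demo.

```python
"""Triage helper for private-key findings from a container secret scan.

Added example, not Deepfence's code. Finds PEM private-key blocks under a
root filesystem and marks sshd's own host keys as expected so that only
stray keys (deploy keys, user keys baked into the image) need review.
"""
import re
import tempfile
from pathlib import Path

# Header line of PEM-encoded private keys (RSA, EC, OPENSSH, PKCS#8 "PRIVATE KEY").
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
# Default OpenSSH host-key location; a key here in an image that runs sshd is expected.
SSHD_HOST_KEY = re.compile(r"^/etc/ssh/ssh_host_[a-z0-9]+_key$")


def classify(rel_path: str) -> str:
    """Label a private-key finding by where it lives in the image."""
    return "expected-sshd-host-key" if SSHD_HOST_KEY.match(rel_path) else "review"


def scan_rootfs(rootfs: str) -> list[tuple[str, str]]:
    """Return sorted (path, classification) pairs for every PEM private key under rootfs."""
    root = Path(rootfs)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        try:
            head = p.read_bytes()[:4096]  # the PEM header sits at the top of the file
        except OSError:
            continue
        if PEM_PRIVATE_KEY.search(head):
            rel = "/" + p.relative_to(root).as_posix()
            findings.append((rel, classify(rel)))
    return sorted(findings)


def build_sample_rootfs() -> str:
    """Constructed sample filesystem: an sshd host key, a config file, and a stray deploy key."""
    d = tempfile.mkdtemp()
    files = {
        "etc/ssh/ssh_host_ed25519_key": b"-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA-fake-\n-----END OPENSSH PRIVATE KEY-----\n",
        "var/www/html/wp-config.php": b"<?php define('DB_NAME', 'wordpress');\n",
        "root/.ssh/deploy_key": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE-fake-\n-----END RSA PRIVATE KEY-----\n",
    }
    for rel, content in files.items():
        path = Path(d, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    return d


if __name__ == "__main__":
    for path, verdict in scan_rootfs(build_sample_rootfs()):
        print(f"{verdict:24} {path}")
```

Running it on the constructed tree reports the ed25519 host key as expected and leaves only the deploy key in /root/.ssh for review.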