Aqua Security Introduces Dynamic Threat Analysis for Containers, Mitigating Risks of Sophisticated Malware Attacks
April 24, 2020Aqua Security announced today Aqua Dynamic Threat Analysis (DTA), a new product offering that protects container-based environments against sophisticated malware that can only be detected using dynamic analysis of a running container, and available as an option within Aqua’s Cloud Native Security Platform (CSP). The company also announced enhancements to its CSPM SaaS platform (based on its acquisition of CloudSploit in 2019), which now includes Aqua DTA, image vulnerability scanning, and expanded support for cloud environments.
Aqua DTA is currently available in preview, with general availability expected later this quarter.
The Rising Threat of Image-Based Malware
Over the past year, the Aqua Security cyber research team has uncovered increasingly sophisticated attacks on containers that use obfuscation and evasion techniques to avoid detection by static scanners. Such attacks utilize novel, innocuous-looking images to embed their own code, which is often encrypted or deployed as polymorphic malware to avoid detection. The malicious behavior of the image can only be observed when it runs as a container.
“We’ve been seeing organized attacks that aim for cryptocurrency mining, credential theft, data exfiltration, or using containers for DDoS attacks.” says Amir Jerbi, CTO and co-founder of Aqua. “To achieve these objectives, the container will exhibit a variety of suspicious behaviors, such as unpacking malicious payloads during runtime, opening reverse shell, executing malware from memory to avoid detection, connecting to known command & control servers, and more. By identifying these behaviors before deploying images, Aqua DTA ‘shifts left’ what used to be done only as a late response to incidents during runtime,” he added.
Aqua DTA addresses these risks by automatically running images in a secure sandboxed environment, then analyzing, tracing, and classifying the detected behaviors. The sandbox prevents the malware from doing any harm to other workloads and resources on the host or network. Using Aqua DTA allows security and DevOps teams to improve the security of their software supply chain and reduce risk to runtime environments.
Aqua DTA is recommended to address the following needs:
- Approving public images and their open source packages – as part of the security policies of your software development life cycle (SDLC).
- Approving ISV’s third-party Images – scanning third-party images from independent software vendors before introducing them into the organization.
- Pre-production security gate – scanning release candidate images before they are promoted to production from CI/CD pipelines or registries, as an added layer of protection.
- Analysis and forensics – quickly analyzing image runtime behavior to understand anomalies or perform forensics after a suspected incident.
Within Aqua’s Cloud Native Security Platform, DTA can be configured to automatically scan only images within a specific scope, for example according to a label or within a named registry.
Combining CSPM and CWPP for Seamless Cloud-Native Security
Aqua has also revamped its cloud security posture management (CSPM) solution, following its acquisition of CloudSploit in 2019. The new solution is now called Aqua CSPM, and includes Preview versions of both Aqua DTA, as well as integrated container image vulnerability scanning based on Aqua’s Trivy open source scanner. The vulnerability scanner included in the preview currently supports AWS environments, with additional registry support planned throughout the year.
Aqua is the first and only solution that extends CSPM into cloud native security with an integrated offering that discovers container image registries, scans images for vulnerabilities, and detect hidden malware threats in a single, seamless workflow. These capabilities go beyond securing the cloud infrastructure to secure the applications running on it, typically the function of Cloud Workload Protection Platforms (CWPP).
In a recent report*, Gartner recommends that “SRM leaders looking to improve their cloud workload protection should: Consider a comprehensive cloud-native application protection platform that combines the needs mentioned above – container scanning, serverless scanning, CWPP and CSPM – in a single platform.”
The report names Aqua Security as one of three example vendors that converge CWPP and CSPM capabilities.
Additional recent enhancements to Aqua CSPM include:
- General Availability of its support for Google Cloud and Oracle Cloud environments
- Scanning of Terraform templates in addition to the previously available AWS CloudFormation templates, enhancing security control over Infrastructure-as-Code (IaC) tooling
- Automated GDPR compliance reports, facilitating compliance with the European privacy requirements