A high-level overview of Container Threat Detection concepts and features.
What is Container Threat Detection?
Container Threat Detection is a built-in service for the Security Command Center Premium tier that continuously monitors the state of container images, evaluating all changes and remote access attempts to detect runtime attacks in near-real time.
Container Threat Detection can detect the most common container runtime attacks and alert you in Security Command Center and optionally in Cloud Logging. Container Threat Detection includes several detection capabilities, an analysis tool, and an API.
How Container Threat Detection works
Container Threat Detection detection instrumentation collects low-level behavior in the guest kernel. When events are detected:
Event information and information that identifies the container is passed for analysis through user mode to a detector service. Event export is configured automatically when Container Threat Detection is enabled.
The detector service analyzes events to determine whether an event is indicative of an incident.
If the detector service identifies an incident, the incident is written as a finding in Security Command Center, and optionally to Cloud Logging.
- If the detector service doesn't identify an incident, then finding information isn't stored.
- All data in the kernel and detector service is ephemeral and isn't persistently stored.
You can view finding details in the Security Command Center dashboard and investigate finding information.
Container Threat Detection detectors
Container Threat Detection includes the following detectors:
|Detector||Description||Inputs to detection|
|Added Binary Executed||
A binary that was not part of the original container image was executed.
If an added binary is executed by an attacker, it's a possible sign that an attacker has control of the workload and they are executing arbitrary commands.
|The detector looks for a binary being executed that was not part of the original container image, or was modified from the original container image.|
|Added Library Loaded||
A library that was not part of the original container image was loaded.
If an added library is loaded, it's a possible sign that an attacker has control of the workload and they are executing arbitrary code.
|The detector looks for a library being loaded that was not part of the original container image, or was modified from the original container image.|
A process started with stream redirection to a remote connected socket.
With a reverse shell, an attacker can communicate from a compromised workload to an attacker-controlled machine. The attacker can then command and control the workload to perform desired actions, for example, as part of a botnet.
|The detector looks for `stdin` bound to a remote socket.|