This page provides a high-level overview of Container Threat Detection concepts and features.
What is Container Threat Detection?
Container Threat Detection is a built-in service of Security Command Center that continuously monitors the state of Container-Optimized OS node images. The service evaluates all changes and remote access attempts to detect runtime attacks in near-real time.
Container Threat Detection detects the most common container runtime attacks and alerts you in Security Command Center and, optionally, in Cloud Logging. Container Threat Detection includes several detection capabilities, including suspicious binaries and libraries, and uses natural language processing (NLP) to detect malicious Bash and Python code.
Container Threat Detection is available only with the Premium tier or Enterprise tier of Security Command Center.
How Container Threat Detection works
Container Threat Detection detection instrumentation collects low-level behavior in the guest kernel and executed scripts. The following is the execution path when events are detected:
Container Threat Detection passes event information and information that identifies the container through a user mode DaemonSet to a detector service for analysis. Event collection is configured automatically when Container Threat Detection is enabled.
The watcher DaemonSet passes container information in a best effort manner. Container information can be dropped from the reported finding if the Kubernetes and the container runtime fail to deliver the corresponding container information in time.
The detector service analyzes events to determine whether an event is indicative of an incident. The Bash and Python scripts are analyzed with NLP to determine if the executed code is malicious.
If the detector service identifies an incident, the incident is written as a finding in Security Command Center and, optionally, to Cloud Logging.
- If the detector service doesn't identify an incident, then finding information isn't stored.
- All data in the kernel and detector service is ephemeral and isn't persistently stored.
You can view finding details in the Security Command Center console and investigate finding information. Your ability to view and edit findings is determined by the roles you are granted. For more information on Security Command Center roles, see Access control.
Considerations
Other security detection tools that are installed in your cluster can impair the performance of Container Threat Detection and cause it to malfunction. We recommend that you not have any other security detection tools installed in your cluster if the cluster is already protected by Container Threat Detection.
Container Threat Detection detectors
Container Threat Detection includes the following detectors:
| Detector | Description | Inputs to detection |
|---|---|---|
| Added Binary Executed |
A binary that was not part of the original container image was executed. If an added binary is executed by an attacker, it's a possible sign that an attacker has control of the workload and they are executing arbitrary commands. This detector is disabled by default. For instructions on how to enable it, see Testing Container Threat Detection. |
The detector looks for a binary being executed that was not part of the original container image, or was modified from the original container image. |
| Added Library Loaded |
A library that was not part of the original container image was loaded. If an added library is loaded, it's a possible sign that an attacker has control of the workload and they are executing arbitrary code. This detector is disabled by default. For instructions on how to enable it, see Testing Container Threat Detection. |
The detector looks for a library being loaded that was not part of the original container image, or was modified from the original container image. |
| Credential Access: Search Private Keys or Passwords |
A command was executed to search for private keys, passwords, or other sensitive credentials within the container environment, indicating a potential attempt to harvest authentication data. Attackers often search for credential files to gain unauthorized access to systems, escalate privileges, or move laterally within the environment. Detecting such activity is critical to preventing security breaches. |
This detector monitors for known commands used to locate private keys, passwords, or credential files. The presence of such searches within a containerized environment may suggest reconnaissance efforts or an active compromise. |
| Execution: Added Malicious Binary Executed |
A binary that meets the following conditions was executed:
If an added malicious binary is executed, it's a strong sign that an attacker has control of the workload and they are executing malicious software. |
The detector looks for a binary being executed that was not part of the original container image, and was identified as malicious based on threat intelligence. |
| Execution: Added Malicious Library Loaded |
A library that meets the following conditions was loaded:
If an added malicious library is loaded, it's a strong sign that an attacker has control of the workload and they are executing malicious software. |
The detector looks for a library being loaded that was not part of the original container image, and was identified as malicious based on threat intelligence. |
| Execution: Built in Malicious Binary Executed |
A binary that meets the following conditions was executed:
If a built in malicious binary is executed, it's a sign that the attacker is deploying malicious containers. They may have gained control of a legitimate image repository or container build pipeline and injected a malicious binary into the container image. |
The detector looks for a binary being executed that was included in the original container image, and was identified as malicious based on threat intelligence. |
| Execution: Container Escape |
A process was executed within the container that attempted to break out of the container's isolation, potentially giving the attacker access to the host system. If a container escape attempt is detected, it might indicate that an attacker is exploiting vulnerabilities to break out of the container. As a result, the attacker might gain unauthorized access to the host system or broader infrastructure, compromising the entire environment. |
The detector monitors for processes attempting to exploit container boundaries that use known escape techniques or binaries. These processes are flagged by threat intelligence as potential attacks that target the underlying host system. |
| Execution: Kubernetes Attack Tool Execution |
A Kubernetes-specific attack tool was executed within the environment, which could indicate that an attacker is targeting Kubernetes cluster components. If an attack tool is executed within the Kubernetes environment, it could suggest that an attacker has gained access to the cluster and is using the tool to exploit Kubernetes-specific vulnerabilities or configurations. |
The detector looks for Kubernetes attack tools that are being executed and are identified as potential threats based on intelligence data. The detector triggers alerts to mitigate potential compromises in the cluster. |
| Execution: Local Reconnaissance Tool Execution |
A local reconnaissance tool not typically associated with the container or environment was executed, suggesting an attempt to gather internal system information. If a reconnaissance tool is executed, it suggests that the attacker may be trying to map out the infrastructure, identify vulnerabilities, or collect data on system configurations to plan their next steps. |
The detector monitors for known reconnaissance tools being executed within the environment, identified through threat intelligence, which could indicate preparation for more malicious activities. |
| Execution: Malicious Python executed |
A machine learning model identified the specified Python code as malicious. Attackers can use Python to transfer tools or other files from an external system into a compromised environment and execute commands without binaries. |
The detector uses NLP techniques to evaluate the content of executed Python code. Because this approach is not based on signatures, detectors can identify known and novel Python. |
| Execution: Modified Malicious Binary Executed |
A binary that meets the following conditions was executed:
If a modified malicious binary is executed, it's a strong sign that an attacker has control of the workload and they are executing malicious software. |
The detector looks for a binary being executed that was originally included in the container image but modified during runtime, and was identified as malicious based on threat intelligence. |
| Execution: Modified Malicious Library Loaded |
A library that meets the following conditions was loaded:
If a modified malicious library is loaded, it's a strong sign that an attacker has control of the workload and they are executing malicious software. |
The detector looks for a library being loaded that was originally included in the container image but modified during runtime, and was identified as malicious based on threat intelligence. |
| Execution: Netcat Remote Code Execution in Container |
Netcat, a versatile networking utility, was executed within the container environment, potentially indicating an attempt to establish unauthorized remote access or exfiltrate data. The use of Netcat in a containerized environment may signal an attacker's effort to create a reverse shell, enable lateral movement, or execute arbitrary commands, which could compromise system integrity. |
The detector monitors for Netcat execution within the container, because its use in production environments is uncommon and may signal an attempt to bypass security controls or execute remote commands. |
| Execution: Program Run with Disallowed HTTP Proxy Env |
A program was executed with an HTTP proxy environment variable that is disallowed. This can indicate an attempt to bypass security controls, redirect traffic for malicious purposes, or exfiltrate data through unauthorized channels. Attackers may configure disallowed HTTP proxies to intercept sensitive information, route traffic through malicious servers, or establish covert communication channels. Detecting the execution of programs with these environment variables is crucial for maintaining network security and preventing data breaches. |
This detector monitors for the execution of programs with HTTP proxy environment variables that are specifically disallowed. The use of these proxies, particularly when unexpected, can signify malicious activity and warrants immediate investigation. |
| Exfiltration: Launch Remote File Copy Tools in Container |
A remote file copy tool execution was detected within the container, indicating potential data exfiltration, lateral movement, or the deployment of malicious payloads. Attackers often use these tools to transfer sensitive data outside of the container, move laterally within the network to compromise other systems, or introduce malware for further malicious activities. Detecting the use of remote file copy tools is crucial for preventing data breaches, unauthorized access, and further compromise of the container and potentially the host system. |
This detector monitors for the execution of known remote file copy tools within the container environment. Their presence, especially when unexpected, may indicate malicious activity. |
| Impact: Remove Bulk Data From Disk |
A process was detected performing bulk data deletion operations, which may indicate an attempt to erase evidence, disrupt services, or execute a data-wiping attack within the container environment. Attackers may remove large volumes of data to cover their tracks, sabotage operations, or prepare for ransomware deployment. Detecting such activity helps in identifying potential threats before critical data loss occurs. |
The detector monitors for commands and processes associated with bulk data deletion, or other data-wiping tools, to identify suspicious activity that could compromise system integrity. |
| Impact: Suspicious crypto mining activity using the Stratum Protocol |
A process was detected communicating over the Stratum protocol, which is commonly used by cryptocurrency mining software. This activity suggests potential unauthorized mining operations within the container environment. Attackers often deploy crypto miners to exploit system resources for financial gain, leading to degraded performance, increased operational costs, and potential security risks. Detecting such activity helps mitigate resource abuse and unauthorized access. |
This detector monitors for known Stratum protocol usage within the environment. Because legitimate container workloads typically don't use Stratum, its presence may indicate unauthorized mining operations or a compromised container. |
| Malicious Script Executed |
A machine learning model identified the specified Bash code as malicious. Attackers can use Bash to transfer tools or other files from an external system into a compromised environment and execute commands without binaries. |
The detector uses NLP techniques to evaluate the content of executed Bash code. Because this approach is not based on signatures, detectors can identify known and novel malicious bash. |
| Malicious URL Observed | Container Threat Detection observed a malicious URL in the argument list of a running process. | The detector checks URLs that are observed in the argument list of running processes against the lists of unsafe web resources that are maintained by the Google Safe Browsing service. If a URL is incorrectly classified as phishing or malware, report it at Reporting Incorrect Data. |
| Reverse Shell |
A process started with stream redirection to a remote connected socket. With a reverse shell, an attacker can communicate from a compromised workload to an attacker-controlled machine. The attacker can then command and control the workload—for example, as part of a botnet. |
The detector looks for stdin bound to a remote socket.
|
| Unexpected Child Shell | A process that does not normally invoke shells spawned a shell process. | The detector monitors all process executions. When a shell is invoked, the detector generates a finding if the parent process is known to not typically invoke shells. |
What's next
- Learn about using Container Threat Detection.
- Learn about testing Container Threat Detection.
- Learn how to investigate and develop response plans for threats.
- Learn about Artifact Analysis and vulnerability scanning.