Container Threat Detection conceptual overview

This page provides a high-level overview of Container Threat Detection concepts and features.

What is Container Threat Detection?

Container Threat Detection is a built-in service for the Security Command Center Premium tier that continuously monitors the state of Container-Optimized OS node images. The service evaluates all changes and remote access attempts to detect runtime attacks in near-real time.

Container Threat Detection detects the most common container runtime attacks and alerts you in Security Command Center and, optionally, in Cloud Logging. Container Threat Detection provides several detection capabilities, including detection of suspicious binaries and libraries, and uses natural language processing (NLP) to detect malicious bash scripts.

How Container Threat Detection works

The Container Threat Detection instrumentation collects low-level behavior in the guest kernel and the content of executed bash scripts. The following is the execution path when events are detected:

  1. Container Threat Detection passes event information and information that identifies the container through a user mode DaemonSet to a detector service for analysis. Event collection is configured automatically when Container Threat Detection is enabled.

    The watcher DaemonSet passes container information in a best-effort manner. Container information can be dropped from the reported finding if Kubernetes and the container runtime fail to deliver the corresponding container information in time.

  2. The detector service analyzes events to determine whether an event is indicative of an incident. The content of bash scripts is analyzed with NLP to determine if executed scripts are malicious.

  3. If the detector service identifies an incident, the incident is written as a finding in Security Command Center and, optionally, to Cloud Logging.

    • If the detector service doesn't identify an incident, then finding information isn't stored.
    • All data in the kernel and detector service is ephemeral and isn't persistently stored.

You can view finding details in the Security Command Center dashboard and investigate finding information. Your ability to view and edit findings is determined by the roles you are granted. For more information on Security Command Center roles, see Access control.
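Findings are what you consume downstream, so here is an added example (not part of this page and not Google's code) of normalizing a Container Threat Detection finding delivered as a Security Command Center Pub/Sub notification into a triage record. The JSON field names (finding.category, severity, resourceName, eventTime, containers[].uri, kubernetes.pods[].ns/name, processes[].binary.path/args, connections[].destinationIp/destinationPort) follow the Security Command Center Finding resource as assumed here and should be verified against your own findings; the detector names are assumed to equal finding.category; the sample notifications are constructed. The example also handles the case described above where pod and container information was not delivered in time and is absent from the finding.

```python
"""Triage helper for Container Threat Detection findings arriving as Security
Command Center Pub/Sub notifications. Added example, not Google's code; field
names are assumptions taken from the SCC Finding resource, sample data is
constructed."""
import json

# Detector names as listed on this page; assumed to equal finding.category.
CTD_CATEGORIES = {
    "Added Binary Executed",
    "Added Library Loaded",
    "Execution: Added Malicious Binary Executed",
    "Execution: Added Malicious Library Loaded",
    "Execution: Built in Malicious Binary Executed",
    "Execution: Modified Malicious Binary Executed",
    "Execution: Modified Malicious Library Loaded",
    "Malicious Script Executed",
    "Malicious URL Observed",
    "Reverse Shell",
    "Unexpected Child Shell",
}

# Detectors this page describes as a "strong sign" of attacker control.
STRONG_SIGNAL = {
    "Execution: Added Malicious Binary Executed",
    "Execution: Added Malicious Library Loaded",
    "Execution: Modified Malicious Binary Executed",
    "Execution: Modified Malicious Library Loaded",
}

DROPPED = "unknown (container info not delivered in time)"


def summarize(notification: dict):
    """Flatten one notification into a triage record; None if not a CTD finding."""
    finding = notification.get("finding") or {}
    category = finding.get("category", "")
    if category not in CTD_CATEGORIES:
        return None
    # Pod/container context is passed best-effort by the watcher DaemonSet and
    # can be missing from a finding, so never index into it unguarded.
    pods = (finding.get("kubernetes") or {}).get("pods") or []
    containers = finding.get("containers") or []
    procs = finding.get("processes") or []
    conns = finding.get("connections") or []
    pod = f"{pods[0].get('ns', '?')}/{pods[0].get('name', '?')}" if pods else DROPPED
    image = containers[0].get("uri", DROPPED) if containers else DROPPED
    binary = (procs[0].get("binary") or {}).get("path") if procs else None
    args = list(procs[0].get("args") or []) if procs else []
    remote = (f"{conns[0].get('destinationIp')}:{conns[0].get('destinationPort')}"
              if conns else None)
    return {
        "category": category,
        "severity": finding.get("severity", "SEVERITY_UNSPECIFIED"),
        "strong_signal": category in STRONG_SIGNAL,
        "resource": finding.get("resourceName", ""),
        "event_time": finding.get("eventTime", ""),
        "pod": pod,
        "image": image,
        "binary": binary,
        "args": args,
        "remote": remote,
    }


def triage_line(record: dict) -> str:
    """One-line summary suitable for a ticket title or chat alert."""
    flag = "STRONG" if record["strong_signal"] else "review"
    return (f"[{record['severity']}/{flag}] {record['category']} in {record['pod']} "
            f"({record['image']}) exec={record['binary']} remote={record['remote']}")


# Constructed sample notifications (not real findings). The first carries full
# pod/container context; the second shows a finding where that context was dropped.
SAMPLE_FULL = json.loads("""{
  "notificationConfigName": "organizations/000000000000/notificationConfigs/ctd-example",
  "finding": {
    "category": "Execution: Added Malicious Binary Executed",
    "severity": "HIGH",
    "resourceName": "//container.googleapis.com/projects/example-project/zones/us-central1-a/clusters/example-cluster",
    "eventTime": "2024-01-01T00:00:00Z",
    "kubernetes": {"pods": [{"ns": "default", "name": "web-7d9c"}]},
    "containers": [{"name": "web", "uri": "example.registry/web:1.2"}],
    "processes": [{"binary": {"path": "/tmp/dropped-binary"}, "args": ["/tmp/dropped-binary", "--bg"]}]
  }
}""")

SAMPLE_DROPPED = json.loads("""{
  "finding": {
    "category": "Reverse Shell",
    "severity": "HIGH",
    "resourceName": "//container.googleapis.com/projects/example-project/zones/us-central1-a/clusters/example-cluster",
    "processes": [{"binary": {"path": "/bin/sh"}, "args": ["/bin/sh"]}],
    "connections": [{"destinationIp": "198.51.100.51", "destinationPort": 8080, "protocol": "TCP"}]
  }
}""")

if __name__ == "__main__":
    for sample in (SAMPLE_FULL, SAMPLE_DROPPED):
        print(triage_line(summarize(sample)))
```

The "strong_signal" flag only encodes the wording this page uses for each detector; the finding's own severity field remains the authoritative value, and a finding with dropped container context should be correlated with the cluster resource name rather than discarded.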

Container Threat Detection detectors

Container Threat Detection includes the following detectors:

Each entry gives the detector name, a description, and the inputs to detection.
Added Binary Executed

A binary that was not part of the original container image was executed.

If an added binary is executed by an attacker, it's a possible sign that an attacker has control of the workload and they are executing arbitrary commands.

The detector looks for a binary being executed that was not part of the original container image, or was modified from the original container image.
Added Library Loaded

A library that was not part of the original container image was loaded.

If an added library is loaded, it's a possible sign that an attacker has control of the workload and they are executing arbitrary code.

The detector looks for a library being loaded that was not part of the original container image, or was modified from the original container image.
Execution: Added Malicious Binary Executed

A binary that meets the following conditions was executed:

  • Identified as malicious based on threat intelligence
  • Not part of the original container image

If an added malicious binary is executed, it's a strong sign that an attacker has control of the workload and they are executing malicious software.

The detector looks for a binary being executed that was not part of the original container image, and was identified as malicious based on threat intelligence.
Execution: Added Malicious Library Loaded

A library that meets the following conditions was loaded:

  • Identified as malicious based on threat intelligence
  • Not part of the original container image

If an added malicious library is loaded, it's a strong sign that an attacker has control of the workload and they are executing malicious software.

The detector looks for a library being loaded that was not part of the original container image, and was identified as malicious based on threat intelligence.
Execution: Built in Malicious Binary Executed

A binary that meets the following conditions was executed:

  • Identified as malicious based on threat intelligence
  • Included in the original container image

If a built in malicious binary is executed, it's a sign that the attacker is deploying malicious containers. They may have gained control of a legitimate image repository or container build pipeline and injected a malicious binary into the container image.

The detector looks for a binary being executed that was included in the original container image, and was identified as malicious based on threat intelligence.
Execution: Modified Malicious Binary Executed

A binary that meets the following conditions was executed:

  • Identified as malicious based on threat intelligence
  • Included in the original container image
  • Modified from the original container image during runtime

If a modified malicious binary is executed, it's a strong sign that an attacker has control of the workload and they are executing malicious software.

The detector looks for a binary being executed that was originally included in the container image but modified during runtime, and was identified as malicious based on threat intelligence.
Execution: Modified Malicious Library Loaded

A library that meets the following conditions was loaded:

  • Identified as malicious based on threat intelligence
  • Included in the original container image
  • Modified from the original container image during runtime

If a modified malicious library is loaded, it's a strong sign that an attacker has control of the workload and they are executing malicious software.

The detector looks for a library being loaded that was originally included in the container image but modified during runtime, and was identified as malicious based on threat intelligence.
Malicious Script Executed

A machine learning model identified an executed bash script as malicious.

Attackers can use bash scripts to transfer tools or other files from an external system into a compromised environment and execute commands without binaries.

The detector uses NLP techniques to evaluate the content of an executed bash script. Since this approach is not based on signatures, the detector can identify both known and unknown malicious scripts.
Malicious URL Observed

Container Threat Detection observed a malicious URL in the argument list of a running process.

The detector checks URLs that are observed in the argument list of running processes against the lists of unsafe web resources that are maintained by the Google Safe Browsing service. If a URL is incorrectly classified as phishing or malware, report it to Safe Browsing at Reporting Incorrect Data.
Reverse Shell

A process started with stream redirection to a remote connected socket.

With a reverse shell, an attacker can communicate from a compromised workload to an attacker-controlled machine. The attacker can then command and control the workload to perform desired actions, for example, as part of a botnet.

The detector looks for stdin bound to a remote socket.
Unexpected Child Shell

A process that does not normally invoke shells spawned a shell process.

The detector monitors all process executions. When a shell is invoked, the detector generates a finding if the parent process is known to not typically invoke shells.
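The Reverse Shell entry above describes its input as "stdin bound to a remote socket". As an added example (not part of this page and not Google's detector), the following host-side check shows what that condition means in Linux terms: read the link target of /proc/PID/fd/0, and if it is a socket, look up its inode in /proc/net/tcp and test whether the connection is established to a non-loopback peer. The /proc/net/tcp sample text below is constructed; the helper names and the loopback rule are this example's own choices, and the live scan only reports processes whose stdin you are permitted to inspect.

```python
"""Host-side check for the 'stdin bound to a remote socket' condition behind
the Reverse Shell detector. Added example, not Google's code; sample /proc data
is constructed. scan_live_procfs() walks the real /proc on a Linux host."""
import os
import re
from dataclasses import dataclass

ESTABLISHED = "01"  # /proc/net/tcp state code for an established connection


@dataclass(frozen=True)
class TcpSocket:
    inode: str
    local: tuple   # (ip, port)
    remote: tuple  # (ip, port)
    state: str


def _parse_addr(hex_addr: str) -> tuple:
    """'0100007F:0277' -> ('127.0.0.1', 631). The IPv4 part is a host-order
    (little-endian) 32-bit value printed as hex, so the bytes are reversed."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = ".".join(str(b) for b in bytes.fromhex(ip_hex)[::-1])
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> dict:
    """Map socket inode -> TcpSocket from the text of /proc/net/tcp."""
    sockets = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        sock = TcpSocket(inode=fields[9], local=_parse_addr(fields[1]),
                         remote=_parse_addr(fields[2]), state=fields[3])
        sockets[sock.inode] = sock
    return sockets


_SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")


def socket_inode(fd_link_target: str):
    """readlink('/proc/<pid>/fd/0') yields 'socket:[12345]' for a socket; else None."""
    m = _SOCKET_LINK.match(fd_link_target)
    return m.group(1) if m else None


def is_loopback(ip: str) -> bool:
    return ip.startswith("127.")


def stdin_bound_to_remote_socket(fd0_link: str, sockets: dict):
    """Return the TcpSocket when fd 0 is an established TCP socket to a
    non-loopback peer (the reverse-shell shape); otherwise None."""
    inode = socket_inode(fd0_link)
    if inode is None:
        return None  # a tty, pipe or file, not a socket
    sock = sockets.get(inode)
    if sock is None or sock.state != ESTABLISHED or is_loopback(sock.remote[0]):
        return None  # not TCP, not connected, or a local peer
    return sock


def scan_live_procfs():
    """Walk /proc on a Linux host; return (pid, comm, remote) for each hit."""
    hits = []
    try:
        with open("/proc/net/tcp") as f:
            sockets = parse_proc_net_tcp(f.read())
    except OSError:
        return hits  # not Linux, or /proc unavailable
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            link = os.readlink(f"/proc/{pid}/fd/0")
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue  # process exited, or its fds are not ours to read
        sock = stdin_bound_to_remote_socket(link, sockets)
        if sock:
            hits.append((int(pid), comm, sock.remote))
    return hits


# Constructed /proc/net/tcp sample: a loopback connection (inode 1001), an
# established connection to 198.51.100.51:8080 (inode 2002) and a listener (3003).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 0100007F:D2A4 01 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 20 4 30 10 -1
   1: 0A00000A:B5F2 336433C6:1F90 01 00000000:00000000 00:00000000 00000000     0        0 2002 1 0000000000000000 20 4 30 10 -1
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 3003 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    demo = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    print("sample fd0 -> socket:[2002]:", stdin_bound_to_remote_socket("socket:[2002]", demo))
    for pid, comm, remote in scan_live_procfs():
        print(f"pid {pid} ({comm}) has stdin bound to {remote[0]}:{remote[1]}")
```

This is a point-in-time sweep, which is why a kernel-level detector like the one described on this page sees the event at process start instead of polling; the same inode join against /proc/net/tcp6 would be needed to cover IPv6 sockets, which this example omits.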

What's next