The challenge
Detecting attacks in cloud environments is challenging. Organizations run different workloads, deployed in different ways, over multiple compute services and cloud providers. Workloads are dynamic, new technologies are constantly adopted, and changes are made by individuals and automated systems. The attack surface increases and keeps changing, making it impossible to monitor each and every attack vector.
Threat detection strategy
Intezer Protect's detection strategy is unique and designed to tackle the security challenges of dynamic cloud environments. Intezer doesn't look for anomalies in behavior telemetry, nor does it require configuring and maintaining countless policies. Instead, it looks at what actually gets executed at runtime and verifies that you're running 100% trusted code at all times.
Inspecting running code is an efficient strategy: regardless of the attack vector, all attacks require running malicious code or commands somewhere in the environment. It's also generic and works for all types of workloads and compute resources. When new code is introduced to the environment, Intezer "genetically" classifies the software.
Intezer looks at the running code from two different angles, the threat angle and the trusted angle. New code introduced to the environment is genetically compared to the threat database to detect malicious code and new variants. Genetic analysis of threats is very different from looking for signatures, file IoCs (e.g., file hash, path, ...), or network IoCs (e.g., bad IPs, URLs, or domains). It analyzes the code itself, so even small reuse of malicious code is detected. Unlike signatures and IoCs, the code itself isn't easily manipulated by an attacker. From the trusted angle, new code introduced to the environment is genetically compared against the organizational and globally trusted software databases, so only completely new software is flagged. Unlike the standard application-control (allow-listing) approach, which flags any small change, genetic analysis makes approving new software possible, enabling organizations to achieve the highest security level without the huge maintenance overhead.
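To make the two angles concrete, here is a toy model of code-similarity classification. It is an added illustration and not Intezer's algorithm or code: the "genes" (hashes of sliding byte windows), the thresholds, the approve step and the sample "binaries" are all constructed for the example, with readable byte strings standing in for machine code. It shows the three outcomes the text describes: a rebuilt trusted program whose file hash no longer matches an allow-list is still recognized as trusted, a trusted program with one known-bad routine grafted in is flagged as malicious despite being mostly known-good code, and never-seen software is reported as unknown until an analyst approves it.

```python
"""Toy model of code-similarity ("genetic") classification.

Added illustration, NOT Intezer's algorithm or code. Genes, thresholds and the
sample "binaries" below are constructed for this example; real systems work on
normalized machine code, here readable byte strings stand in for code."""
import hashlib

WINDOW = 8  # bytes per gene (arbitrary toy value)


def genes(code: bytes) -> set[str]:
    """Represent code as the set of hashes of every WINDOW-byte sliding window.
    Overlapping windows mean a change in one place does not alter the genes of
    untouched regions, unlike a whole-file hash."""
    return {
        hashlib.sha256(code[i:i + WINDOW]).hexdigest()[:16]
        for i in range(len(code) - WINDOW + 1)
    }


def file_hash(code: bytes) -> str:
    return hashlib.sha256(code).hexdigest()


def allowlisted(code: bytes, allowed_hashes: set[str]) -> bool:
    """Classic application control: the exact file hash must be on the list."""
    return file_hash(code) in allowed_hashes


def classify(code: bytes, threat_db: set[str], trusted_db: set[str],
             threat_min: int = 3, trusted_ratio: float = 0.8) -> tuple[str, float]:
    """Return (verdict, share of genes matched on the deciding side).

    Genes that also occur in trusted software (shared libraries, common runtime
    code) are removed from the threat side first, so malware that statically
    links the same libc does not make every binary look malicious. A handful of
    threat-only hits is enough for a malicious verdict even when most of the
    file is known-good code."""
    g = genes(code)
    if not g:
        return "unknown", 0.0
    threat_only = threat_db - trusted_db
    threat_hits = g & threat_only
    if len(threat_hits) >= threat_min:
        return "malicious", len(threat_hits) / len(g)
    trusted_share = len(g & trusted_db) / len(g)
    if trusted_share >= trusted_ratio:
        return "trusted", trusted_share
    return "unknown", trusted_share


def approve(code: bytes, trusted_db: set[str]) -> set[str]:
    """Approving software adds its genes to the organization's trusted set, so
    later builds that reuse this code are recognized without a new rule."""
    return trusted_db | genes(code)


# --- constructed sample data (stand-ins for binaries) -----------------------
TRUSTED_V1 = (b"init: load config from /etc/app\n"
              b"net: bind port 8080\n"
              b"http: serve requests\n"
              b"log: rotate daily\n")
# Same program after a small change: one word differs, so the file hash changes
TRUSTED_V2 = TRUSTED_V1.replace(b"rotate daily", b"rotate hourly")
# Known malware sample; it also carries the same common init code
MALWARE = (b"init: load config from /etc/app\n"
           b"beacon: connect to c2 every 60s\n"
           b"stage2: fetch and run payload\n")
# Trusted program with one malicious routine grafted in
INFECTED = TRUSTED_V1 + b"stage2: fetch and run payload\n"
# Never-seen software: neither trusted nor known-bad
NOVEL = b"cron: run nightly backup job\nstorage: upload to bucket\n"

TRUSTED_DB = genes(TRUSTED_V1)
THREAT_DB = genes(MALWARE)
ALLOWED_HASHES = {file_hash(TRUSTED_V1)}


def demo() -> dict[str, str]:
    """Run the classifier over the samples; returns the verdict per sample."""
    samples = [("v1", TRUSTED_V1), ("v2", TRUSTED_V2),
               ("infected", INFECTED), ("novel", NOVEL)]
    verdicts = {name: classify(code, THREAT_DB, TRUSTED_DB)[0]
                for name, code in samples}
    # After an analyst approves NOVEL, it is recognized as trusted
    verdicts["novel_after_approval"] = classify(
        NOVEL, THREAT_DB, approve(NOVEL, TRUSTED_DB))[0]
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
    print("hash allow-list accepts v2:", allowlisted(TRUSTED_V2, ALLOWED_HASHES))
```

The design point worth noting is the `threat_db - trusted_db` subtraction: without it, any common code that a malware sample happens to share with legitimate software (runtime, libraries) would turn into a false positive on every binary that links it. Thresholds here are toy values; a real deployment would tune them against the organization's own software base.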
Threat detection principles
The principles behind Intezer Protect's detection are:
- No required policies - When it comes to dynamic environments, detection policies tend to be over-permissive or impossible to maintain. Intezer provides high-quality detection without requiring the user to configure policies.
- Holistic - Detection should fit the dynamic nature of modern cloud environments, where workloads are deployed in different ways over different types of compute services. It should not be limited to a specific compute type (e.g., VMs, containers, or Kubernetes), or rely on a specific deployment type (e.g., securing only workloads deployed automatically through a CI/CD pipeline).
- Precise - Alerts should be clear and indicate real attacks. Vague alerts, or a high volume of alerts, aren't actionable and end up being avoided.
- Resilient - Detection should be robust and tolerant to changes attackers can make in their tools, techniques, or infrastructure, including changing the attack vector. Fragile detection (e.g., file hashes, bad IPs, etc.) can be easily bypassed by an attacker and is less effective.
- Threat context - Different attacks present different risks and require different responses. Attributing attacks to threat actors and malware families and understanding the potential impact provide the threat context required to respond to breaches.
With Intezer Protect, you can
- Detect malicious code or malware in runtime, including in-memory threats.
- Detect unrecognized or unauthorized code.
- Detect exploitation of known and unknown vulnerabilities.
- Detect suspicious shell commands and Living off the Land (LotL) attacks.
Notable discoveries
Over the past few years, using this technology, Intezer has discovered multiple previously undetected attacks targeting cloud and Linux-based infrastructure, including:
- Doki Infecting Docker Servers in the Cloud
- Kaiji: New Chinese Linux malware turning to Golang
- Stantinko’s Proxy After Your Apache Server
- IPStorm Now Has Linux Malware
- Linux Rekoobe Operating with New, Undetected Malware Samples
- ChinaZ Updates Toolkit by Introducing New, Undetected Malware
- ACBackdoor: New Multiplatform Backdoor
- HiddenWasp: Linux Remote Control Trojan
Check out Intezer's blog for more and recent discoveries.