Aqua Security, a renowned platform provider for securing cloud native applications and infrastructure, announced Aqua Dynamic Threat Analysis (DTA), a new product offering that protects container-based environments against sophisticated malware that can only be detected using dynamic analysis of a running container, and available as an option within Aqua’s Cloud Native Security Platform (CSP).
The company also announced enhancements to its CSPM SaaS platform (based on its acquisition of CloudSploit in 2019), which now includes Aqua DTA, image vulnerability scanning, and expanded support for cloud environments. Aqua DTA is currently available in preview, with general availability expected later.
Rising Threat of Image-Based Malware
Recently, the Aqua Security cyber research team has uncovered increasingly sophisticated attacks on containers that use obfuscation and evasion techniques to avoid detection by static scanners. Such attacks utilise novel, innocuous-looking images to embed their own code, which is often encrypted or deployed as polymorphic malware to avoid detection. The malicious behaviour of the image can only be observed when it runs as a container.
“We’ve been seeing organised attacks that aim for cryptocurrency mining, credential theft, data exfiltration, or using containers for DDoS attacks.” says Amir Jerbi, CTO and Co-Founder of Aqua.
Software supply chain
By identifying these behaviours before deploying images, Aqua DTA shifts left"
"To achieve these objectives, the container will exhibit a variety of suspicious behaviours, such as unpacking malicious payloads during runtime, opening reverse shell, executing malware from memory to avoid detection, connecting to known command and control servers, and more. By identifying these behaviours before deploying images, Aqua DTA ‘shifts left’ what used to be done only as a late response to incidents during runtime,” he added.
Aqua DTA addresses these risks by automatically running images in a secure sandboxed environment, then analysing, tracing, and classifying the detected behaviours. The sandbox prevents the malware from doing any harm to other workloads and resources on the host or network. Using Aqua DTA allows security and DevOps teams to improve the security of their software supply chain and reduce risk to runtime environments.
Software development life cycle
Aqua DTA is recommended to address the following needs:
- Approving public images and their open source packages – as part of the security policies of the user's software development life cycle (SDLC).
- Approving ISV’s third-party Images – scanning third-party images from independent software vendors before introducing them into the organisation.
- Pre-production security gate – scanning release candidate images before they are promoted to production from CI/CD pipelines or registries, as an added layer of protection.
- Analysis and forensics – quickly analysing image runtime behavior to understand anomalies or perform forensics after a suspected incident.
Within Aqua’s Cloud Native Security Platform, DTA can be configured to automatically scan only images within a specific scope, for example according to a label or within a named registry.
Seamless Cloud-Native Security
The vulnerability scanner included in the preview currently supports AWS environments
Aqua has also revamped its cloud security posture management (CSPM) solution, following its acquisition of CloudSploit in 2019. The new solution is now called Aqua CSPM, and includes Preview versions of both Aqua DTA, as well as integrated container image vulnerability scanning based on Aqua’s Trivy open source scanner. The vulnerability scanner included in the preview currently supports AWS environments, with additional registry support planned throughout the year.
Aqua is the first and only solution that extends CSPM into cloud native security with an integrated offering that discovers container image registries, scans images for vulnerabilities, and detect hidden malware threats in a single, seamless workflow. These capabilities go beyond securing the cloud infrastructure to secure the applications running on it, typically the function of Cloud Workload Protection Platforms (CWPP).
Enhancing security control
In a recent report, Gartner recommends that organisations “consider a comprehensive cloud-native application protection platform that combines the needs mentioned above, container scanning, serverless scanning, CWPP and CSPM, in a single platform.” The report names Aqua Security as one of three vendors that converge CWPP and CSPM.
Additional recent enhancements to Aqua CSPM include:
- General Availability of its support for Google Cloud and Oracle Cloud environments
- Scanning of Terraform templates in addition to the previously available AWS CloudFormation templates, enhancing security control over Infrastructure-as-Code (IaC) tooling
- Automated GDPR compliance reports, facilitating compliance with the European privacy requirements