Let's review several technical concepts behind Aqua's Dynamic Threat Analysis (DTA)
TABLE OF CONTENTS
DTA Scanning Results
The following terms are key in understanding the scan results:
Behaviors and Findings: Aqua DTA runs and monitors container image behaviors by running the container in an isolated sandbox environment. The behaviors are classified by category and risk severity, so you can understand their context.
In addition, DTA provides evidence to substantiate each behavior. For example, a possible behavior might be “Detection of network activity without performing DNS lookup”; the evidence for this behavior could include the ID of the process that initiated the network activity, as well as the destination IP address.
Each behavior is classified by one of 5 categories. To align with the MITRE attack framework, each category is mapped to one or more MITRE categories.
MITRE category mapping
Consists of techniques that use various entry vectors to gain their initial foothold
Example: Crypto Mining binaries found in the image
Initial access, Execution
Includes unusual techniques to gain more control
Example: Privilege escalation and credential access
Persistence, Privilege escalation, Defense evasion, Credential access
Discovering local or remote resources to exploit them or perform lateral movement
Example: Executing "Shodan search" on internet-connected devices in runtime
Discovery, lateral movement
Suspicious network activity
Example: Accessing an unreachable IP address might indicate communication with a C&C
Command and control
Collection & Exfiltration
Collecting resources and reaching an end-game objective
Example: Resource hijacking to validate transactions of cryptocurrency networks and earn virtual currency
Collection, Exfiltration, Impact
The following is a conceptual description of the DTA scanning flow:
- New images are periodically discovered and pulled into the Aqua service
- The service spins up a new Virtual Machine (VM) instance dedicated for each image scan
- The service runs the image as a container on the VM for several minutes
- The service records and monitors all aspect of the run time such as network, disk activity, memory utilization, and system calls
- The service classifies these activities in the form of behaviors and saves the scan result
- The VM is tear down and the image is deleted from Aqua servers
Supported Types of Images
DTA supports Linux-based container images created according to the docker format.