sysdig.com (141.193.213.21)

Submitted URL: https://email.btobinsights.com/c/1lttAPuEQqIYdWVlysLd5iSuTeH9
Effective URL: https://sysdig.com/blog/cloud-defense-in-depth/?utm_source=ant&utm_medium=email&utm_campaign=cloud-defense-in-depth...
Submission: On July 20 via api from US — Scanned from DE


CLOUD DEFENSE IN DEPTH: LESSONS FROM THE KINSING MALWARE

By Nigel Douglas - JULY 4, 2023


In the face of persistent data breaches and escalating cyber threats,
organizations are compelled to prioritize cloud defense in depth. These measures
are indispensable for protecting critical assets and upholding the integrity of
cloud-based systems. By establishing a comprehensive security plan,
organizations can effectively convey their commitment to security and lay a
solid foundation for a resilient and secure cloud environment.

In this blog post, we will delve into the profound strength and versatility
offered by open source, cloud-native tools, which play a pivotal role in
mitigating the lateral movement of malware, like Kinsing, within Kubernetes.
This form of malware poses a significant threat to databases operating in cloud
environments. Although we focus on Kinsing as a recent attack pattern, the
principles discussed here can be extended to other types of malware that target
cloud-native applications.


WHAT IS CLOUD DEFENSE IN DEPTH AND WHY SHOULD IT BE IN EVERY CLOUD SECURITY PLAN?

To strengthen cloud security further, organizations must embrace the concept of
defense-in-depth. Cloud defense in depth extends beyond the generic constraints
of supply chain security and host/workload runtime security. It encompasses the
proactive implementation of multiple layers of security controls throughout an
organization’s cloud infrastructure.

The shift-left and shield-right methodologies have emerged as powerful practices
that organizations can adopt to enhance cloud security. Shift-left emphasizes
integrating security considerations early in the development process, enabling
developers to identify and address vulnerabilities at their root. By
incorporating security tools and practices such as static code analysis,
vulnerability scanning, and secure coding guidelines, organizations can
proactively eliminate potential risks before they propagate throughout the
application.

On the other hand, Shield-Right focuses on implementing security controls and
protections at runtime and in the operational phase of the application
lifecycle. It ensures that robust security measures are in place to shield the
application from attacks and malicious activities. Kubernetes, a popular
container orchestration platform, plays a crucial role in the Shield-Right
methodology. It enables organizations to secure their containerized applications
by leveraging features such as Role-Based Access Controls (RBAC), Kubernetes
Network Policies (KNP), and runtime monitoring through Falco.


HOW AN ATTACKER MOVES FROM A DATABASE TO CLOUD

Let’s discuss an attack scenario that justifies the need for end-to-end
detections to secure cloud-native workloads. The incident involves the Kinsing
malware, which exploits vulnerabilities in container images, as well as
misconfigured and exposed PostgreSQL containers, to breach Kubernetes clusters.
Kinsing, a Linux malware with a history of targeting containerized environments
for cryptomining, uses the compromised server’s resources to generate illicit
profit for the threat actors.

If you’re unfamiliar with Kinsing malware, we provide dedicated resources to
help you understand these types of attacks. The operators behind Kinsing are
notorious for exploiting well-known vulnerabilities like Log4Shell.

Their objective is to gain initial access to Linux servers, whether they run
on-premises or in the cloud, through the two standard entry points listed
below: a vulnerable container image or a misconfigured PostgreSQL database. The
third point outlines techniques for lateral movement toward the cloud
environment.

 1. Mitigating risk for misconfigured PostgreSQL databases
    * Use known registries for container’s images
    * Harden the network access to the server
    * Scan images for vulnerabilities
    * Patch on time
 2. Mitigating risk in vulnerable container images
    * Remove trust authentication
    * Harden the network access to the database
    * Remove default users, and extensive permissions
 3. Mitigating lateral movements to the cloud
    * Detect attempts to access sensitive credentials in Kubernetes
    * Extend detection capabilities to cloud services

MITIGATING RISK FOR MISCONFIGURED POSTGRESQL DATABASES

When exploiting image vulnerabilities, the threat actors hunt for remote code
execution flaws that let them push their payloads. As noted in the list above,
several mitigation strategies apply, such as vulnerability scanning of
potentially vulnerable images and hardening your network security. We will
discuss each of them in the context of open source, cloud-native technologies.

USE KNOWN REGISTRIES FOR CONTAINER’S IMAGES

Using known registries for container images is crucial to avoid database
compromise because it helps ensure the integrity and security of the images used
in your environment. When pulling container images from trusted and reputable
registries, you can have more confidence in the authenticity and quality of the
images.

Known registries often have established security measures in place, such as
image scanning, vulnerability detection, and access controls, which help
mitigate the risk of deploying compromised or malicious images. By leveraging
open source tools like Trivy, you can enforce the use of known registries and
perform image scanning to identify vulnerabilities and security issues.

In the example below, Trivy scans an image pulled from a named, trusted registry
and returns exit code 1 when it finds vulnerabilities that already have a fix
available, so a pipeline step can block the image:

# --ignore-unfixed skips findings that have no fixed version yet;
# --exit-code 1 fails the pipeline step if any finding remains.
# The official Docker Hub image is docker.io/library/postgres.
trivy image --ignore-unfixed --exit-code 1 docker.io/library/postgres:latest

Alternatively, tools like Docker Content Trust (DCT) provide image signing and
verification mechanisms to ensure the integrity and authenticity of container
images. You can set up a policy to enforce the use of signed images from known
registries. This can be achieved by creating a notary configuration file
(notary-config.json) with the list of trusted repositories and their associated
keys.

{
  "trust_dir": "~/.docker/trust",
  "remote_server": {
    "url": "https://notary.example.com",
    "root_ca": "/path/to/root-ca.crt"
  },
  "repositories": {
    "docker.io/library": {
      "default": {
        "signing_keys": [
          {
            "key_id": "<your-key-id>",
            "key_path": "~/.docker/trust/private/<keyname>.key"
          }
        ]
      }
    }
  }
}
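To make the "known registries" control concrete, here is an added Python example (not code from the original post, from Trivy or from Notary) of the allow-list check such a control amounts to at admission time. It normalises an image reference the way Docker does (a bare name means docker.io/library/<name>; the first path segment is a registry only if it contains a dot or a colon or is localhost), denies anything outside an assumed allow-list, and warns when the reference is not pinned to a fixed tag or digest. The registry names in ALLOWED_REGISTRIES and the sample image list are constructed for the example.

```python
"""Allow-list check for container image references.

Added example: not code from the original post, Trivy or Notary. It mirrors
what a "known registries" control does at admission time. The registry names
in ALLOWED_REGISTRIES are constructed for this example.
"""

# Registries this (constructed) organisation trusts; everything else is denied.
ALLOWED_REGISTRIES = frozenset({"docker.io", "registry.internal.example.com:5000"})

DEFAULT_REGISTRY = "docker.io"
DEFAULT_NAMESPACE = "library"


def parse_image(ref):
    """Return (registry, repository, tag, digest) for an image reference.

    Follows Docker's normalisation rules: the first path segment is a registry
    only if it contains '.' or ':' or is 'localhost'; otherwise the reference
    is relative to docker.io, and a single-segment name lives under 'library'.
    A digest (after '@') is split off before the tag (after the last ':').
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    segments = ref.split("/")
    first = segments[0]
    if len(segments) > 1 and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, segments[1:]
    else:
        registry, path = DEFAULT_REGISTRY, segments
    tag = None
    if ":" in path[-1]:
        path[-1], tag = path[-1].rsplit(":", 1)
    if registry == DEFAULT_REGISTRY and len(path) == 1:
        path = [DEFAULT_NAMESPACE] + path
    return registry, "/".join(path), tag, digest


def check_image(ref, allowed=ALLOWED_REGISTRIES):
    """Return ("deny" | "warn" | "allow", reason) for one image reference."""
    registry, repo, tag, digest = parse_image(ref)
    if registry not in allowed:
        return "deny", f"{registry} is not an approved registry"
    if digest is None and (tag is None or tag == "latest"):
        return "warn", (f"{registry}/{repo} is not pinned (tag {tag or 'latest'}); "
                        "a digest or a fixed tag is safer")
    pinned = f"{registry}/{repo}@{digest}" if digest else f"{registry}/{repo}:{tag}"
    return "allow", pinned


def check_pod_images(images, allowed=ALLOWED_REGISTRIES):
    """Admission-style decision for a whole pod: reject if any image is denied."""
    results = {ref: check_image(ref, allowed) for ref in images}
    admitted = all(decision != "deny" for decision, _ in results.values())
    return admitted, results


if __name__ == "__main__":
    # Constructed list of images from a hypothetical pod spec.
    sample = [
        "postgres:15.3",
        "registry.internal.example.com:5000/db/backup@sha256:" + "ab" * 32,
        "evil.example.net/postgres:15",
        "postgres:latest",
    ]
    admitted, results = check_pod_images(sample)
    for ref, (decision, reason) in results.items():
        print(f"{decision:5s} {ref}: {reason}")
    print("admitted" if admitted else "rejected")
```

The "warn" outcome is deliberately separate from "deny": pinning is a hygiene concern that you may want to report first and enforce later, whereas an unknown registry is the condition the page's control exists to stop.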

HARDEN NETWORK ACCESS TO THE SERVER

Assuming your organization has failed to identify the misconfigured database
server, or assuming the database is not patched in time before being pushed into
a production environment that does not enforce “least privilege” networking
controls, it’s important to be able to detect the payload deployment from a
running database workload.

# The db_server_binaries list and the postgres_running_wal_e and
# user_known_db_spawned_processes macros are defined in Falco's default ruleset.
- rule: DB program spawned process
  desc: >
    a database-server related program spawned a new process other than itself.
    This shouldn't occur and is a follow on from some SQL injection attacks.
  condition: >
    proc.pname in (db_server_binaries)
    and spawned_process
    and not proc.name in (db_server_binaries)
    and not postgres_running_wal_e
    and not user_known_db_spawned_processes
  output: >
    Database-related program spawned process other than itself (user=%user.name user_loginuid=%user.loginuid
    program=%proc.cmdline pid=%proc.pid parent=%proc.pname container_id=%container.id image=%container.image.repository)
  priority: NOTICE
  tags: [host, container, process, database, mitre_execution, T1190]

The provided Falco detection rule reveals that we can identify instances where
the compromised PostgreSQL database spawns a process other than itself. This is
a clear indication of compromise associated with the Kinsing malware or
potential SQL injection attacks on databases.

SCAN IMAGES FOR VULNERABILITIES

Scanning images for vulnerabilities in the CI/CD pipeline and ensuring their
origin from known registries are two crucial practices that should not be
overlooked. However, one often neglected aspect is the runtime scanning of
in-use containers to identify vulnerabilities.

To assess the vulnerability status of your PostgreSQL database, the open source
tool Anchore Engine is highly recommended. Anchore Engine offers extensive image
scanning capabilities and vulnerability analysis specifically designed for
containers during runtime, providing valuable insights into the security posture
of your PostgreSQL database.

Pull the container image you want to scan using Docker:

# The official Docker Hub image is named "postgres".
docker pull postgres:latest

You can then scan the pulled image using Anchore Engine. The ‘add’ action adds
a container image to Anchore Engine for analysis. The ‘wait’ action quite
literally waits for the analysis of a specific image to complete. The ‘content’
command retrieves detailed information about the content of an image, and the
‘vuln’ command lists the vulnerabilities found in it.

docker run -e ANCHORE_CLI_URL=http://<anchore-engine-host>:8228/v1 --rm anchore/anchore-cli image add postgres:latest
docker run -e ANCHORE_CLI_URL=http://<anchore-engine-host>:8228/v1 --rm anchore/anchore-cli image wait postgres:latest
docker run -e ANCHORE_CLI_URL=http://<anchore-engine-host>:8228/v1 --rm anchore/anchore-cli image content postgres:latest
# "all" reports both OS-package and application-dependency vulnerabilities
docker run -e ANCHORE_CLI_URL=http://<anchore-engine-host>:8228/v1 --rm anchore/anchore-cli image vuln postgres:latest all

Of course, you’ll need to replace <anchore-engine-host> with the hostname or IP
address of your Anchore Engine instance. Once you have done this, Anchore Engine
will analyze the image and provide a detailed vulnerability report, including
information about any vulnerabilities found in the image’s packages and
dependencies. This confirms if your running containerized database can be
compromised by the Kinsing malware.

PATCH ON TIME

Having a robust patch management strategy for databases in Kubernetes remains
crucial despite the rollout process for containers. While containers provide
isolation and encapsulation, vulnerabilities can still exist within container
images, including the database software. Therefore, it’s vital to regularly
update and patch the databases to address security vulnerabilities and stay
protected against potential exploits.

However, due to the dynamic and automated nature of container deployment in
Kubernetes, relying solely on manual patching may not be sufficient. This is
where a tool like Gatekeeper comes into play. With Gatekeeper, you can enforce
policies that reject containers whose image scan reports unacceptable Common
Vulnerabilities and Exposures (CVEs), ensuring that only containers with an
acceptable security level are deployed.

This proactive approach complements the patch management strategy, providing an
additional layer of defense against potential security risks in containerized
databases. To reject known CVEs at runtime using OPA Gatekeeper, you can define
policies that check for specific vulnerabilities and enforce restrictions on the
deployment of resources that have those vulnerabilities. These policies can be
written using the Rego language, which is the policy language used by OPA.

# Gatekeeper hands the admission request to the policy as input.review; the
# resource being created or updated is input.review.object, and Gatekeeper
# collects results from rules named "violation".
package kubernetes.cve_rejection

violation[{"msg": msg}] {
  obj := input.review.object
  obj.kind == "Deployment"
  obj.apiVersion == "apps/v1"
  obj.metadata.labels.app == "postgresql"
  # image known to carry an unacceptable CVE (replace with your scan results)
  obj.spec.template.spec.containers[_].image == "vulnerable-image:latest"
  msg := "Deployment of my-app with vulnerable image is not allowed."
}

In this example, the policy checks if a deployment resource with the label app:
postgresql that is using the image vulnerable-image:latest is being created. If
such a deployment is detected, the policy triggers and rejects it with a
corresponding error message.

In Gatekeeper, the policy is packaged in a ConstraintTemplate manifest, and
Constraints created from that template apply it to specific resources. By
using OPA Gatekeeper in this manner, you can enforce runtime rejection of known
CVEs by defining and applying custom policies that match your own vulnerability
criteria.


PREVENTING EXPLOITATION OF CONTAINER IMAGES

To prevent exploitation of container images, it is essential to implement key
security measures. These include removing trust authentication, securing network
access, removing default users, and enforcing tight RBAC controls. By taking
these steps, you can enhance the security of your containerized databases and
reduce the risk of unauthorized access and potential breaches.

REMOVE TRUST AUTHENTICATION

One of the most common misconfigurations the attackers leverage is the ‘trust
authentication’ setting, which instructs PostgreSQL to assume that “anyone who
can connect to the server is authorized to access the database.” Where possible,
it’s strongly recommended to disable this setting.

An open source tool that can help enforce authentication settings and security
policies in PostgreSQL is pgAudit. This tool provides detailed logging and
monitoring capabilities for PostgreSQL, including the ability to log and analyze
authentication attempts and database activity.

By configuring pgAudit, you can gain insight into authentication patterns and
identify unauthorized access attempts. Falco, in turn, detects suspicious
process activity from the Postgres database. Together, they cover both the
authentication behavior and the process behavior.

HARDEN THE NETWORK ACCESS TO THE DATABASE

Another mistake is allowing an IP address range that is far too wide, so that
it includes whatever address the attacker happens to connect from. This means
that Kubernetes Network Policies, and network visibility in general, are
essential for both the vulnerable image and the misconfigured PostgreSQL
database.

Attacks start with scanning of a wide range of IP addresses, looking for an open
port that matches the default port of specific, popular web applications like
WordPress. The general best practice in these cases would be to minimize access
to exposed containers by using IP allow lists and following least privilege
principles.
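The two misconfigurations discussed above, trust authentication and an over-wide address range, both live in pg_hba.conf, so they can be audited together. The following Python script is an added example, not part of the original post or of pgAudit: it parses a constructed pg_hba.conf, flags every entry that uses the trust method, and flags host entries whose address range is wider than a /16 (the MAX_ADDRESSES threshold is an assumption; pick one that matches your network). It handles the CIDR form, the older separate-netmask form and the keyword all, and skips hostnames and the samehost/samenet keywords, which are not IP ranges.

```python
"""Audit pg_hba.conf for trust authentication and over-broad address ranges.

Added example, not code from the original post or from pgAudit. The sample
configuration below is constructed; MAX_ADDRESSES is an assumed threshold.
"""
import ipaddress

# Constructed pg_hba.conf with a mix of safe and unsafe entries.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS                    METHOD
local   all       all                              peer
host    all       all   127.0.0.1/32               scram-sha-256
host    all       all   0.0.0.0/0                  trust
host    all       all   ::/0                       md5
host    app       app   10.0.0.0/8                 scram-sha-256
host    all       all   10.42.0.0/16               scram-sha-256
host    all       all   192.168.1.0 255.255.255.0  md5
host    all       all   all                        scram-sha-256
"""

# Anything wider than a /16 (65,536 IPv4 addresses) is treated as too broad.
MAX_ADDRESSES = 2 ** 16


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_pg_hba(text):
    """Parse pg_hba.conf lines into dicts (type, database, user, address, method).

    Handles 'local' entries (no address), CIDR addresses, the older
    'IP netmask' two-column form, and the keyword 'all'.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            entries.append({"type": "local", "database": fields[1], "user": fields[2],
                            "address": None, "method": fields[3]})
            continue
        address, rest = fields[3], fields[4:]
        if rest and _is_ip(rest[0]):            # separate netmask column
            address, rest = f"{address}/{rest[0]}", rest[1:]
        entries.append({"type": fields[0], "database": fields[1], "user": fields[2],
                        "address": address, "method": rest[0]})
    return entries


def address_span(address):
    """Number of addresses an ADDRESS field covers, or None if it is not an IP range."""
    if address == "all":
        return float("inf")
    try:
        return ipaddress.ip_network(address, strict=False).num_addresses
    except ValueError:                            # hostname, samehost, samenet, ...
        return None


def audit_pg_hba(text, max_addresses=MAX_ADDRESSES):
    """Return a list of (entry, issue) findings.

    Issues: 'trust-auth' for any entry using the trust method, and
    'wide-range' for host entries whose address range exceeds max_addresses.
    """
    findings = []
    for entry in parse_pg_hba(text):
        if entry["method"] == "trust":
            findings.append((entry, "trust-auth"))
        span = address_span(entry["address"]) if entry["address"] else None
        if span is not None and span > max_addresses:
            findings.append((entry, "wide-range"))
    return findings


if __name__ == "__main__":
    for entry, issue in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"{issue:10s} {entry['type']} {entry['database']} {entry['user']} "
              f"{entry['address']} {entry['method']}")
```

Run against the constructed file, the audit reports the 0.0.0.0/0 trust line twice (once per issue), and the ::/0, 10.0.0.0/8 and all entries as wide ranges; the /16 and the netmask-form /24 pass the threshold.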

By default, all pods within a Kubernetes cluster can communicate with each other
without any restrictions. Kubernetes Network Policies help you isolate the
microservice applications from each other to limit the blast radius and improve
the overall security posture.

Thankfully, Kubernetes Network Policies allow users to generate
“least-privilege” policies to protect your workloads. You need to understand
what port and IP traffic you wish to allow for your PostgreSQL workload. That
way, we only allow what we are expecting, regardless of whether the workload is
compromised or not.

# Calico policy keys are lowercase, selectors use Calico's "label == 'value'"
# syntax, and protocol names are written in upper case.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: postgresql-policy
spec:
  selector: app == 'postgresql'
  ingress:
    # only frontend pods may open connections to PostgreSQL on 5432
    - action: Allow
      protocol: TCP
      source:
        selector: app == 'frontend'
      destination:
        ports:
          - 5432
  egress:
    # traffic from the database's port 5432 back to frontend pods; Calico
    # policy is stateful, so replies to allowed connections pass regardless
    - action: Allow
      protocol: TCP
      destination:
        selector: app == 'frontend'
      source:
        ports:
          - 5432


The above policy targets pods labeled with app: postgresql. The policy only
allows ingress (incoming) traffic on port 5432 (the default port for PostgreSQL)
from pods labeled with app: frontend. It also allows egress (outgoing) traffic
to pods labeled with app: frontend on port 5432.

This network policy also assumes that you have already deployed and labeled your
PostgreSQL and frontend pods accordingly. You will need to adjust the policy
based on your deployment configuration.

Native Kubernetes Network Policies need no additional networking components
beyond a Container Networking Interface (CNI) plugin that supports them. The
example above uses Calico’s policy API, but Calico, Cilium, or the native
Network Policy implementation can all achieve this security goal.

A second “default-deny” policy is required so that any traffic not already
allowed earlier in the packet pipeline is dropped. The policy below is a
cluster-wide default deny that still permits CoreDNS (UDP port 53) traffic, so
name resolution keeps working. If a global rule is too broad, you can instead
create a default-deny policy per namespace.

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: deny-app-policy
spec:
  # applies to every namespace except kube-system
  namespaceSelector: has(projectcalico.org/name) && projectcalico.org/name not in {"kube-system"}
  types:
  - Ingress
  - Egress
  egress:
  # keep DNS working; everything else not explicitly allowed is dropped
  - action: Allow
    protocol: UDP
    destination:
      selector: 'k8s-app == "kube-dns"'
      ports:
      - 53

Network Policies certainly narrow the blast radius of the attack, but they do
not address the initial compromise. That’s where we need a defense-in-depth
strategy powered by deep intrusion detection capabilities with Falco. If a
packet is being dropped, we need to know why. Is it a suspicious network
connection? iptables won’t give us this kind of context on its own:

# This rule ships disabled in the default Falco ruleset. Set enabled: true and
# populate the allowed_image, authorized_server_binary and authorized_server_port
# lists with your own workloads before relying on it.
- rule: Outbound or Inbound Traffic not to Authorized Server Process and Port
  desc: Detects traffic that is not to an authorized server process and port.
  condition: >
    inbound_outbound and
    container and
    container.image.repository in (allowed_image) and
    not proc.name in (authorized_server_binary) and
    not fd.sport in (authorized_server_port)
  enabled: false
  output: >
    Network connection outside authorized port and binary
    (command=%proc.cmdline pid=%proc.pid connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id
    image=%container.image.repository)
  priority: WARNING
  tags: [container, network, mitre_discovery, TA0011]

REMOVE DEFAULT USERS, AND EXTENSIVE PERMISSIONS

Removing default users plays a crucial role in enhancing the security of a
PostgreSQL database. Default users often have broad permissions and known
credentials, making them attractive targets for attackers, so eliminating them
minimizes the risk of unauthorized access and potential security breaches.

However, it is equally, if not more, important to enforce granular RBAC controls
in Kubernetes to limit the blast radius. By implementing RBAC, you can assign
specific roles and permissions to individual users or service accounts, ensuring
they have only the necessary privileges required to perform their tasks.

Another open source tool that could help enforce these granular RBAC controls is
the Kubernetes RBAC Manager. It allows you to define and manage RBAC policies
declaratively using custom resources.

# RBAC Manager does not define roles itself: the permissions live in ordinary
# Kubernetes Role objects, and the RBACDefinition binds subjects to them. In the
# RBACDefinition schema, rbacBindings sits at the top level, not under spec.
# The "databases" namespace is an assumption for this example.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: database-reader
  namespace: databases
rules:
  - apiGroups: ["postgres.databases.io"]
    resources: ["database"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: database-writer
  namespace: databases
rules:
  - apiGroups: ["postgres.databases.io"]
    resources: ["database"]
    verbs: ["get", "list", "create", "update", "delete"]
---
apiVersion: rbacmanager.reactiveops.io/v1beta1
kind: RBACDefinition
metadata:
  name: database-access
rbacBindings:
  - name: read-access-binding
    subjects:
      - kind: User
        name: nigel
    roleBindings:
      - role: database-reader
        namespace: databases
  - name: write-access-binding
    subjects:
      - kind: User
        name: daniel
    roleBindings:
      - role: database-writer
        namespace: databases

Two roles are defined:

 * database-reader with read-only access
 * database-writer with read and write access to the database resource

The RoleBindings then associate the roles with specific users (Nigel and Daniel
in this case). With Kubernetes RBAC Manager, you can ensure that only authorized
users have the necessary permissions within Kubernetes, limiting the blast
radius and maintaining a more secure environment.

By directly capturing system call events from the host in real-time, the Falco
agent enables prompt alerting. If your PostgreSQL database has fallen victim to
the Kinsing malware, it is important to note that this malware primarily targets
Linux-based systems and Docker containers. Typically, the objective of the
Kinsing malware is to do harm within Kubernetes – not to expand into the cloud.

However, if your Kubernetes environment has been compromised, how can you
prevent adversaries from advancing from cloud-native workloads into the cloud?
This becomes particularly relevant when your Kubernetes cluster is a managed
service in the cloud, such as Elastic Kubernetes Service (EKS) on AWS. These
considerations are integral to an end-to-end security plan, as it emphasizes the
need to secure not only the image pipeline and container runtime, but also the
cloud services hosting your cloud-native workloads.


PREVENTING LATERAL MOVEMENT TO THE CLOUD

It’s worth noting that movement from a compromised PostgreSQL database to the
cloud would involve leveraging additional techniques and exploiting
vulnerabilities in the cloud infrastructure. Here’s a generalized scenario that
an adversary could usually follow to gain access to the cloud account that hosts
the Kubernetes clusters and PostgreSQL workload:

 1. The initial compromise has already been discussed.
    The adversary has gained access to the PostgreSQL database through various
    means, such as exploiting vulnerabilities, weak passwords, or insecure
    configurations.
 2. Now, the adversary needs to escalate privileges within the compromised
    database to gain broader access and control over the system.
    This can involve exploiting privilege escalation vulnerabilities, but is
    usually achieved by leveraging weak database configurations.
 3. Assuming they have successfully identified the weaknesses in the database
    configuration or exploited a known vulnerability, they can perform
    reconnaissance to gather information about the targeted cloud environment.
    This includes identifying the cloud provider, understanding the network
    architecture, and mapping out potential entry points.

Remember, they are doing all of this on the host server that is hosting the
PostgreSQL DB. Falco is therefore able to detect instances where the attacker is
trying to search for private keys or sensitive credentials on those systems.

DETECT ATTEMPTS TO ACCESS SENSITIVE CREDENTIALS IN KUBERNETES

In an attempt to steal private keys or passwords from a Kubernetes cluster, an
adversary might utilize the grep command to search through various files, logs,
or configuration data within the cluster. By leveraging regular expressions,
they can identify patterns associated with private keys or passwords, extracting
sensitive information that could grant them unauthorized access to the cluster’s
resources and compromise the security of the entire environment.

# The grep_commands and private_key_or_password macros come from Falco's default ruleset.
- rule: Search Private Keys or Passwords
  desc: Detects grep private keys or passwords activity.
  condition: >
    (spawned_process and
     ((grep_commands and private_key_or_password) or
      (proc.name = "find" and (proc.args contains "id_rsa" or proc.args contains "id_dsa")))
    )
  output: >
    Grep private keys or passwords activities found
    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid container_id=%container.id container_name=%container.name
    image=%container.image.repository:%container.image.tag)
  priority: WARNING
  tags: [host, container, process, filesystem, mitre_credential_access, T1552.001]

Assuming you don’t have real-time detection capabilities for this sort of
behavior, the adversary could exploit cloud infrastructure vulnerabilities
undetected, such as weak access controls, exposed management interfaces, or
unpatched software. Kinsing may attempt to exploit these weaknesses to gain
unauthorized access to the cloud infrastructure. This further reinforces the
need for real-time detections.

EXTEND DETECTION CAPABILITIES TO CLOUD SERVICES

Extending detection capabilities to the cloud is essential to enhance overall
security in Kubernetes environments. By correlating exfiltration attempts in
Kubernetes with suspicious activities in the cloud, such as unauthorized
deletion of S3 bucket encryption, organizations can gain a comprehensive view of
potential security incidents and detect sophisticated attack patterns.

- rule: Delete Bucket Encryption
  desc: Detects the deletion of configurations used to encrypt bucket storage.
  condition:
    ct.name="DeleteBucketEncryption" and not ct.error exists
  output:
    An encryption configuration for a bucket has been deleted
    (requesting user=%ct.user,
     requesting IP=%ct.srcip,
     AWS region=%ct.region,
     bucket=%s3.bucket)
  priority: CRITICAL
  source: aws_cloudtrail
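To show what the rule above actually evaluates, here is an added Python example (not part of the original post or of Falco) that applies the same condition, eventName equal to DeleteBucketEncryption with no errorCode present, to a constructed CloudTrail log and formats alerts with the fields the rule prints. The records, user names, ARN, bucket name, IP addresses and region are all constructed. As an extension beyond the page’s rule, it can also report denied attempts at a lower priority, since a DeleteBucketEncryption call that failed with AccessDenied is still worth a look.

```python
"""Apply the 'Delete Bucket Encryption' detection to CloudTrail records.

Added example, not code from the original post or from Falco. The records in
SAMPLE_CLOUDTRAIL are constructed: user names, ARN, bucket, IPs and region are
not real. It evaluates the same condition as the Falco rule (eventName is
DeleteBucketEncryption and no errorCode is present) and, as an extension, can
report denied attempts at a lower priority.
"""
import json

SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {   # successful deletion: the rule's condition holds
        "eventName": "DeleteBucketEncryption", "eventSource": "s3.amazonaws.com",
        "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "ci-deployer"},
        "requestParameters": {"bucketName": "example-backups"},
    },
    {   # denied attempt: errorCode present, so the page's rule ignores it
        "eventName": "DeleteBucketEncryption", "eventSource": "s3.amazonaws.com",
        "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.11",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc"},
        "errorCode": "AccessDenied",
        "requestParameters": {"bucketName": "example-backups"},
    },
    {   # unrelated event: must not fire
        "eventName": "PutBucketEncryption", "eventSource": "s3.amazonaws.com",
        "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "ci-deployer"},
        "requestParameters": {"bucketName": "example-backups"},
    },
]})


def requesting_user(record):
    """ct.user equivalent: the user name if present, otherwise the identity ARN."""
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn") or "unknown"


def detect_bucket_encryption_deletion(cloudtrail_json, include_failed=False):
    """Return alert dicts for DeleteBucketEncryption calls.

    Successful calls (no errorCode) are CRITICAL, matching the Falco rule.
    With include_failed=True, denied calls are also reported as NOTICE.
    """
    alerts = []
    for record in json.loads(cloudtrail_json)["Records"]:
        if record.get("eventName") != "DeleteBucketEncryption":
            continue
        failed = "errorCode" in record
        if failed and not include_failed:
            continue
        alerts.append({
            "priority": "NOTICE" if failed else "CRITICAL",
            "user": requesting_user(record),
            "ip": record.get("sourceIPAddress"),
            "region": record.get("awsRegion"),
            "bucket": record.get("requestParameters", {}).get("bucketName"),
            "error": record.get("errorCode"),
        })
    return alerts


def format_alert(alert):
    """Render an alert in the same shape as the rule's output string."""
    text = (f"An encryption configuration for a bucket has been deleted "
            f"(requesting user={alert['user']}, requesting IP={alert['ip']}, "
            f"AWS region={alert['region']}, bucket={alert['bucket']})")
    if alert["error"]:
        text = text.replace("has been deleted",
                            f"deletion was attempted ({alert['error']})")
    return f"{alert['priority']}: {text}"


if __name__ == "__main__":
    for alert in detect_bucket_encryption_deletion(SAMPLE_CLOUDTRAIL, include_failed=True):
        print(format_alert(alert))
```

With the default include_failed=False the script behaves exactly like the rule and reports only the successful deletion; the denied attempt appears only when you opt in, which keeps the CRITICAL signal clean while still surfacing the reconnaissance-like failure.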

By extending detection capabilities to the cloud, organizations can establish a
holistic, cloud defense in depth security approach that covers both Kubernetes
and cloud environments, ensuring a stronger defense against emerging threats and
reducing the likelihood of data exfiltration and unauthorized access.


CONCLUSION

To mitigate the risks associated with Kinsing malware attacks, organizations can
adopt a comprehensive, open source approach that combines shift-left security
practices and robust defensive measures. This involves implementing image
scanning for vulnerabilities during the pipeline phase and continuously
monitoring running containers for potential exploits.

It is crucial to acknowledge the potential for attacks originating in
cloud-native, containerized workloads, such as PostgreSQL, to propagate within
Kubernetes and potentially extend into the cloud. While attacker techniques may
evolve over time, adhering to these best practices provides a solid foundation
for maintaining a robust security plan.

By following these guidelines, organizations can have greater confidence in the
effectiveness of their security measures. For further insights, the Sysdig
webinar on the value of combining shift-left and shield-right methodologies can
provide valuable information:
https://go.sysdig.com/WebShiftCloudSecurityEMEA.html.

