Web applications and web services are probably the most commonly produced type of software, and they are increasingly being developed and deployed as containers. Among the top downloaded container images on the public Docker Hub are many related to web application development, such as nginx, MySQL, PostgreSQL, the Apache HTTP server, Ruby, PHP, Tomcat, and Django.

This post walks through an example scenario of detecting a web application attack using Project Syn. The scenario is admittedly simple and contrived, but we believe it's illustrative of how Syn can help in the real world.

Setup

In our scenario we use the Damn Vulnerable Web Application (DVWA) as the web app to be exploited. The application is intentionally riddled with vulnerabilities and is often used in security pen-test training. We deploy the entire web app, based on the LAMP stack, in a single Docker container. (Typically a web application would be deployed as many containers but a single container is sufficient for our purposes.)

We also deploy the Project Syn container side-by-side with the DVWA container on the same Docker host. The Project Syn container collects security-related data about other containers on the same host (in this case the DVWA container) and forwards it to the Syn cloud service for analysis and alerting.

Here's the output of docker ps:

[Screenshot: docker ps output listing the DVWA and Project Syn containers]

Exploit, Payload Delivery and Execution

Among the many vulnerabilities in the DVWA is one that permits the upload and execution of malicious code disguised as image files.

We use the OWASP Zed Attack Proxy to exploit the vulnerability to install a malicious PHP file, bad.php, and execute it. The PHP file contains a small bit of code that when executed launches a Python process that connects to an external IP hosting a Remote Admin Tool (RAT). The Python process downloads a full payload from the external IP and executes it, giving the operator of the RAT full control over the container.

The Syn service raises alerts when it detects the launching of the malicious Python process:

[Screenshots: Syn alerts for the malicious Python process launch]

In addition, the Syn service raises alerts when it detects network traffic to the malicious external IP on ports 8080 and 443:

[Screenshot: Syn alerts for network traffic to the external IP on ports 8080 and 443]

Data Exfiltration

Once the payload is installed, the operator of the RAT has full control over the container and can do any number of things. In our case, we are using the open source Pupy RAT tool. We start an interactive shell on the container, dump the MySQL database to a file, and download it.

The Syn service detects the anomalous execution of the mysqldump process:

[Screenshot: Syn alert for the mysqldump process]

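Both the Python-process alert and the mysqldump alert above come down to the same idea: a container has a small, predictable set of processes, so a launch outside that set, or a web server spawning something it never normally spawns, is worth an alert. The following is an added example, not Project Syn's code; the baseline for the DVWA container, the event format and the sample exec events are all constructed to mirror the scenario.

```python
# Added example (not Project Syn's code): a baseline-driven process-launch
# detector for a container. Baseline, event format and events are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class ExecEvent:
    container: str    # name of the container the process runs in
    pid: int
    parent_comm: str  # executable name of the parent process
    comm: str         # executable name being launched

# Constructed baseline for a LAMP container at rest: which executables are
# expected at all, and which ones the web server process may spawn directly.
BASELINE = {
    "dvwa": {
        "expected": {"apache2", "mysqld", "mysqld_safe", "sh", "bash"},
        "webserver": "apache2",
        "webserver_children": {"apache2"},
    }
}

def check(event: ExecEvent, baseline=BASELINE) -> Optional[str]:
    """Return an alert reason, or None when the launch matches the baseline."""
    profile = baseline.get(event.container)
    if profile is None:
        return f"no baseline for container {event.container}"
    if event.comm not in profile["expected"]:
        return f"unexpected process {event.comm} (parent {event.parent_comm})"
    if (event.parent_comm == profile["webserver"]
            and event.comm not in profile["webserver_children"]):
        # a web server spawning a shell is how uploaded PHP reaches the OS
        return f"web server spawned {event.comm}"
    return None

def detect(events: List[ExecEvent]) -> List[Tuple[int, str]]:
    """Run check() over a stream of exec events; collect (pid, reason) alerts."""
    return [(e.pid, r) for e in events if (r := check(e)) is not None]

# Constructed exec events: normal forks, then the web server spawns a shell
# that launches python, and later mysqldump is run from that shell.
EVENTS = [
    ExecEvent("dvwa", 101, "apache2", "apache2"),     # normal worker fork
    ExecEvent("dvwa", 102, "mysqld_safe", "mysqld"),  # normal DB startup
    ExecEvent("dvwa", 203, "apache2", "sh"),          # web server -> shell
    ExecEvent("dvwa", 204, "sh", "python"),           # unexpected interpreter
    ExecEvent("dvwa", 305, "sh", "mysqldump"),        # unexpected dump tool
]

if __name__ == "__main__":
    for pid, reason in detect(EVENTS):
        print(f"ALERT pid={pid}: {reason}")
```
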
The Syn service also detects the data exfiltration through the producer-consumer ratio (PCR) metric.

The PCR metric tracks a normalized ratio of network bytes in and out of a component. Producers (PCR value between 0 and 1) have more data flowing out than in, while consumers (PCR value between -1 and 0) have more data flowing in than out. Components tend to have pretty stable PCR values over time.

In our scenario, the Syn service detected a significant change in the DVWA container's PCR. It changed from being a moderate producer (0.613) to being a strong producer (0.979) at the moment the database dump was downloaded.

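The PCR computation and the kind of shift detection described above, as an added example that is not Project Syn's code. It assumes the standard PCR formula (bytes out minus bytes in, divided by their sum), a constructed alert threshold of 0.25, and constructed byte counts chosen to reproduce the 0.613 and 0.979 values from the scenario.

```python
# Added example (not Project Syn's code). PCR is computed as
# (bytes_out - bytes_in) / (bytes_out + bytes_in), the standard producer-
# consumer ratio definition; that formula, the threshold and the byte counts
# below are assumptions constructed for illustration.
from typing import List, NamedTuple, Tuple

class Interval(NamedTuple):
    bytes_in: int   # bytes received by the container in this interval
    bytes_out: int  # bytes sent by the container in this interval

def pcr(bytes_in: int, bytes_out: int) -> float:
    """Producer-consumer ratio: +1 is a pure producer, -1 a pure consumer."""
    total = bytes_in + bytes_out
    if total == 0:
        return 0.0  # idle interval: neither producer nor consumer
    return (bytes_out - bytes_in) / total

def classify(value: float) -> str:
    if value > 0:
        return "producer"
    if value < 0:
        return "consumer"
    return "balanced"

def baseline_pcr(history: List[Interval]) -> float:
    """Byte-weighted baseline: PCR of the summed counters, so a few quiet
    intervals cannot drag the baseline around."""
    return pcr(sum(i.bytes_in for i in history),
               sum(i.bytes_out for i in history))

def pcr_shift(history: List[Interval], current: Interval,
              threshold: float = 0.25) -> Tuple[float, float, bool]:
    """Compare the current interval with the baseline; alert on a large move."""
    base = baseline_pcr(history)
    now = pcr(current.bytes_in, current.bytes_out)
    return base, now, abs(now - base) >= threshold

# Constructed counters: five normal intervals of page serving (a moderate
# producer), then one interval in which the database dump is downloaded.
NORMAL = [Interval(1935, 8065)] * 5
EXFIL = Interval(1050, 98950)

if __name__ == "__main__":
    base, now, alert = pcr_shift(NORMAL, EXFIL)
    print(f"baseline {base:.3f} ({classify(base)}), now {now:.3f} "
          f"({classify(now)}), alert={alert}")
```
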
Conclusion

The beauty of containers is that they are designed to be limited in function and behavior. As such, from a security perspective, we believe we can precisely model what the expected/normal behavior for any container should be, and raise targeted alerts when anomalies arise. We walked through a simplified scenario above of using Project Syn to detect the exploitation of a containerized web application.

If you're interested in giving Project Syn a spin, check out https://syn.rsa.com or the Getting Started video. Feedback is welcome!

Brian Girardi

WTF is WTF?

Posted by Brian Girardi, Sep 7, 2017

Dynamic analysis. Sandboxing. Is that all we got? Am I right?!?

Fact. Sandboxing is a necessity to understand malware behavior. It’s the de facto standard for our industry. However, for the average enterprise security team it feels overwhelming to consistently operationalize. In addition, for security vendors trying to keep up with the millions of samples that emerge daily, the infrastructure and expense needed to support and scale long-term may have no ceiling. Thousands of virtual hosts, each running for several minutes, not to mention deception techniques, dynamic IoCs, etc., etc., etc.: the long-term math to keep ahead of the malware problem just doesn’t seem to add up.

The concept for What's this file? was born from that perspective. Can we accurately detect and classify known and unknown malware without ever executing it? It seemed like a worthy challenge for RSA Labs.

RSA Labs developed novel techniques to identify and classify malware, and we packaged them into a cloud service that operates like your typical multi-scanner, but it's FAR from typical in approach. In addition, we bundled in a lightweight static-analysis UX to round out what we believe is a useful tool for security analysts.

What makes What's this File? different from other multi-scanner type services is:

  1. WTF does not execute the samples you submit.
  2. WTF does not use AV engines for analysis.
  3. WTF uses patented Attack Vector Inspection to identify malware droppers.
  4. WTF uses patented Malware Genealogy to identify malware from its descendants.
  5. WTF gives the analyst the ability to inspect hundreds of extracted file characteristics.

We would greatly appreciate your feedback on its effectiveness; we think it is pretty cool! If you can fool the service, let us know. And WTF is free to use!

Brian Girardi
VP, RSA Labs

Deployments of microservices and applications alike are changing rapidly, moving towards container-based environments. As this paradigm shift happens, similar to the paradigm shift with the advent of VMs, the IT security paradigm must also shift. RSA Labs created Project Syn as a test bed for enabling visibility and threat detection in Docker container environments. We believe that container-based technologies will be a well-adopted way for IT, DevOps and developers alike to create, manage and distribute new technologies. With every new technological advancement there comes inherent security risk.

Project Syn can help! If you’re a NetWitness for Logs customer, great, we can feed alert data directly into NetWitness. If not, that’s cool too! Our online dashboard will allow you to monitor the health of your Docker hosts, monitor alerts and drill down into pertinent metadata to help gain visibility into the threats your environments are facing. Advanced behavioral analytics techniques are being developed by our data science group to ensure the alerts are fine-tuned to the latest threats. We also leverage RSA Live Connect for current known malicious website blacklist data.

Project Syn works hard to protect your Docker Environments, but as always, there’s room for improvement!  Feedback is encouraged!  We’re always looking for ways to improve our value to our customers!  Best of all, Project Syn is free of charge!  All we ask is you install our lightweight container in your Docker environment and we’ll do the rest!

Interested?  Please visit https://syn.rsa.com for more information and to request access!

Thanks!

RSA Labs team!