
Thwarting Graboid and Protecting Containers with Zero Trust


By Dan Perkins, director of product management, Edgewise Networks

Recently, security researchers discovered a new worm that targets unsecured Docker daemons that are exposed to the Internet. The Unit 42 researchers at Palo Alto Networks estimate that it has already infected more than 2,000 containers, downloading a malicious Docker image that contains cryptomining software. The worm then queries for other vulnerable hosts, replicates itself and infects them as well.

The Unit 42 researchers at Palo Alto Networks named the worm “Graboid” in honor of the 1990 Kevin Bacon film because, as they write, it “behaves similarly to the sandworms in the movie, in that it moves in short bursts of speed, but overall is relatively inept.” That said, the researchers note that Graboid could easily be adapted as a delivery mechanism for other attacks, such as ransomware or data exfiltration, so it’s well worth looking into how to defend against it.

Certainly, the best way to protect Docker containers from this worm is to ensure they’re properly configured and not exposed to the public Internet. But relying on perfect configuration for container security isn’t a strong security stance — people make errors, so it’s critical to take measures that will secure the containers even if they are misconfigured.

Zero trust in containers through software identity

Zero trust provides a good model for defending against this worm and similar threats because it treats all internal communications as potentially hostile and so can stop unauthorized lateral movement inside networks. In zero trust, all communications between two network assets must be explicitly pre-authorized.

Zero trust is enabled by microsegmentation, but that’s very difficult to do in containers because traditional methods of microsegmenting a network depend on trusted IP addresses, and in autoscaling environments like containers and the cloud, IP addresses are ephemeral. IT would have to constantly update policies as IP addresses change, which is not only labor-intensive, but also carries a high risk of error, which could result in the creation of a vulnerability. The end result is a set of highly complex policies that are extremely cumbersome to manage.

There is a new model for microsegmentation, however, that relies on the identity of software, hosts and devices. In this way, we can separate the control plane from the network layer to enable the creation of policies that don’t break when the network changes. In this approach to microsegmentation, each network asset is assigned an immutable, unique identity based on dozens of properties of the asset itself, such as a SHA-256 hash of a binary, the UUID of the bios or serial numbers of processors. Because the identity is based on intrinsic attributes, this method prevents spoofed or altered software, devices and hosts from communicating.

The process for microsegmenting Docker environments

Here’s how microsegmentation for zero trust would work for containers using an identity model. First, IT needs to conduct an asset and communications pathway inventory, a complex task that’s best automated using artificial intelligence (AI) or machine learning (ML). Once complete, the security team should then identify unnecessary pathways and eliminate them to reduce the attack surface. Typically, more than 90 percent of a network’s communications pathways can be shut down without having any impact on the production environment. Next, IT must build identity-based policies that will essentially act as micro-perimeters around each asset. Again, policies are best created by leveraging AI and ML to ensure that the smallest number of policies cover the greatest number of sensitive assets.

To combat Graboid and other worms aimed at containers, the goal should be to prevent self-propagation through policies that block all inbound connections to the Docker daemon and protect against unauthorized access via secure shell (SSH) and other admin tools, such as Swarm and Kubernetes. The focus is to control admin tool access when managing Docker hosts at scale, blocking everything else from accessing Docker servers. Additionally, through behavioral analysis, the ML / AI platform could identify cryptomining containers as malicious based on network scanning behavior.
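The three steps above (inventory the pathways, eliminate the unnecessary ones, express the remainder as identity-based allow rules with everything else denied) can be shown end to end in a small simulation. The following is an added example written for this article, not code from Edgewise Networks or any product; it assumes an identity scheme of its own (a SHA-256 digest over the binary hash, BIOS UUID and CPU serial, with the IP address deliberately left out), uses 2375, Docker's default plaintext TCP API port, as the daemon port to protect (the article does not name a port), and all hosts, binaries and flows in it are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Docker's default plaintext TCP API port. Assumed here as the daemon port the
# policy protects; the article itself does not name a port number.
DOCKER_API_PORT = 2375

Pathway = Tuple[str, str, int]  # (source identity, destination identity, dst port)


@dataclass(frozen=True)
class Asset:
    """A host or workload described by intrinsic attributes (all values constructed)."""
    name: str
    binary: bytes      # bytes of the executable that opens or accepts the connection
    bios_uuid: str
    cpu_serial: str
    ip: str            # kept only to show that it plays no role in the identity

    def identity(self) -> str:
        # Digest over intrinsic attributes only. Re-addressing the host (autoscaling,
        # DHCP) leaves the identity unchanged; altering the binary, BIOS UUID or CPU
        # serial produces a different identity, so spoofed or tampered assets never
        # match an existing allow entry.
        material = {
            "binary_sha256": hashlib.sha256(self.binary).hexdigest(),
            "bios_uuid": self.bios_uuid,
            "cpu_serial": self.cpu_serial,
        }
        canonical = json.dumps(material, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canonical).hexdigest()


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt (constructed sample data)."""
    src: Asset
    dst: Asset
    dst_port: int


def inventory_pathways(flows: Iterable[Flow]) -> Set[Pathway]:
    """Step 1: reduce observed traffic to the distinct identity-level pathways."""
    return {(f.src.identity(), f.dst.identity(), f.dst_port) for f in flows}


class IdentityPolicy:
    """Default-deny allow list keyed by identities rather than addresses."""

    def __init__(self, allowed: Iterable[Pathway] = ()):
        self.allowed: Set[Pathway] = set(allowed)

    def permits(self, flow: Flow) -> bool:
        return (flow.src.identity(), flow.dst.identity(), flow.dst_port) in self.allowed


def build_policy(pathways: Set[Pathway], keep: Set[Pathway]) -> IdentityPolicy:
    """Steps 2 and 3: drop pathways judged unnecessary, then turn the remainder into
    explicit allow entries. Anything not listed, including every inbound connection
    to the Docker daemon from an unknown identity, is denied."""
    return IdentityPolicy(pathways & keep)


def evaluate(policy: IdentityPolicy, flows: Iterable[Flow]) -> List[Tuple[str, str, int, bool]]:
    """Return (src name, dst name, port, permitted) for each flow, for review."""
    return [(f.src.name, f.dst.name, f.dst_port, policy.permits(f)) for f in flows]


# --- constructed sample environment -------------------------------------------
DOCKER_HOST = Asset("docker-host-1", b"dockerd-sample-bytes", "uuid-host1", "CPU-0001", "10.0.1.20")
ADMIN = Asset("ops-jumpbox", b"docker-cli-sample-bytes", "uuid-jump", "CPU-0002", "10.0.9.5")
CI_RUNNER = Asset("ci-runner", b"curl-sample-bytes", "uuid-ci", "CPU-0003", "10.0.3.7")

# Same jumpbox after an IP change: identity must be unchanged.
ADMIN_MOVED = Asset("ops-jumpbox", b"docker-cli-sample-bytes", "uuid-jump", "CPU-0002", "10.0.9.77")
# Same jumpbox but its client binary has been altered: identity must differ.
ADMIN_TAMPERED = Asset("ops-jumpbox", b"docker-cli-sample-bytes+modified", "uuid-jump", "CPU-0002", "10.0.9.5")
# A host the inventory never saw, attempting to reach the daemon.
UNKNOWN = Asset("unknown-host", b"other-sample-bytes", "uuid-x", "CPU-9999", "10.0.3.99")

# Pathways observed during inventory: jumpbox -> daemon (needed), CI -> daemon (not needed).
OBSERVED = [Flow(ADMIN, DOCKER_HOST, DOCKER_API_PORT), Flow(CI_RUNNER, DOCKER_HOST, DOCKER_API_PORT)]


def demo_policy() -> IdentityPolicy:
    """Build the policy that keeps only the admin-tool pathway to the daemon."""
    pathways = inventory_pathways(OBSERVED)
    keep = {(ADMIN.identity(), DOCKER_HOST.identity(), DOCKER_API_PORT)}
    return build_policy(pathways, keep)


if __name__ == "__main__":
    policy = demo_policy()
    attempts = [Flow(a, DOCKER_HOST, DOCKER_API_PORT)
                for a in (ADMIN, ADMIN_MOVED, ADMIN_TAMPERED, CI_RUNNER, UNKNOWN)]
    for src, dst, port, ok in evaluate(policy, attempts):
        print(f"{src:>15} -> {dst}:{port}  {'ALLOW' if ok else 'DENY'}")
```

The point of the simulation is the last four decisions: the jumpbox is still allowed after its address changes, because the address is not part of the rule, while the tampered client, the eliminated CI pathway and the never-inventoried host are all refused without any rule naming them. A real deployment would collect the attribute material from the endpoint (or a host agent) rather than from constants, and would still need the daemon itself not to listen unauthenticated on the public Internet.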

With the advent of identity-based microsegmentation, security teams can finally extend zero trust to autoscaling environments such as containers, which will not only stop Graboid, but also any other threat from laterally moving from one host to another. It should become a standard security measure for protecting workloads in all enterprise networks, whether on-premises, in the cloud or in containers.

About the Author

Dan Perkins is Director of Products and Solutions for Edgewise Networks, where he oversees the direction and development of Edgewise’s zero-trust platform. Prior to Edgewise, Dan was Director of Product Management at Infinio, where he was responsible for product vision and the ongoing quality and applicability of Infinio’s solution. He also previously served in several software engineering and quality assurance roles for Citrix. Dan holds a B.S. in computer engineering from Northeastern University.


CISO MAG did not evaluate the advertised/mentioned product, service, or company, nor does it endorse any of the claims made by the advertisement/writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.