Your Backstop in Hardening Against Runtime Threats

March 25, 2023

It is important to find a way hardening your computer against runtime threats. Fortunately, there are plenty of resources available to help you get started. This article discusses some of the issues that you might face and provides recommendations to help you deal with them.

Problems

One of the more interesting tasks involved in running a modern day container cluster is defending against malware laden containers – and it is no small feat. In particular, applications that attempt to modify the container filesystem will have their work cut out for them. Fortunately, the NSA and CISA have provided a helpful checklist and checklist to help mitigate the risks associated with running a micro-services based container environment. The list is not exhaustive, but it should provide a solid foundation on which to build your container ecosystem. A good start is to implement a standardised set of best practices that can be refactored and re-evaluated when a new threat erupts.

Recommendations

Hardening against runtime threats means ensuring that your code is not susceptible to exploits. This can be done by separating parts of your application into multiple processes, using a low-level mechanism to restrict privileges, and decomposing your application into several components. You should also review your applications for vulnerabilities and update their dependencies to avoid introducing vulnerabilities.

It is important to protect your container images and your runtime from security loopholes. There are several methods for doing this, including dependency scanning, limiting access to running containers, and running the container inside a hypervisor. You can also use package management tools to provide warnings about problematic dependencies.

An application’s components should be separated from one another, and if they have a common interface, they should be granted different capabilities. This will reduce the risk of a flaw affecting all of the components. If some components require elevated privileges, you can limit them to run on a separate machine or on the same server.

References

References for hardening against runtime threats include memory protections and the use of return oriented programming techniques. These measures can limit the ability of an attacker to change the control of a mutable object during the course of a method. Other methods of limiting a container’s execution include preventing tampering with the container’s file system. The NSA/CISA Kubernetes Hardening Guidance highlights the need to use readOnlyRootFileSystem as a way to limit the damage of container tampering.

The NSA/CISA Kubernetes hardening guidance also recommends the use of tmpfs volume mounts to limit the read/write activity of an application. This will also help prevent crash situations. Having a read-only filesystem is also recommended to protect against anomalous behavior or post-exploitation activities.

In addition, it is advisable to separate programmatic interfaces from ease-of-use features, such as the ability to perform actions without a user’s input. While these can provide valuable convenience, they are not always appropriate for use in programming.

Ammar Fakhruddin

ABOUT AUTHOR

Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.


A Guide to Cybersecurity in a Virtual Office

A Guide to Cybersecurity in a Virtual Office

Explore the comprehensive guide to cybersecurity in a virtual office, covering essential strategies, best practices, and tools to safeguard your digital assets. Learn how to protect sensitive data, mitigate risks, and ensure the utmost security in today's remote work...

GnuTLS Follows OpenSS

GnuTLS Follows OpenSS

GnuTLS library adheres to the OpenSS (Open Source Security Suite) standard, a significant departure from the former GNU policy. Emacs becomes more secure by adhering to a more robust standard for cryptographic libraries. It also helps avoid confusion when working with...

Zero-day vulnerability in Fortinet FortiOS

Zero-day vulnerability in Fortinet FortiOS

Recently, cybercriminals and nation-states have been exploiting a zero-day vulnerability in Fortinet FortiOS' operating system to launch targeted cyberattacks against government entities. The flaw, CVE-2022-40684, allows attackers to bypass authentication by sending...

Recent Case Studies

Press Releases

News & Events

Solutions

Managed Security Services
Security & Privacy Risk Assessment
Cloud Platform Security
Incident Response & Business Continuity

Penetration Testing

Virtual CISO

Email Security & Phishing

Resources

Blog

About Us