Your Backstop in Hardening Against Runtime Threats

March 25, 2023

It is important to find a way hardening your computer against runtime threats. Fortunately, there are plenty of resources available to help you get started. This article discusses some of the issues that you might face and provides recommendations to help you deal with them.

Problems

One of the more interesting tasks involved in running a modern day container cluster is defending against malware laden containers – and it is no small feat. In particular, applications that attempt to modify the container filesystem will have their work cut out for them. Fortunately, the NSA and CISA have provided a helpful checklist and checklist to help mitigate the risks associated with running a micro-services based container environment. The list is not exhaustive, but it should provide a solid foundation on which to build your container ecosystem. A good start is to implement a standardised set of best practices that can be refactored and re-evaluated when a new threat erupts.

Recommendations

Hardening against runtime threats means ensuring that your code is not susceptible to exploits. This can be done by separating parts of your application into multiple processes, using a low-level mechanism to restrict privileges, and decomposing your application into several components. You should also review your applications for vulnerabilities and update their dependencies to avoid introducing vulnerabilities.

It is important to protect your container images and your runtime from security loopholes. There are several methods for doing this, including dependency scanning, limiting access to running containers, and running the container inside a hypervisor. You can also use package management tools to provide warnings about problematic dependencies.

An application’s components should be separated from one another, and if they have a common interface, they should be granted different capabilities. This will reduce the risk of a flaw affecting all of the components. If some components require elevated privileges, you can limit them to run on a separate machine or on the same server.

References

References for hardening against runtime threats include memory protections and the use of return oriented programming techniques. These measures can limit the ability of an attacker to change the control of a mutable object during the course of a method. Other methods of limiting a container’s execution include preventing tampering with the container’s file system. The NSA/CISA Kubernetes Hardening Guidance highlights the need to use readOnlyRootFileSystem as a way to limit the damage of container tampering.

The NSA/CISA Kubernetes hardening guidance also recommends the use of tmpfs volume mounts to limit the read/write activity of an application. This will also help prevent crash situations. Having a read-only filesystem is also recommended to protect against anomalous behavior or post-exploitation activities.

In addition, it is advisable to separate programmatic interfaces from ease-of-use features, such as the ability to perform actions without a user’s input. While these can provide valuable convenience, they are not always appropriate for use in programming.

Ammar Fakhruddin

ABOUT AUTHOR

Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.


Preparing Businesses for AI-Powered Security Threats

Preparing Businesses for AI-Powered Security Threats

Preparing businesses for AI-powered security threats. Stay ahead of evolving cybersecurity challenges with proactive strategies and advanced technologies. When AI goes wrong, the repercussions can be devastating. They range from the loss of life if an AI medical...

Reducing CISOs’ Risk with Data Broker Management

Reducing CISOs’ Risk with Data Broker Management

Reducing CISOs' risk with data broker management. Explore strategies to enhance cybersecurity and safeguard sensitive information in the digital landscape. Every time you use a search engine, social media app or website, buy something online or even fill out a survey...

Vulnerability Prediction with Machine Learning

Vulnerability Prediction with Machine Learning

Advance vulnerability prediction with machine learning. Explore how AI can enhance proactive cybersecurity measures to mitigate potential risks. Machine learning is a field devoted to understanding and building methods that let machines “learn” – that is, methods that...

Recent Case Studies

Mid-size US based firm working on hardware development and provisioning, used DevOps-as-a-...
One of the fastest growing providers of wealth management solutions partnered to build a m...
A US based software startup working on the advancements in genomics diagnostics and therap...

Press Releases

News & Events

Solutions

Managed Security Services
Security & Privacy Risk Assessment
Cloud Platform Security
Incident Response & Business Continuity

Penetration Testing

Virtual CISO

Email Security & Phishing

Resources

Blog

About Us