Aqua Dynamic Threat Analysis (DTA) is the industry’s first container sandbox solution that dynamically assesses the risks of container images before they run. Aqua DTA runs container images in an isolated sandbox environment that monitors and detects indicators of compromise (IOC) such as container escapes, malware, crypto miners, code injection backdoors, network anomalies, and more.
Container images are a growing vector for external code to enter an organization. There is currently no practical way to test what an image will actually do when activated. Organizations are taking on a lot of risk by using externally built images. Aqua DTA provides a way to safely expose the risks an image might bring to your environments.
The following terms are key in understanding the scan results:
Behaviors and Findings: Aqua DTA runs and monitors container image behaviors by running the container in an isolated sandbox environment. The behaviors are classified by category and risk severity, so you can understand their context.
In addition, DTA provides evidence to substantiate each behavior. For example, a possible behavior might be “Detection of network activity without performing DNS lookup”; the evidence for this behavior could include the ID of the process that initiated the network activity, as well as the destination IP address.
Each behavior is classified by one of 5 categories. To align with the MITRE attack framework, each category is mapped to one or more MITRE categories.
MITRE category mapping
Consists of techniques that use various entry vectors to gain their initial foothold
Example: Crypto Mining binaries found in the image
Initial access, Execution
Includes unusual techniques to gain more control
Example: Privilege escalation and credential access
Persistence, Privilege escalation, Defense evasion, Credential access
Discovering local or remote resources to exploit them or perform lateral movement
Example: Executing "Shodan search" on internet-connected devices in runtime
Discovery, lateral movement
Suspicious network activity
Example: Accessing an unreachable IP address might indicate communication with a C&C
Command and control
Collection & Exfiltration
Collecting resources and reaching an end-game objective
Example: Resource hijacking to validate transactions of cryptocurrency networks and earn virtual currency
Collection, Exfiltration, Impact