Aqua Dynamic Threat Analysis (DTA) is the industry’s first container sandbox solution that dynamically assesses the risks of container images before they run. Aqua DTA runs container images in an isolated sandbox environment that monitors and detects indicators of compromise (IOC) such as container escapes, malware, crypto miners, code injection backdoors, network anomalies, and more.
Container images are a growing vector for external code to enter an organization. There is currently no practical way to test what an image will actually do when activated. Organizations are taking on a lot of risk by using externally built images. Aqua DTA provides a way to safely expose the risks an image might bring to your environments.
The following terms are key in understanding the scan results:
Behaviors and Findings: Aqua DTA runs and monitors container image behaviors by running the container in an isolated sandbox environment. The behaviors are classified by category and risk severity, so you can understand their context.
In addition, DTA provides evidence to substantiate each behavior. For example, a possible behavior might be “Detection of network activity without performing DNS lookup”; the evidence for this behavior could include the ID of the process that initiated the network activity, as well as the destination IP address.
Behaviors categories
Each behavior is classified by one of 5 categories. To align with the MITRE attack framework, each category is mapped to one or more MITRE categories.
Behavior category | Description | MITRE category mapping |
Initial Execution | Consists of techniques that use various entry vectors to gain their initial foothold Example: Crypto Mining binaries found in the image | Initial access, Execution |
Weaponization | Includes unusual techniques to gain more control Example: Privilege escalation and credential access | Persistence, Privilege escalation, Defense evasion, Credential access |
Propagation | Discovering local or remote resources to exploit them or perform lateral movement Example: Executing "Shodan search" on internet-connected devices in runtime | Discovery, lateral movement |
Communication | Suspicious network activity Example: Accessing an unreachable IP address might indicate communication with a C&C | Command and control |
Collection & Exfiltration | Collecting resources and reaching an end-game objective Example: Resource hijacking to validate transactions of cryptocurrency networks and earn virtual currency | Collection, Exfiltration, Impact |