Announcing StackRox Detect and Respond 2.0 with StackRox Adversarial Intent Model

Today, we are excited to announce the release of StackRox Detect and Respond 2.0, our container-native runtime security product, and StackRox Adversarial Intent Model, the foundation for our ongoing threat research and threat detection strategy.

While our previous 1.3 release focused on providing greater flexibility, configurability, and scalability for customers, version 2.0 expands the breadth and depth of our threat detection capabilities and adds advanced automation features to make it easier for enterprise customers to protect their container environments, whether they are running on-premise or in popular cloud service providers such as Amazon Web Services (AWS), Google Compute Platform (GCP), Microsoft Azure and others.

Here are the some of the feature highlights of StackRox Detect and Respond 2.0. You can also learn more by joining our webinar on Thursday, February 15th, 2018.

StackRox Adversarial Intent Model (AIM)

StackRox has assembled a world-class team of security researchers, hailing from elite organizations such as Palo Alto Networks, FireEye, Microsoft, Oracle, and the National Security Agency (NSA). Over the last three years, we have studied the nascent and rapidly-evolving container threat landscape in collaboration with CISOs and security leaders from large financial, digital media, and government organizations. We found that many of the existing frameworks used to characterize attacker behavior could be helpful at the tactical level, but fell short of forming the basis of a coherent detection strategy. To close the gap between existing approaches and what we knew was necessary to effectively address threats in a container-native world, we co-opted useful concepts from existing attack frameworks, invested effort in resolving the problems we saw in them, and constructed a tailored model of attacker behavior that would come to drive our ongoing threat research and detection strategy: the StackRox Adversarial Intent Model (AIM).

In brief, StackRox AIM condenses the countless low-level actions an adversary might execute against a target into five attack lifecycle phases: foothold, persistence, privilege escalation, lateral movement, and objectives. The diagram below illustrates an adversary’s movement through the five phases. The attacker begins by establishing a foothold and ends by achieving his or her objective; but the path between varies. It may be very direct or the adversary may progress through several iterations of the other three phases.

AIM diagram

**_StackRox Adversarial Intent Model includes five attack phases_**

The embodiment of this model in StackRox Detect and Respond provides a consistently-applicable abstraction that helps security operations teams prioritize investigative and responsive action by understanding:

  1. Tactical behavior: what an adversary needs to accomplish during each phase of an attack’s lifecycle; and
  2. Strategic intent: how the adversary’s progression through each phase of the lifecycle reveals important information about his or her ultimate level of intent in attacking a target.

StackRox AIM is central to our threat research and detection strategy. Our security research team studies the evolution of offensive tactics across each of the five attack phases. They work closely with our customers, leading security practitioners, and technology partners such as Google and Docker to prioritize new attacks according to their potential impact, integrating new rule- and ML-based detection capabilities into our platform as appropriate. The result is a runtime security product that is driven by offensive security research and purpose-built to detect the most relevant threats in the container world.

Expanded threat coverage

With StackRox AIM as the foundation of our detection strategy, StackRox Detect and Respond 2.0 is expanding the list of container attacks it can detect, including the following examples popular with our customers:

FootholdReverse shell invocation, Java-based code injection attacks
PersistenceDatabase persistence via post of database procedures, user persistence via modification of PAM configurations
Privilege EscalationExecution of setuid/setgid by non-root users
Lateral MovementAnomalous network communication with a client followed by payload execution or unexpected process cloning
ObjectivesCryptocurrency mining software, exfiltration of sensitive content via reading stored secrets or accessing confidential file paths

**_StackRox Detect and Respond 2.0 detects privilege escalation attack tactics_**

**_StackRox Detect and Respond 2.0 detects crypto-mining processes_**

Improved automation

As our customers continue to expand their adoption of container platform across their application portfolio, they will need to secure more and more containers over time. In order to streamline our deployment so customers can secure more containers faster with less manual work, StackRox Detect and Respond 2.0 delivers a number of important automation features.

In previous versions of the product, customers had to conduct benign and malicious training for the machine learning models in our product to effectively detect threats and distinguish them from normal application behavior. StackRox Detect and Respond 2.0 eliminates that step by automatically learning application behavior during runtime in order to establish baselines. It then alerts on anomalous activities that deviate from normal behavioral patterns and map to any of the five attack phases in StackRox AIM. The result is the unique ability to continuously adapt our threat detection and maintain a high level of efficacy while minimizing false positives, even as application behavior changes. Here is a subset of the tactics that StackRox Detect and Respond 2.0 can detect with our machine learning capabilities:

  • Privilege escalation: anomalous process launch, unexpected execution of “setuid” by processes, anomalous reads of secrets
  • Lateral movement: container’s unexpected communication with anomalous clients or unexpected process cloning
  • Objectives: observation of anomalies in the data transferred between containers

**_StackRox Detect and Respond 2.0 uses auto-tuned machine learning to detect lateral movement attack tactic - anomalous client communication_**

In order to improve efficiency across configuration and use, StackRox Detect and Respond 2.0 now leverages user-defined data directly from the orchestrator to automatically group services within applications, eliminating manual work for users.

**_StackRox Detect and Respond 2.0 automatically groups services into their corresponding applications based on orchestrator’s metadata_**

This enables immediate visibility into applications with no additional work required beyond defining applications in the orchestrator. This capability complements StackRox’s auto-discovery of all containers and services in the customer environment which drives instant visibility. Users now get more than just a container-centric view of their environment; they get a higher-level view of the environment at the application level.

**_StackRox Detect and Respond 2.0 shows alert at the application level_**

**_StackRox Detect and Respond 2.0 allows user to drill down into an application and see the alert affecting each of its underlying services_**

We are thrilled to offer customers expanded breadth and depth in threat detection and advanced automation with the release of StackRox Detect and Respond 2.0. There is still much more to come, so stay tuned to this blog and follow us on Twitter and LinkedIn for more exciting news.