Researching Binary Drift and AI Security

So the landscape of security is always changing, and as part of that I try to find new areas to keep up to date on. I recently read a great article on Binary Drift, and honestly it was a pretty eye-opening investigation.

What is Binary Drift?

So Binary Drift is what happens when a running container starts executing a binary that was not baked into its image. Now this can be intentional, but generally speaking it shouldn’t be.

From my perspective, when you build a container image, you are making a “contract” from an operations perspective: only the executables and processes in the container image on the registry should be executed at runtime. And if you accept that as the default, then any process running that was not built into the image should be treated as suspicious.

Now that all sounds like common sense, but it’s honestly a really hard problem to solve. From my perspective this is an extension of the Supply Chain problem in Software Security, but it sits on the right side of the problem rather than the left.

What is software supply chain?

When we look at the software supply chain, we are talking about how software gets to the production environment. The SolarWinds hack was a major cyber security incident in 2023 (read more here). The crux of that attack was that the hackers targeted a third-party solution and gained access to networks through that solution, the intention being to build the malware into a library or dependency that gets baked into a product and installed in the ultimate target network.

So what is the software supply chain? The idea is this. Take the following as a high-level software development process / supply chain:

flowchart TD
    A[Repo] --> B[Developer Machine]
    A --> C[CI / CD Pipeline]
    D[Dependencies] --> C
    C --> E[Dev Environment]
    E --> F[Test Environment]
    F --> G[Prod Environment]
    G --> H[Customer Environment]

The idea behind a supply chain attack is that you hit either the repo or a dependency that then gets baked into the total software solution. Now, there are lots of protections you can and should put in place for a supply chain process. Some of these include:

  • Signing commits from developers.
  • Performing SHA / hash checks on dependencies against known-good values.
  • Signing and validating container images that are being leveraged or deployed.
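The second bullet, checking a dependency’s hash against a known-good value, is simple enough to show end to end. The following is an added example and not code from the original post: it streams each artifact through SHA-256 and compares the result with a pinned manifest, reporting artifacts that match, that differ, and that have no pin at all (the last case is the one most build scripts silently let through). The artifact contents and the manifest are constructed for the example; in practice the pins would come from a lockfile or a signed manifest checked into the repo.

```python
import hashlib
import hmac
import io
from typing import BinaryIO, Dict

# Constructed pinned manifest: artifact name -> expected SHA-256 hex digest.
# The digest below is SHA-256 of the bytes b"abc", which stands in for a
# real release tarball in this example.
PINNED_DIGESTS: Dict[str, str] = {
    "libfoo-1.2.3.tar.gz": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    "libbar-0.9.0.tar.gz": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}

# Constructed artifact contents as they would be read from disk after download:
# libfoo matches its pin, libbar has been altered by one byte, and libbaz was
# never pinned at all.
SAMPLE_ARTIFACTS: Dict[str, bytes] = {
    "libfoo-1.2.3.tar.gz": b"abc",
    "libbar-0.9.0.tar.gz": b"abd",
    "libbaz-2.0.0.tar.gz": b"",
}


def sha256_of(stream: BinaryIO, chunk_size: int = 1 << 16) -> str:
    """Hash a file-like object in chunks so large artifacts never sit fully in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def verify_artifact(name: str, stream: BinaryIO, pinned: Dict[str, str]) -> str:
    """Return "ok", "mismatch" or "unpinned" for a single downloaded artifact."""
    expected = pinned.get(name)
    if expected is None:
        # No known-good value exists: the build cannot vouch for this dependency.
        return "unpinned"
    actual = sha256_of(stream)
    # compare_digest avoids timing differences leaking how much of the digest matched.
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def verify_artifacts(artifacts: Dict[str, bytes], pinned: Dict[str, str]) -> Dict[str, str]:
    """Verify every artifact; a real build would abort on anything other than "ok"."""
    return {
        name: verify_artifact(name, io.BytesIO(content), pinned)
        for name, content in artifacts.items()
    }


if __name__ == "__main__":
    for name, status in verify_artifacts(SAMPLE_ARTIFACTS, PINNED_DIGESTS).items():
        print(f"{status:9} {name}")
```

Treating "unpinned" as a failure, not a warning, is the design choice that matters: an attacker who can add a new dependency to a build does not need to defeat any hash check if unpinned artifacts are accepted by default.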

But these realistically only go so far. Let’s take the container image as an example. If a hacker is able to inject malware into a container image and get that image signed by a CA, then everywhere else in the assembly it becomes harder to validate and block the intrusion.

And if you add the malware directly into the container image, then you run the risk of it being detected during container vulnerability scans. So the next logical step for an attacker is to have the container pull down the malware on startup. And that’s what binary drift is: something running in a container that was not in the image.
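The “contract” described above, that only binaries baked into the image should execute at runtime, can be enforced as a detection rule. The following is an added example, not code from the original post or from any product mentioned here: it takes a manifest of the executables in the image (path and SHA-256 of each file) and a stream of process-exec events observed in the running container, and classifies each event as in-image, not in the image (the drift case the post describes), modified in place (an in-image path whose contents no longer match), or allowlisted for intentional exceptions such as a sidecar agent. The image manifest, container names and exec events are all constructed for the example; the event shape is an assumption, since real runtime sensors each have their own schema.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed image manifest: executable path -> SHA-256 of the file as shipped in
# the image. The byte strings stand in for real ELF binaries in this example.
IMAGE_MANIFEST: Dict[str, str] = {
    "/usr/bin/python3": sha256_hex(b"constructed python3 binary"),
    "/usr/bin/curl": sha256_hex(b"constructed curl binary"),
    "/app/server": sha256_hex(b"constructed application binary"),
}

# Paths that are expected to run even though they are not part of the image,
# e.g. an agent mounted in by the platform. Kept deliberately short.
ALLOWLIST: FrozenSet[str] = frozenset({"/opt/platform/agent"})


@dataclass(frozen=True)
class ExecEvent:
    container: str
    pid: int
    exe: str          # path of the executable as observed by the runtime sensor
    exe_sha256: str   # hash of that file at the moment it was executed


@dataclass(frozen=True)
class Finding:
    container: str
    pid: int
    exe: str
    verdict: str      # "ok", "allowlisted", "not-in-image" or "modified-in-image"


def classify(event: ExecEvent, manifest: Dict[str, str], allowlist: FrozenSet[str]) -> str:
    expected = manifest.get(event.exe)
    if expected is None:
        # Path does not exist in the image at all: classic binary drift unless allowlisted.
        return "allowlisted" if event.exe in allowlist else "not-in-image"
    if expected != event.exe_sha256:
        # Right path, wrong contents: an in-image binary was overwritten at runtime.
        return "modified-in-image"
    return "ok"


def detect_drift(events: Iterable[ExecEvent], manifest: Dict[str, str],
                 allowlist: FrozenSet[str] = frozenset()) -> List[Finding]:
    return [Finding(e.container, e.pid, e.exe, classify(e, manifest, allowlist)) for e in events]


def drift_alerts(events: Iterable[ExecEvent], manifest: Dict[str, str],
                 allowlist: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Only the two verdicts that violate the image contract are worth alerting on."""
    return [f for f in detect_drift(events, manifest, allowlist)
            if f.verdict in ("not-in-image", "modified-in-image")]


# Constructed exec events as a runtime sensor might report them for one container.
SAMPLE_EVENTS: List[ExecEvent] = [
    ExecEvent("web-1", 101, "/app/server", sha256_hex(b"constructed application binary")),
    ExecEvent("web-1", 230, "/opt/platform/agent", sha256_hex(b"constructed agent binary")),
    ExecEvent("web-1", 412, "/tmp/downloaded-binary", sha256_hex(b"constructed unknown binary")),
    ExecEvent("web-1", 519, "/usr/bin/curl", sha256_hex(b"constructed replaced curl binary")),
]


if __name__ == "__main__":
    for finding in detect_drift(SAMPLE_EVENTS, IMAGE_MANIFEST, ALLOWLIST):
        print(f"{finding.verdict:18} pid={finding.pid:<5} {finding.exe}")
```

Two caveats a practitioner would add: the manifest must be generated from the exact image digest that was deployed, not from the tag, or a rebuilt image produces a flood of false “modified-in-image” findings; and the allowlist should be reviewed like any other exception, because a path on it is precisely where drift would go unnoticed.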

What tools are available?

One of the areas I’ve been really impressed with is how much Defender for Cloud is able to do in this space. The benefit is that Defender can work in Azure, AWS, and Google Cloud, and it provides the ability to set up alerts and scanning for this type of activity and to configure the actions to be performed.

There’s a great article on setting up the policies here. For more information on the topic, I found this video helpful:
