Wiz's custom runtime rules and runtime response policies add new layers to your defense-in-depth strategy.
# Tool/Technique: Custom Runtime Rules and Runtime Response Policies (Wiz)
## Overview
This summary describes new features released by Wiz—Custom Runtime Rules and Runtime Response Policies—which are designed to implement a defense-in-depth strategy specifically for cloud environments by providing real-time threat detection and automated response capabilities based on process and behavioral monitoring.
## Technical Details
- Type: Framework/Feature Set (Detection and Response Capabilities)
- Platform: Cloud Workloads (via Wiz runtime sensor)
- Capabilities: Real-time monitoring, creation of customizable detection rules using Boolean/string operators and regex, integration with automated response actions (blocking or simulation).
- First Seen: Not specified (Recent release by Wiz)
## MITRE ATT&CK Mapping
The described capabilities are defensive, so they do not map to ATT&CK as adversary behaviour; the tactics below are those whose techniques the custom rules could detect and the response policies could block.
- **TA0011 - Command and Control** (relevant if monitoring network behavior facilitates blocking C2 attempts)
  - T1071 - Application Layer Protocol
- **TA0005 - Defense Evasion** (relevant if response policies block evasion techniques)
  - T1036 - Masquerading
- **TA0003 - Persistence** (relevant if response policies block processes related to persistence mechanisms)
  - T1543 - Create or Modify System Process
- **TA0007 - Discovery** (relevant for monitoring discovery activities)
  - T1082 - System Information Discovery
- **TA0008 - Lateral Movement** (relevant if response policies interrupt movement attempts)
  - T1021 - Remote Services
## Functionality
### Core Capabilities
- **Custom Runtime Rules:** Allow users to create highly flexible detection rules evaluated by the Wiz runtime sensor based on process events.
- **Response Policies:** Enable automated response actions (blocking or simulation) when a threat is detected by a custom rule or categorized as a high-confidence threat (e.g., malware, malicious IOCs).
- **Event Monitoring:** Detections focus on process execution, network connections, DNS queries, network listening activity, and the initiating actor (the process that started the activity).
### Advanced Features
- **Complex Rule Creation:** Rules can incorporate Boolean operators, string operators, and regular expressions for nuanced detection logic.
- **Automated Blocking:** Immediate mitigation of high-certainty threats, improving scalability and reducing manual intervention in security operations.
- **Rule Scoping:** Rules can be globally applied or scoped down by specific projects.
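To make the rule model concrete, the following is an added illustration of how rules built from Boolean, string and regex operators can be evaluated against sensor events, scoped to projects, and tied to a block or simulate response policy. It is not Wiz's rule language or sensor code: the event schema, operator names, rule format, project names and every sample event are assumptions constructed for this example.

```python
"""Toy model of custom runtime rules with block/simulate response policies.

Added illustration only. The event fields, operator names, rule format and
all sample data below are assumptions made for this example, not Wiz's.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class RuntimeEvent:
    """One runtime event as a sensor might report it (assumed schema)."""
    kind: str            # "exec", "connect", "dns" or "listen"
    project: str         # scoping unit, e.g. a cloud project or account
    actor: str           # initiating (parent) process name
    process: str         # process that performed the action
    cmdline: str = ""
    dest: str = ""       # remote host or queried domain name
    port: int = 0


Cond = Callable[[RuntimeEvent], bool]


# String and numeric operators over a single event field.
def equals(field: str, value: str) -> Cond:
    return lambda e: getattr(e, field) == value


def contains(field: str, value: str) -> Cond:
    return lambda e: value in str(getattr(e, field))


def matches(field: str, pattern: str) -> Cond:
    rx = re.compile(pattern)  # compiled once, at rule-build time
    return lambda e: rx.search(str(getattr(e, field))) is not None


def at_least(field: str, minimum: int) -> Cond:
    return lambda e: int(getattr(e, field)) >= minimum


# Boolean operators that combine conditions.
def all_of(*conds: Cond) -> Cond:
    return lambda e: all(c(e) for c in conds)


def any_of(*conds: Cond) -> Cond:
    return lambda e: any(c(e) for c in conds)


def not_(cond: Cond) -> Cond:
    return lambda e: not cond(e)


@dataclass(frozen=True)
class RuntimeRule:
    name: str
    condition: Cond
    action: str                            # "block" or "simulate"
    projects: Optional[frozenset] = None   # None means applied globally

    def in_scope(self, event: RuntimeEvent) -> bool:
        return self.projects is None or event.project in self.projects


def evaluate(rules: List[RuntimeRule], event: RuntimeEvent) -> List[Tuple[str, str]]:
    """Return (rule name, outcome) for every in-scope rule that fires.

    Outcome is "blocked" under a block policy and "would_block" under a
    simulation policy, which records the match without enforcing it."""
    hits = []
    for rule in rules:
        if rule.in_scope(event) and rule.condition(event):
            hits.append((rule.name, "blocked" if rule.action == "block" else "would_block"))
    return hits


def decision(rules: List[RuntimeRule], event: RuntimeEvent) -> str:
    """Single enforcement decision: block if any block rule fired, else allow."""
    return "block" if any(o == "blocked" for _, o in evaluate(rules, event)) else "allow"


# Constructed rules for illustration (not vendor defaults).
RULES = [
    RuntimeRule("shell-spawned-by-web-server",
                all_of(equals("kind", "exec"),
                       matches("actor", r"^(nginx|httpd|node)$"),
                       matches("process", r"^(sh|bash|dash)$")),
                action="block"),
    RuntimeRule("unexpected-listener-prod",           # scoped to one project
                all_of(equals("kind", "listen"), at_least("port", 1024),
                       not_(any_of(equals("process", "node"), equals("process", "nginx")))),
                action="simulate", projects=frozenset({"prod"})),
    RuntimeRule("dns-outside-internal-zone",
                all_of(equals("kind", "dns"), not_(matches("dest", r"\.example\.internal$"))),
                action="simulate"),
]

# Constructed sample events (assumed values).
EVENTS = [
    RuntimeEvent("exec", "prod", actor="nginx", process="sh", cmdline="sh -c uptime"),
    RuntimeEvent("listen", "prod", actor="systemd", process="python3", port=4444),
    RuntimeEvent("listen", "dev", actor="systemd", process="python3", port=4444),
    RuntimeEvent("dns", "prod", actor="app", process="curl", dest="updates.example.internal"),
    RuntimeEvent("dns", "prod", actor="app", process="curl", dest="cdn.example.com"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(f"{ev.kind:7}{ev.project:5}{ev.process:8}-> {decision(RULES, ev):5} {evaluate(RULES, ev)}")
```

Two design points worth noting: rules are compiled once (regexes included) and evaluated per event, so the cost of rich matching is paid at rule-build time; and simulation rules contribute to `evaluate` but never to `decision`, which is how a new rule can be watched against live traffic before it is promoted to blocking.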
## Indicators of Compromise
Since this is a description of a *detection framework* rather than a specific malware sample, typical IOCs are not provided. The system is designed to *detect* common IOCs and behaviors:
- File Hashes: Not applicable (Detection targets process behavior)
- File Names: Not applicable (Detection targets process behavior)
- Registry Keys: Not applicable (Focus is on runtime/process events)
- Network Indicators: Detection covers outbound connections and DNS queries (specific IOCs would be used *within* custom rules).
- Behavioral Indicators: Process execution, network connections, DNS lookups, network listening, actor identification.
## Associated Threat Actors
Not applicable. This describes a defensive capability provided by Wiz.
## Detection Methods
The methods described are the *mechanism* for detection:
- Signature-based detection: Not explicitly mentioned, but rule matching supports signature-like logic (exact string matches on process attributes, evaluated in the context of the running process).
- Behavioral detection: **Primary focus.** Monitoring process activity, network activity, and process lineage (the initiating actor).
- YARA rules: Not mentioned as directly integrated, but complex string matching is supported.
## Mitigation Strategies
The entire feature set serves as mitigation:
- Prevention measures: Automated blocking capability halts malicious processes instantly upon detection.
- Hardening recommendations: Applying tailored, environment-specific runtime rules across cloud workloads. Encouraging integration of detection with response playbooks.
## Related Tools/Techniques
- Cloud Workload Protection Platform (CWPP) Runtime Monitoring Tools
- Endpoint Detection and Response (EDR) systems (in terms of behavioral focus)
- Cloud Native Application Protection Platforms (CNAPP) features focusing on runtime security.