Full Report
Wiz announces its Runtime Sensor for Linux, expanding coverage of threat detection and response for cloud workloads.
Analysis Summary
# Tool/Technique: Wiz Runtime Sensor for Linux
## Overview
The Wiz Runtime Sensor for Linux is a lightweight, eBPF-based agent that provides real-time threat detection and response for cloud workloads running on Linux hosts. Its purpose is to give deep visibility into runtime activity so that novel attack techniques common in cloud-native environments can be detected and acted on.
## Technical Details
- Type: Tool
- Platform: Linux Hosts (Cloud workloads)
- Capabilities: Real-time monitoring of processes, network connections, file activity, and system calls; custom rule creation; automated response ranging from alerting to blocking; contextual correlation of runtime signals with workload, cloud activity, and audit logs.
- First Seen: Public preview launch (the announcement gives no date; context implies recent and ongoing development).
## MITRE ATT&CK Mapping
*Note: As a defensive tool, the sensor itself does not map directly to offensive TTPs. Its purpose is to detect techniques used by adversaries.*
The tool is designed to detect activities mapped across several tactics, including but not limited to:
- **TA0001 - Initial Access**
- **TA0003 - Persistence**
- **TA0005 - Defense Evasion**
- **TA0007 - Credential Access**
- **TA0008 - Lateral Movement**
- **TA0011 - Command and Control**
- **TA0018 - Impact**
Specific detections mentioned target behaviors like cryptocurrency miners, ransomware, and remote shells.
## Functionality
### Core Capabilities
- **eBPF-based Agent:** Lightweight deployment providing deep kernel-level visibility.
- **Real-time Monitoring:** Tracks running processes, network connections, file modifications, and system calls.
- **Threat Detection:** Detects known threats (miners, ransomware, remote shells) and emerging cloud-native attack techniques.
- **Contextual Correlation:** Unifies runtime signals with cloud environment activity and audit logs for comprehensive threat understanding.
### Advanced Features
- **Custom Runtime Rules:** Users can define bespoke detection rules evaluated instantly on the sensor.
- **Automated Response:** Capabilities to automatically block known malware or malicious processes based on configured policies.
- **Vulnerability Enrichment:** Uses runtime signals to enhance agentless vulnerability assessments, aiding in risk prioritization (blast radius analysis).
## Indicators of Compromise
*Note: As a defensive sensor, it does not generate IoCs related to its deployment, but rather detects IoCs related to underlying threats.*
- File Hashes: N/A (Relies on dynamic detection)
- File Names: N/A (Relies on dynamic detection)
- Registry Keys: N/A (Linux-focused)
- Network Indicators: N/A for the sensor itself; it detects known C2 patterns associated with the malware and remote shells it identifies (these are detection outputs, not indicators of the sensor, so defanging does not apply).
- Behavioral Indicators: Unauthorized system calls, unusual process execution (e.g., cryptocurrency miners), and network connections from compromised workloads indicative of remote access or C2.
## Associated Threat Actors
The tool is designed to defend against a wide array of threat actors engaging in cloud compromise, including those employing advanced cloud-native evasion and exploitation techniques. The article specifically calls out defense against actors using **cryptocurrency miners, ransomware, and remote shells**.
## Detection Methods
- **Behavioral Detection:** Primary mechanism, leveraging deep visibility into system calls, process lineage, and network flow via eBPF.
- **Signature/Rule-Based Detection:** Utilizes continuously updated rule sets targeting specific cloud and Kubernetes attack patterns.
## Mitigation Strategies
- **Real-time Blocking:** Response policies that immediately halt malicious processes detected by the sensor.
- **Contextual Risk Prioritization:** Runtime insights used to prioritize remediation of vulnerabilities according to their active exploitation risk.
- **Unified Visibility:** The correlated data stream used to quickly identify the scope and blast radius of an attack.
## Related Tools/Techniques
- **eBPF Technologies:** The underlying technology enabling deep, low-overhead system introspection.
- **Cloud Workload Protection Platforms (CWPP):** Fits within the category of advanced runtime security monitoring tools.
- **Agentless Scanning:** The sensor complements agentless vulnerability assessment by adding critical runtime context.