Full Report
We are excited to announce the addition of the Wiz Sensor to Wiz for Gov’s ATO. The lightweight, eBPF-based sensor improves risk prioritization, deepens threat detection, and adds runtime protection for container hosts and VMs.
Analysis Summary
# Tool/Technique: Wiz Runtime Sensor (eBPF-based)
## Overview
The Wiz Runtime Sensor is a lightweight component designed to provide deep, real-time context and runtime protection for cloud-native, highly ephemeral workloads (VMs and containers) within the Wiz Cloud Native Application Protection Platform (CNAPP). It is implemented using eBPF technology to ensure restricted, host-safe operation.
## Technical Details
- Type: Tool (Runtime Security Component for a CNAPP)
- Platform: Cloud workloads (Virtual Machines and Kubernetes environments/Containers)
- Capabilities: Real-time threat detection, Hybrid File Integrity Monitoring (FIM), runtime response actions (blocking), threat hunting data collection, vulnerability validation using runtime signals.
- First Seen: Not stated in the source; the announcement highlights only its addition to Wiz for Gov.
## MITRE ATT&CK Mapping
The functionality described maps to several tactics related to detection and response at the execution level on the host:
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (implied, by detecting tampering/drift)
- **TA0003 - Persistence**
  - T1564.001 - Hidden Files and Directories (implied via FIM; sub-technique of T1564)
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol (implied, by detecting reverse shells)
- **TA0005 - Defense Evasion / TA0003 - Persistence**
  - T1564 - Hide Artifacts (implied, by monitoring for unauthorized changes)
- **TA0040 - Impact / TA0002 - Execution**
  - No single technique; covered by the custom threat detection rules (malware, reverse shells, container escapes)
## Functionality
### Core Capabilities
- **Lightweight Deployment:** Deployed easily via a single click on the console for VMs, or via a unified Helm chart as a DaemonSet for Kubernetes.
- **eBPF Implementation:** Runs as eBPF programs inside the kernel, where the eBPF verifier constrains what the sensor can do; it therefore cannot crash the host, and it is designed not to degrade host performance.
- **Runtime Threat Detection:** Detects and responds in real-time to threats such as malware, reverse shells, log tampering, container drift, and container escapes.
- **Unified Context:** Correlates runtime signal data with existing cloud activity and audit logs for comprehensive threat prioritization.
### Advanced Features
- **Runtime Vulnerability Validation:** Enriches agentless vulnerability assessments with runtime signals and SBOM information, confirming whether the vulnerable packages identified are actually used by running workloads.
- **Hybrid File Integrity Monitoring (FIM):** Combines the depth of runtime FIM with the coverage of agentless FIM, allowing for unified policy enforcement and automated responses (creating findings, issues, or immediate blocking).
- **Automated Runtime Response Policies:** Allows users to configure automated blocking actions for high-certainty threats, providing immediate defense without manual intervention.
- **Threat Hunting and Forensics:** Captures and retains execution data and full process tree information for every protected host, facilitating root cause analysis and forensic investigations.
## Indicators of Compromise
(Note: This is a description of a security tool, so no IOCs for the sensor itself are provided. Instead, the types of malicious behavior it is designed to detect are listed.)
- File Hashes: N/A (the sensor matches known-malicious file hashes internally; none are published here)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (the sensor flags C2 traffic associated with detected reverse shells; no specific addresses or domains are published)
- Behavioral Indicators:
  - Execution of unauthorized malware.
  - Establishment of reverse shells.
  - Attempted log tampering or manifest changes.
  - Unauthorized container escape attempts.
  - Container drift (unauthorized configuration changes).
## Associated Threat Actors
- N/A (This is a defensive technology addition, not a threat actor tool. It is designed to help defend against various threat actors targeting cloud environments.)
## Detection Methods
- Signature-based detection (Uses predefined rules for known threats like malware).
- Behavioral detection (Monitors process trees, file access patterns, and execution context).
- YARA rules: N/A (Not explicitly mentioned, but custom rules can be created for detection).
## Mitigation Strategies
- **Deployment of Wiz Runtime Sensor:** Enables active, real-time telemetry and runtime protection.
- **Automated Response:** Using runtime response policies to block high-certainty threats immediately, without waiting for manual intervention.
- **Contextual Prioritization:** Using the correlation between runtime signals and cloud context to triage and focus remediation efforts on actively exploited vulnerabilities.
- **FIM Control:** Implementing unified policies via the Wiz sensor to detect and control unauthorized file changes.
## Related Tools/Techniques
- Agentless Cloud Security Posture Management (CSPM) (The baseline component of Wiz).
- Software Bill of Materials (SBOM) analysis (Used in conjunction with runtime validation).
- Traditional Host-based Intrusion Detection Systems (HIDS) (The sensor provides cloud-native runtime augmentation to these concepts).