Full Report
The Wiz Runtime Sensor for Kubernetes graduates to general availability with proven ability to detect cloud attacks, greater customization for detections, and new cloud-native response capabilities
Analysis Summary
## Tool/Technique: Wiz Runtime Sensor
## Overview
The Wiz Runtime Sensor is a cloud-native security solution designed to provide real-time threat detection and response capabilities for containerized workloads, extending to modern Linux workloads running on cloud virtual machines. Its purpose is to act as a "last line of defense" in cloud environments, monitoring residual risk, identifying threats with high accuracy across cloud layers, and enabling immediate, infrastructure-context-aware actions to stop unfolding attacks.
## Technical Details
- Type: Tool (Runtime Security Agent/Sensor)
- Platform: Cloud-native workloads (Containers, modern Linux VMs)
- Capabilities: Real-time threat detection, anomaly detection, container forensics, runtime execution data analysis, automated response playbooks, vulnerability validation in use.
- First Seen: Public Preview in Summer (year not stated in the source; the context implies a recent release)
## MITRE ATT&CK Mapping
*Note: Since the Sensor is a defensive tool, its mapping relates to the threats it detects, such as Pyloose and cryptomining incidents.*
- **TA0001 - Initial Access** (Implied detection coverage)
- **T1190 - Exploit Public-Facing Application** (Detection of exploitation attempts leading to runtime activity)
- **TA0003 - Persistence** (Detection of suspicious background activity)
- **TA0005 - Defense Evasion** (Detection of attempts to hide activity, relevant to Pyloose’s fileless nature)
- **TA0006 - Credential Access** (Detection of privilege escalation attempts)
- **TA0011 - Command and Control** (Detection of outbound C2 communication)
## Functionality
### Core Capabilities
- Real-time threat detection across cloud-native workloads.
- High-fidelity alerting on threats observed at runtime.
- Streamlined investigation via container forensics and runtime execution data, providing full infrastructure context and blast radius assessment.
- Greater customization through tunable detection rules.
- Integration of runtime validation to assess vulnerabilities actively being used by workloads (e.g., validating Log4j usage).
### Advanced Features
- **Anomaly Detections:** Increase alert severity for novel and unexpected actions, aiding in identifying zero-day or variant attacks.
- **Immediate Response Playbooks:** Cloud-native response actions such as isolating the impacted node or removing excessive permissions to rapidly limit threat impact.
- **Correlation:** Ability to correlate suspicious container activity with privilege escalation attempts on the container and in the associated cloud environment.
- **Fileless Attack Detection:** Successfully detected campaigns like Pyloose, which is noted as the first publicly documented Python-based fileless attack on cloud workloads.
## Indicators of Compromise
*Note: The article focuses on the capabilities of the sensor that detected these IOCs, rather than listing the specific IOCs themselves.*
- File Hashes: [Not specified in the context]
- File Names: [Not specified in the context]
- Registry Keys: [Not specified in the context]
- Network Indicators: [Not specified in the context]
- Behavioral Indicators: Suspicious activity on the container correlated with privilege escalation attempts; cryptomining activity; Python-based fileless execution.
## Associated Threat Actors
- Adversaries utilizing **Pyloose** (Python-based fileless attack methodology).
- Threat actors involved in **Cryptojacking Attacks** (Summer 2023 campaigns mentioned).
## Detection Methods
- Signature-based detection: Implied through the sensor's tunable detection rules, though the emphasis is on anomaly and behavioral detection.
- Behavioral detection: Anomaly detections; detection of suspicious runtime activity and process behaviors.
- YARA rules: [Not specified in the context]
## Mitigation Strategies
- Customizable ignore rules to tune detections for specific business environments.
- Immediate response actions: Isolating impacted nodes.
- Immediate response actions: Removing excessive permissions.
- Proactive risk removal (when combined with agentless capabilities for defense-in-depth).
## Related Tools/Techniques
- Wiz Agentless Solution (Provides broader coverage, complementing the deep, real-time coverage of the Sensor).
- General Cloud Security Platforms providing unified defense-in-depth.