Full Report
Wiz extends its cloud-native runtime sensor to secure serverless containers, providing deep visibility, blocking, and hunting capabilities for AWS Fargate and Azure Container Apps.
Analysis Summary
# Tool/Technique: Wiz Runtime Sensor for Serverless Containers
## Overview
The Wiz runtime sensor is an extension to Wiz’s security platform designed to provide visibility, blocking, and threat hunting capabilities specifically within serverless container environments (AWS Fargate and Azure Container Apps - ACA). It addresses the visibility challenges inherent in serverless computing by monitoring runtime activities without requiring direct host access, supporting a defense-in-depth strategy.
## Technical Details
- Type: Tool/Security Capability
- Platform: AWS Fargate, Azure Container Apps (ACA)
- Capabilities: Deep process visibility, threat detection and response, custom rule creation, runtime hunting, vulnerability validation.
- First Seen: Not dated in the source; described there as a new extension of the existing Wiz sensor to serverless container platforms.
## MITRE ATT&CK Mapping
The article describes a defensive tool, so there is no adversary technique to map directly. The tactics below are those whose techniques the sensor's runtime telemetry (process, command and DNS events) is positioned to detect:
- **TA0001 - Initial Access** (post-exploitation activity that follows an initial compromise of the workload, visible through runtime monitoring)
- **TA0002 - Execution** (process and command monitoring inside the container)
- **TA0003 - Persistence** (unexpected processes or commands appearing after workload start-up)
- **TA0005 - Defense Evasion** (behaviour that deviates from the runtime baseline)
- **TA0006 - Credential Access** (suspicious process behaviour around credential material)
- **TA0011 - Command and Control** (DNS and network indicators)
Representative techniques the telemetry covers:
- **T1059 - Command and Scripting Interpreter** (shell or interpreter launches observed as process events)
- **T1071 - Application Layer Protocol** (DNS requests; sub-technique T1071.004 covers DNS specifically)
- **T1518 - Software Discovery** (enumeration commands observed as process events)
## Functionality
### Core Capabilities
- **Defense-in-Depth Strategy:** Extends security coverage across the entire serverless container lifecycle (from code to runtime).
- **Runtime Monitoring:** Uses **ptrace** to observe container processes from inside the task or app, because Fargate and ACA give the customer no host access (and so no way to load eBPF probes into the kernel). This is the serverless analogue of the eBPF sensor Wiz uses for Kubernetes and Linux hosts.
- **Threat Detection and Response:** Real-time detection and blocking capability using predefined and custom threat detection rules against malware, unwanted behaviors, and suspicious activity.
- **Runtime Hunting:** Centralized monitoring of all serverless container events (processes, commands, DNS requests) to proactively identify Indicators of Compromise (IOCs).
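The ptrace approach described above, as an added illustration rather than Wiz's sensor code: a minimal tracer that runs a command as a traced child, records every execve() at the kernel's exec stop, and kills the process if the new executable is on a denylist. The denylist, the basename match and the sample command in `main` are assumptions chosen for the demo; a production sensor would attach to already-running processes, follow forks and clones, and match on richer attributes than a name.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Basename of a path, for the toy denylist match below. */
static const char *base_name(const char *path) {
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* Policy check (demo assumption): match the executable's basename against a
 * denylist. A real sensor would match on canonical path, hash or behaviour. */
int exec_is_blocked(const char *exe_path, const char *const *denylist, size_t ndeny) {
    const char *name = base_name(exe_path);
    for (size_t i = 0; i < ndeny; i++)
        if (strcmp(name, denylist[i]) == 0)
            return 1;
    return 0;
}

/* Executable currently mapped into pid, read from procfs so the code does not
 * depend on the CPU register layout of the execve() arguments. */
static int exe_path_of(pid_t pid, char *buf, size_t len) {
    char link[64];
    snprintf(link, sizeof link, "/proc/%d/exe", (int)pid);
    ssize_t n = readlink(link, buf, len - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return 0;
}

/* Run argv as a traced child. Every execve() is reported at the
 * PTRACE_EVENT_EXEC stop, where the new image is loaded but has not yet run a
 * single user-space instruction; a denylisted image is killed there.
 * Returns the number of execve() calls observed, or -1 if tracing is not
 * available (e.g. ptrace denied by seccomp or Yama). *blocked is set to 1 if
 * an exec was killed. */
int trace_execs(char *const argv[], const char *const *denylist, size_t ndeny, int *blocked) {
    *blocked = 0;
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(126);
        raise(SIGSTOP);                 /* let the parent set options before we exec */
        execvp(argv[0], argv);
        _exit(127);
    }

    int status;
    if (waitpid(child, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    if (ptrace(PTRACE_SETOPTIONS, child, NULL,
               (void *)(long)(PTRACE_O_TRACEEXEC | PTRACE_O_EXITKILL)) < 0) {
        kill(child, SIGKILL);
        waitpid(child, &status, 0);
        return -1;
    }

    int count = 0, sig = 0;
    for (;;) {
        if (ptrace(PTRACE_CONT, child, NULL, (void *)(long)sig) < 0) return -1;
        if (waitpid(child, &status, 0) < 0) return -1;
        sig = 0;
        if (WIFEXITED(status) || WIFSIGNALED(status)) break;
        if (!WIFSTOPPED(status)) continue;

        if ((status >> 8) == (SIGTRAP | (PTRACE_EVENT_EXEC << 8))) {
            char exe[4096];
            if (exe_path_of(child, exe, sizeof exe) == 0) {
                count++;
                fprintf(stderr, "exec pid=%d exe=%s\n", (int)child, exe);
                if (exec_is_blocked(exe, denylist, ndeny)) {
                    *blocked = 1;
                    fprintf(stderr, "blocked: %s\n", exe);
                    kill(child, SIGKILL);       /* dies before its first instruction */
                    waitpid(child, &status, 0);
                    break;
                }
            }
        } else if (WSTOPSIG(status) != SIGTRAP && WSTOPSIG(status) != SIGSTOP) {
            sig = WSTOPSIG(status);             /* forward a real signal to the tracee */
        }
    }
    return count;
}

int main(int argc, char *argv[]) {
    if (argc < 2) { fprintf(stderr, "usage: %s cmd [args...]\n", argv[0]); return 2; }
    const char *const deny[] = { "nc", "ncat", "curl" };   /* demo denylist */
    int blocked = 0;
    int n = trace_execs(argv + 1, deny, 3, &blocked);
    printf("execve calls: %d, blocked: %d\n", n, blocked);
    return n < 0 ? 1 : blocked;
}
```

Build with `cc -o exectrace exectrace.c` and run `./exectrace sh -c 'curl http://example.invalid'` to see the `curl` exec reported and killed before it runs. Inside a Fargate task or Container App the same mechanism needs ptrace permission for the sensor process and, when deployed as a sidecar, a PID namespace shared with the application container; which of these the platform grants is a deployment-time check against the platform's current documentation.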
### Advanced Features
- **Custom Rules:** Ability to create tailored, complex rules at the project or environment level that can trigger specific response actions (generating findings, creating issues, or blocking behavior).
- **Expanded Cloud Detection and Response (CDR):** Leverages runtime behavioral baselines to detect anomalies, reduces detection noise, and correlates runtime events with control plane, data, identity, and PaaS metrics.
- **Vulnerability Validation at Runtime:** Determines the real-world exploitability of existing vulnerabilities within the active runtime environment for better remediation prioritization.
- **Deployment Flexibility:** The sensor can run as a sidecar container alongside the workload or embedded in the workload container itself.
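A toy version of the baseline-driven detection described under Expanded CDR and Runtime Hunting, added here as an example and not Wiz's own logic: events from a learning window populate a set of (workload, event kind, value) tuples, later events outside that set become findings, and a deviation that repeats collapses to one finding rather than one alert per occurrence. The event shape, the workload name `api` and all sample values are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

#define MAX_KEYS 64
#define KEY_LEN 128

/* One runtime event in the shape a sensor might emit: which workload it came
 * from, what kind of event it is, and the observed value. (Demo assumption.) */
typedef struct {
    const char *workload;   /* e.g. task definition or container app name */
    const char *kind;       /* "exec" or "dns" */
    const char *value;      /* executable basename or queried domain */
} rt_event;

/* A small set of "workload|kind|value" keys. */
typedef struct {
    char keys[MAX_KEYS][KEY_LEN];
    size_t n;
} key_set;

static void event_key(const rt_event *e, char *out, size_t len) {
    snprintf(out, len, "%s|%s|%s", e->workload, e->kind, e->value);
}

static int set_contains(const key_set *s, const char *key) {
    for (size_t i = 0; i < s->n; i++)
        if (strcmp(s->keys[i], key) == 0) return 1;
    return 0;
}

/* Returns 1 if added, 0 if already present, -1 if the set is full. */
static int set_add(key_set *s, const char *key) {
    if (set_contains(s, key)) return 0;
    if (s->n >= MAX_KEYS) return -1;
    snprintf(s->keys[s->n++], KEY_LEN, "%s", key);
    return 1;
}

/* Learning window: everything observed becomes part of the baseline. */
void baseline_learn(key_set *baseline, const rt_event *events, size_t n) {
    char key[KEY_LEN];
    for (size_t i = 0; i < n; i++) {
        event_key(&events[i], key, sizeof key);
        set_add(baseline, key);
    }
}

/* Detection window: any event whose key is outside the baseline is a finding.
 * Findings are kept as a set, so a repeated deviation yields one finding.
 * Returns the number of distinct findings. */
size_t baseline_evaluate(const key_set *baseline, const rt_event *events, size_t n,
                         key_set *findings) {
    char key[KEY_LEN];
    findings->n = 0;
    for (size_t i = 0; i < n; i++) {
        event_key(&events[i], key, sizeof key);
        if (!set_contains(baseline, key))
            set_add(findings, key);
    }
    return findings->n;
}

/* Constructed sample: a learning window for a hypothetical "api" task, then a
 * window containing a shell, a download tool and an unexpected DNS lookup. */
static const rt_event learn_window[] = {
    { "api", "exec", "node" },
    { "api", "dns",  "db.internal" },
    { "api", "dns",  "sts.amazonaws.com" },
};
static const rt_event detect_window[] = {
    { "api", "exec", "node" },
    { "api", "dns",  "db.internal" },
    { "api", "exec", "sh" },
    { "api", "exec", "curl" },
    { "api", "dns",  "pastebin.com" },
    { "api", "exec", "curl" },          /* repeat: collapsed into the earlier finding */
    { "api", "dns",  "pastebin.com" },  /* repeat: collapsed into the earlier finding */
};

/* Runs the sample through learn + evaluate and returns the finding count. */
size_t run_sample(key_set *findings) {
    key_set baseline = { .n = 0 };
    baseline_learn(&baseline, learn_window, sizeof learn_window / sizeof learn_window[0]);
    size_t n = baseline_evaluate(&baseline, detect_window,
                                 sizeof detect_window / sizeof detect_window[0], findings);
    for (size_t i = 0; i < n; i++)
        printf("finding: %s\n", findings->keys[i]);
    return n;
}

int main(void) {
    key_set findings;
    return run_sample(&findings) == 3 ? 0 : 1;
}
```

The sample yields three findings (`api|exec|sh`, `api|exec|curl`, `api|dns|pastebin.com`) from seven events, which is the noise-reduction effect the summary refers to: the baseline suppresses the known-good events and the set semantics suppress the repeats. Keying on the workload is what makes the baseline per-environment; a real implementation would also age out the baseline and treat a missing learning window as a reason not to alert.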
## Indicators of Compromise
This summary focuses on a defensive tool; therefore, the IOCs listed below are **behavioral** indicators that the *tool is designed to detect*, rather than indicators generated *by* the tool itself.
- File Hashes: [Not specified, as this is a defensive sensor]
- File Names: [Not specified, tool monitors executions]
- Registry Keys: [Not applicable to primary Linux/Container environments unless observing Windows containers]
- Network Indicators: [Detection of suspicious DNS requests or C2 traffic patterns within the container session]
- Behavioral Indicators: Malicious processes, unwanted behaviors, suspicious command execution paths, deviations from runtime behavioral baselines.
## Associated Threat Actors
- [No specific threat actors are mentioned as using this tool. This is a defensive product.]
## Detection Methods
The Wiz Runtime Sensor *is* the detection method:
- Signature-based detection: Via custom and predefined threat detection rules.
- Behavioral detection: Via runtime behavioral baselines and monitoring of processes, commands, and DNS requests.
- YARA rules: [Not mentioned in the source. The custom rules it describes are expressed over runtime events (processes, commands, DNS requests) rather than file-content signatures.]
## Mitigation Strategies
Mitigation is achieved through the sensor's active response capabilities:
- Prevention measures: Blocking of complex threats and unwanted behaviors based on rule triggers.
- Hardening recommendations: Runtime vulnerability validation helps prioritize patching efforts based on actual exploitability risk.
- Response: Ability to generate findings, create issues, or block malicious behavior immediately upon detection.
## Related Tools/Techniques
- **eBPF Sensor:** The technology used by Wiz for Kubernetes and Linux workloads, serving as an analogue to the serverless ptrace-based sensor.
- **Wiz Runtime Sensor (General):** The precursor/existing version covering Kubernetes and Linux workloads.
- **AWS Fargate / Azure Container Apps (ACA):** The target execution environments.