Introduction #
Runtime security involves monitoring and analyzing activities within applications, enabling the detection of insecure behaviors across various facets like file operations, network communications, process execution, and memory usage. Ideally, runtime security controls should be integrated throughout the application development process, identifying and addressing security risks during development and testing stages prior to deployment in production environments. Nonetheless, organizations should also adopt a defense-in-depth approach, continuously monitoring applications in production to guard against both new zero-day vulnerabilities and known vulnerabilities that might have been overlooked during development. By actively observing high-risk behavior in real time, DevOps and security teams can promptly identify and respond to potential security threats, while mitigating application vulnerabilities. This approach facilitates comprehensive visibility into workloads, enabling the detection of malicious activities, unauthorized access attempts, anomalous behavior, and other indicators of compromise.
5 Reasons To Implement Runtime Security #
-
Detect and Mitigate Real-Time attacks
-
Identify and remediate vulnerabilities before deployment
-
Compliance and regulatory requirements
-
Defense-in-Depth Approach
-
Reduce Software Composition Analysis noise and false positives with runtime usage and reachability
You can find more information about runtime security, challenges in implementing it and how makes it easy for organizations to adopt it in our whitepaper, Next-Generation Container Runtime Security.
Deepfactor Runtime Security #
The Deepfactor Developer Security platform offers a modern approach to runtime security that provides runtime security analysis during development and testing, runtime correlation with SCA and container scanning, and runtime monitoring during production. Deepfactor has developed a unique, patented approach to API interception that provides rich insight into application behavior to help developers, QA engineers, and security teams find and fix vulnerabilities faster. Deepfactor dynamically injects a small library in the user space of each container’s operating system that monitors hundreds of system calls, library calls, and Web APIs. In addition, Deepfactor auto-detects languages and inserts language-specific interception that provide a deeper level of analysis (to provide language-aware stack traces for Java and Python, for example). Deepfactor is able to correlate the low-level telemetry information with higher level language-specific information to not only detect vulnerabilities but also provide pinpoint locations in the code where the developer can focus. This makes it easier for developers to identify the root of the issue and remediate it quickly, without having to manually triage and debug the issue. This approach not only saves developers time but also motivates them to adopt the tool since it provides results with minimal effort.
With a single command, Deepfactor seamlessly loads a robust language-agnostic library into cloud native workloads and environments to provide comprehensive container runtime security. Deepfactor can be deployed in the cloud or on-premises with self-managed Kubernetes, managed Kubernetes (e.g. EKS Fargate), non-Kubernetes container orchestration tools (e.g. Amazon ECS, Docker Swarm, Lambda), and traditional monolithic non-containerized applications. With Deepfactor, there are no host-based agents to install, no sidecar containers, and no kernel modules to install, simplifying and accelerating deployment.
Runtime security controls in Deepfactor #
Deepfactor has developed a flexible rule engine which makes it possible for us to quickly add alert rules to detect anomalous/suspicious behaviors. Our team of experienced security professionals have curated an extensive set of rules which are documented below. This list is dynamic and we keep introducing new alert rules to detect new suspicious behaviors based on new vulnerabilities and internal/external security research.
|
Title |
Description |
Security Category |
Compliance Category |
PCI |
SOC2 Type II |
NIST |
|
Alert on outgoing connection to selected countries |
This control defines a list of countries. When an outgoing connection is made to a country in the list, an alert will be generated. |
Insecure Network Behavior |
Secure Network |
1.2.1 |
CC6.6 |
CA-3(5),SC-7(5),SC-7(11) |
|
Alert on incoming connection from selected countries |
This control configures the list of countries that will trigger an alert when an incoming connection is made from a country in the list. |
Insecure Network Behavior |
Secure Network |
1.2.1 |
CC6.6 |
CA-3(5),SC-7(5),SC-7(11) |
|
Alert if the application makes an outgoing connection to an address not previously resolved via DNS |
If enabled, this control will trigger an alert if the instance attempts to create an outgoing connection to any IP address that it did not receive as a response from a previous DNS query. It is uncommon for applications to make connections to raw IP addresses; such behavior is sometimes seen when an attacker compromises an application, however. |
Insecure Network Behavior |
Secure Network |
1.3 |
|
SC-7(8) |
|
Alert if application receives a connection from an IP address not defined in the CIDR allowlist |
If enabled, this policy will generate an alert if the application receives a connection from an IP address not defined in the CIDR allowlist (eg, an incoming connection from outside the application’s private network). By default, the allowlist contains the CIDRs referenced from RFC1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and CG NAT RFC6598 (100.64.0.0/10). However, you can edit the allowlist and enter any valid CIDRs depending upon your application’s network environment. |
Insecure Network Behavior |
Secure Network |
1.2.1 |
CC6.6 |
CA-3(5),SC-7(5),SC-7(11) |
|
Alert if application makes an outbound connection to an IP address not defined in the CIDR allowlist |
If enabled, this policy will generate an alert if the application initiates an outbound network connection to an IP address not defined in the CIDR allowlist (eg, a connection to a host outside the application’s private network). By default, the allowlist contains the CIDRs referenced from RFC1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and CG NAT RFC6598 (100.64.0.0/10). However, you can edit the allowlist and enter any valid CIDRs depending upon your application’s network environment. |
Insecure Network Behavior |
Secure Network |
1.2.1 |
CC6.6 |
CA-3(5),SC-7(5),SC-7(11) |
|
Alert when files with long pathnames are being opened |
If enabled, this control will alert if an open of a filename whose length exceeds 1024 characters is attempted. |
Improper Use Of System Calls |
|
|
|
|
|
Alert on usage of ioctl (device I/O control) |
If enabled, this control will cause an alert to be generated when the application uses the ioctl library/system call. This is an indication that the application is attempting to control a hardware device (or pseudo-device). Use of this function by network-facing services is uncommon, and may indicate the application has been attacked. |
Improper Use Of System Calls |
Secure Coding |
6.5.1 |
PI1.1-5 |
SA-1,SA-15 |
|
Alert on execution of suspicious process |
If enabled, this control will cause an alert to be generated when the application attempts to execute certain sensitive programs. These programs (for example, ‘passwd’ or various shells), are generally not used by common network-facing services and may indicate the application has been attacked and coerced into executing a program on the attacker’s behalf. The default list provided contains common exfiltration tools used by an attacker. |
Insecure Execution |
|
|
|
|
|
Alert if program executes a new process from an uncommon path |
If enabled, this control will generate an alert if a process executes a new program from a directory not typically associated with executable code (for example, /var, /tmp, /etc). Well written applications will not do this; this behavior can be seen if an attacker locates a writable directory in which shellcode can be placed, and uses that location as a staging point to further compromise an application. |
Insecure Execution |
Secure Coding |
6.5.1 |
PI1.1-5 |
SA-1,SA-15 |
|
Alert if process UID changes unexpectedly |
If enabled, this control will alert if the user ID associated with the application changed unexpectedly without the application requesting such a change. This may indicate application compromise or a LPE (local privilege escalation). |
Privilege Escalation |
Security Monitoring |
10.6-10.6.2 |
CC7.2 |
|
|
Alert if process GID changes unexpectedly |
If enabled, this control will alert if the group ID associated with the application changed unexpectedly without the application requesting such a change. This may indicate application compromise or a LPE (local privilege escalation). |
Privilege Escalation |
Security Monitoring |
10.6-10.6.2 |
CC7.2 |
|
|
Alert on use of setuid |
If enabled, this control will generate an alert if the application uses the setuid or seteuid APIs. |
Privilege Escalation |
Secure Coding |
6.5.1 |
PI1.1-5 |
SA-1,SA-15 |
|
Alert on use of setgid |
If enabled, this control will generate an alert if the application uses the setgid or setegid APIs. |
Privilege Escalation |
Secure Coding |
6.5.1 |
PI1.1-5 |
SA-1,SA-15 |
|
Alert when attempting to terminate another process |
If enabled, this control will generate an alert if the application attempts to signal another application with SIGKILL or SIGABRT. This may be used by an attacker to terminate a variety of security products by terminating their daemon or monitoring processes. |
Insecure Execution |
Secure Coding |
6.5.1 |
PI1.1-5 |
SA-1,SA-15 |
|
Alert when application uses unsafe string APIs |
If enabled, this control will generate an alert when the application uses unsafe string manipulation APIs (eg, APIs which do not do proper string length checking). These APIs are notorious for causing buffer overflow vulnerabilities, making it much easier for an attacker to take control of an application. |
Buffer Overflow |
Secure Coding |
6.5.1 |
PI1.1-5 |
SA-1,SA-15 |
|
Alert when application uses unsafe random number APIs |
If enabled, this control will generate an alert when the application uses unsafe random number generation APIs. Many applications rely on APIs for generating random numbers that are actually deterministic, creating a scenario that can weaken software that utilizes encryption or otherwise depends on strong entropy. |
Insecure Execution |
Secure Coding |
6.5.1 |
PI1.1-5 |
SA-1,SA-15 |
|
Alert on use of setfsuid |
If enabled, this control will generate an alert if the application uses the setfsuid/setfsgid APIs. |
Privilege Escalation |
Secure Coding |
6.5.1 |
PI1.1-5 |
SA-1,SA-15 |
|
Alert on use of setreuid/setgroups |
If enabled, this control will generate an alert if the application uses the setreuid/setregid/setresuid/setresgid/setgroups APIs. |
Privilege Escalation |
Secure Coding |
6.5.1 |
PI1.1-5 |
SA-1,SA-15 |
|
Alert if application changes LD_LIBRARY_PATH after startup |
If enabled, this control will generate an alert when the application alters the LD_LIBRARY_PATH environment variable after program start. This may indicate the application is possibly using incorrect library versions. |
Privilege Escalation |
|
|
|
|
|
Alert if a process is running with elevated permissions (root) |
If enabled, an alert will be raised if a process in the application is detected as running as root (uid 0 or group 0). |
Insecure Execution |
Security Monitoring |
10.6-10.6.2 |
CC7.2 |
|
|
Indicate if the application closes already closed sockets/files |
If enabled, this control will generate an alert if the application issues a close() API request on a socket or file descriptor that is either invalid or already closed. |
Improper Use Of System Calls |
Secure Coding |
6.5.1 |
PI1.1-5 |
SA-1,SA-15 |
|
Alert when files are truncated in /var/log |
If enabled, this control will generate an alert when a file is truncated in /var/log. This may be an indication that an attacker is attempting to prune system or application logs or otherwise manipulate log content. |
Insecure File System Behavior |
Secure Coding |
6.5.1 |
PI1.1-5 |
SA-1,SA-15 |
|
Alert when files are deleted in selected directories |
If enabled, this control will generate an alert when a file is deleted in the specified directories. Deleting files in /var folder may be an indication that an attacker is attempting to prune system or application logs or otherwise manipulate log content. |
Remote Code Execution |
Secure Coding |
6.5.1 |
PI1.1-5 |
SA-1,SA-15 |
|
Alert when files are modified in suspicious path |
If enabled, this control will generate an alert when a file is modified in suspicious path. This may be an indication that an attacker is attempting to prune system or application logs or otherwise manipulate log content. |
Insecure File System Behavior |
Secure Coding |
6.5.1 |
PI1.1-5 |
SA-1,SA-15 |
|
Alert when sensitive files are read |
If enabled, this control will generate an alert when a sensitive file is opened for reading. |
Insecure File System Behavior |
Secure Configuration |
2.2.2 |
|
CM-7 |
|
Alert when application writes to files in /proc |
If enabled, this control will generate an alert when an application attempts to write to files in /proc. Files in /proc can be used to alter system behavior and are generally not written to by well written applications. |
Insecure File System Behavior |
Secure Coding |
6.5.1 |
PI1.1-5 |
SA-1,SA-15 |
|
Alert when application writes to files in /sys |
If enabled, this control will generate an alert when an application attempts to write to files in /sys. Files in /sys can be used to alter system behavior and are generally not written to by well written applications. |
Insecure File System Behavior |
Secure Coding |
6.5.1 |
PI1.1-5 |
SA-1,SA-15 |
|
Alert when application uses the mknod API |
If enabled, this control will generate an alert when an application uses the mknod API. The mknod api is used to create device special files, which can be used to subsequently alter hardware behavior. |
Insecure File System Behavior |
Secure Coding |
6.5.1 |
PI1.1-5 |
SA-1,SA-15 |
|
Alert if application adds executable permission to a file |
If enabled, this control will generate an alert if the application attempts to update the permissions of a file with ‘X’ (executable) bit set. This may be an attempt by an attacker to create shellcode on the machine. |
Remote Code Execution |
Secure Coding |
6.5.1 |
PI1.1-5 |
SA-1,SA-15 |
|
Alert if application creates a file with executable permissions |
If enabled, this control will generate an alert if the application attempts to create a file whose ‘X’ (executable) bit is set. This may be an attempt by an attacker to create shellcode on the machine. |
Remote Code Execution |
Secure Coding |
6.5.1 |
PI1.1-5 |
SA-1,SA-15 |
|
Alert on memory W^X violation |
If enabled, this control will generate an alert if the application attempts to allocate memory with both writable and executable permissions simultaneously. Allocating W+X memory is a technique used by attackers when uploading shellcode into a hollowed process (a process that has been the victim of a previous vulnerability exploit). |
Remote Code Execution |
Secure Coding |
6.5.1 |
PI1.1-5 |
SA-1,SA-15 |
|
Alert when a program requests allocation of uninitialized memory |
If enabled, this control will generate an alert if the application attempts to allocate memory and have the operating system not clear the memory first. |
Insecure Memory Behavior |
Secure Coding |
6.5.1 |
PI1.1-5 |
SA-1,SA-15 |
|
Alert if program loads a library that is not part of a package (at program start time) |
If enabled, this control will generate an alert if a process loads a library that was not installed via the operating system’s package manager (apt/yum/dnf, for example). This technique is sometimes used by an attacker to load executable code that was placed on the machine surreptitiously or through covert means. |
Insecure Library Behavior |
Security Monitoring |
10.6-10.6.2 |
CC7.2 |
|
|
Alert if program loads a library from a uncommon path |
If enabled, this control will generate an alert if a process loads a library from a directory not typically associated with library or executable code (for example, /var, /tmp, /etc). Well written applications will not do this; this behavior can be seen if an attacker locates a writable directory in which shellcode can be placed, and uses that location as a staging point to further compromise an application. |
Insecure Library Behavior |
Secure Coding |
6.5.1 |
PI1.1-5 |
SA-1,SA-15 |
|
Alert if the LD_PRELOAD environment variable contains suspicious entries |
If enabled, this control will generate an alert if a process is executed using an LD_PRELOAD environment variable setting that contains directories not typically associated with library or executable code (for example, /var, /tmp, /etc). Well written applications will not do this; this behavior can be seen if an attacker locates a writable directory in which shellcode can be placed, and uses that location as a staging point to further compromise an application. |
Insecure Execution |
Secure Coding |
6.5.1 |
PI1.1-5 |
SA-1,SA-15 |
|
Alert if the LD_LIBRARY_PATH environment variable contains suspicious entries |
If enabled, this control will generate an alert if a process is executed using an LD_LIBRARY_PATH environment variable setting that contains directories not typically associated with library or executable code (for example, /var, /tmp, /etc). Well written applications will not do this; this behavior can be seen if an attacker locates a writable directory in which shellcode can be placed, and uses that location as a staging point to further compromise an application. |
Insecure Execution |
Secure Coding |
6.5.1 |
PI1.1-5 |
SA-1,SA-15 |
|
Alert if program loads a library that is not part of a package (during run) |
If enabled, this control will generate an alert if a process loads a library that was not installed via the operating system’s package manager (apt/yum/dnf, for example). This technique is sometimes used by an attacker to load executable code that was placed on the machine surreptitiously or through covert means. |
Insecure Library Behavior |
Security Monitoring |
10.6-10.6.2 |
CC7.2 |
|
|
Alert when uncommon/risky environment variable names detected |
If enabled, this control will generate an alert if environment variables commonly used in debugging environments or environment variables used for authentication are detected. This may indicate a mistake or improperly configured environment. |
Insecure Execution |
Secure Coding |
6.5.1 |
PI1.1-5 |
SA-1,SA-15 |
|
Alert when uncommon/risky environment variable values detected |
If enabled, this control will generate an alert on application start when any environment variable’s value matches the patterns defined in the control. |
Secrets |
Secure Configuration |
3.5-3.5.4,3.6-3.6.8 |
CC6.1 |
|
|
Alert if an EOL (end-of-life) OS distribution is detected |
If enabled, this control will alert if the node on which the application is running is using a distribution that is out of support (End Of Life). |
End Of Life |
Vulnerability Management |
6.2.b |
|
SI-2,SI-3(2) |
|
Alert when a directory under a system binary directory is created |
If enabled, this control will generate an alert if an application creates a directory under a system binary directory. |
Insecure File System Behavior |
|
|
|
|
|
Alert when a file under a system binary directory is renamed or removed |
If enabled, this control will generate an alert if an application renames or removes a file under a system binary directory. |
Insecure File System Behavior |
|
|
|
|
|
Alert when a directory is created under root (/) or the root user’s home directory (/root) |
If enabled, this control will generate an alert if an application creates a directory under root (/) or the root user’s home directory (/root). |
Insecure File System Behavior |
|
|
|
|
|
Alert when an SSH configuration file is modified |
If enabled, this control will generate an alert if an application modifies an SSH configuration file. |
Insecure File System Behavior |
|
|
|
|
|
Alert when a shell configuration file is read by a non-shell program |
If enabled, this control will generate an alert if a shell configuration file is read by a non-shell program. |
Insecure Execution |
|
|
|
|
|
Alert when a cron job is scheduled by writing to /etc/cron |
If enabled, this control will generate an alert if a cron job is scheduled by writing to /etc/cron |
Insecure File System Behavior |
|
|
|
|
|
Alert when a cron job is scheduled by running crontab |
If enabled, this control will generate an alert if a cron job is scheduled by running crontab |
Insecure Execution |
|
|
|
|
|
Alert when a repository list is changed |
If enabled, this control will generate an alert if a repository list is changed. |
Insecure Execution |
|
|
|
|
|
Alert when an outbound SSH connection is made |
If enabled, this control will generate an alert if an outbound SSH connection is made to an IP address not listed in the alert policy. |
Insecure Network Behavior |
|
|
|
|
|
Alert when an SSH configuration file is read |
If enabled, this control will generate an alert if an application reads an SSH configuration file. |
Insecure File System Behavior |
|
|
|
|
|
Alert when a database program launches another process |
If enabled, this control will generate an alert if a database program launches another process |
Insecure Execution |
|
|
|
|
|
Alert when a process performs network operations that typically does not do so |
If enabled, this control will generate an alert if a process performs network operations that typically does not do so |
Insecure Network Behavior |
|
|
|
|
|
Alert when a user management process is launched |
If enabled, this control will generate an alert if a user management process is launched |
Insecure Execution |
|
|
|
|
|
Alert when a device node is created under /dev |
If enabled, this control will generate an alert if a device node is created under /dev |
Insecure Execution |
|
|
|
|
|
Alert when an application contacts a cloud metadata service |
If enabled, this control will generate an alert if a process contacts a cloud metadata service |
Insecure Network Behavior |
|
|
|
|
|
Alert when netcat is launched |
If enabled, this control will generate an alert if netcat is launched |
Insecure Execution |
|
|
|
|
|
Alert when the shell history is cleared |
If enabled, this control will generate an alert if the shell history is cleared |
Insecure File System Behavior |
|
|
|
|
|
Application created/renamed hidden files or directories |
If enabled, this control will generate an alert if an application creates or renames a file or directory with a name that starts with a dot |
Insecure File System Behavior |
|
|
|
|
|
Alert when a remote copy application launched |
If enabled, this control will generate an alert if a remote copy application is launched |
Insecure Execution |
|
|
|
|
|
Use of setns to change thread namespace |
If enabled, this control will cause an alert to be generated when the application is in a container and uses the setns api to change its thread namespace. This may indicate an attempt to escape the container sandbox. |
Privilege Escalation |
Security Monitoring |
10.6-10.6.2 |
CC7.2 |
|
|
Application launched pkexec |
If enabled, this control will cause an alert to be generated when the application launches the pkexec process |
Privilege Escalation |
Security Monitoring |
10.6-10.6.2 |
CC7.2 |
|
|
Application launched a shell |
If enabled, this control will cause an alert to be generated when the application launches a shell process (for example, bash, ksh, csh, dash, etc). |
Insecure Execution |
|
|
|
|
|
UDP traffic detected |
If enabled, this control will cause an alert to be generated when the application listens or prepares to transmit data using the UDP protocol. The UDP protocol is not a common protocol for normal Internet-facing web applications and may indicate the application has been compromised. |
Insecure Network Behavior |
Secure Network |
1.2.1 |
CC6.6 |
CA-3(5),SC-7(5),SC-7(11) |
|
Application redirected its input/output to a socket |
If enabled, this control will cause an alert to be generated when the application redirects stdin/stdout to a connected socket. |
Insecure Execution |
Security Monitoring |
10.6-10.6.2 |
CC7.2 |
|
|
Application created a hard link over a sensitive file |
If enabled, this control will cause an alert to be generated when the application creates a filesystem hard link over a sensitive file |
Insecure File System Behavior |
Secure Coding |
6.5.1 |
PI1.1-5 |
SA-1,SA-15 |
|
Process launched with disallowed HTTP_PROXY setting |
If enabled, this control will cause an alert to be generated when a process is started whose HTTP_PROXY environment is set to a disallowed value |
Insecure Network Behavior |
Secure Network |
1.2.1 |
CC6.6 |
CA-3(5),SC-7(5),SC-7(11) |
|
Kernel module inserted |
If enabled, this control will cause an alert to be generated when a process inserts/loads (or attempts to insert/load) a kernel module. |
Improper Use Of System Calls |
Secure Coding |
6.5.1 |
PI1.1-5 |
SA-1,SA-15 |
|
Page fault requested to be delievered to userfaultfd handler |
If enabled, this control will cause an alert to be generated when the application requests page fault notifications to be delivered to a usermode process (userfaultfd api) |
Insecure Execution |
|
|
|
|
|
Package manager process launched |
If enabled, this control will cause an alert to be generated when an attempt is made to launch a package manager process (dpkg, rpm, etc). |
Insecure Execution |
|
|
|
|