StackRox Improves Container Security With Adversarial Intent Model

StackRox's Adversarial Intent Model (AIM) provides insight into how container attacks occur and what needs to be done to stop them.


Container security vendor StackRox announced its Detect and Respond 2.0 release on Jan. 31, providing an updated set of capabilities for organizations to help protect against security threats.

The StackRox Detect and Respond 2.0 update benefits from the new StackRox Adversarial Intent Model (AIM). AIM is a threat model that guides StackRox's threat research and detection strategy for the Detect and Respond product.

"AIM encompasses a number of phases that an attacker has to take to accomplish their objectives," Ali Golshan, cofounder and CTO for StackRox, told eWEEK. "AIM allows StackRox to focus on each of these phases and threat intelligence is just another input for improving detection efficacy at these stages."

StackRox first emerged from stealth in July 2017 with $14 million in venture capital funding. The company has been busy expanding its container security platform across multiple releases that have added incremental functionality. In October 2017, the StackRox 1.3 release debuted with enhanced detection rules.

With the new StackRox Detect and Respond 2.0 update, Golshan said that there will be additional attacks and threats that organizations will be able to detect, thanks to the AIM approach. He explained that five stages define the AIM model, with Foothold identified as the first stage. In the Foothold stage, attackers gain some form of initial access to a container environment. Golshan said that at this stage StackRox can now detect reverse shell invocation enabled by generic initial exploitation vectors, such as web and network-based exploits as well as Java-based code injection attacks.

The second stage of AIM is Privilege Escalation, where attackers elevate privileges to gain broader access. The third stage is Persistence, where attackers remain resident in a compromised container environment. That stage is followed by Lateral Movement, with attackers moving across a network to look for other valuable targets. The final stage of the AIM methodology is called Profit by StackRox and is the point at which an attacker is able to exfiltrate data or deploy a payload, such as cryptocurrency mining software, that will yield profit.

"Using AIM as the threat model, StackRox Detect and Respond can disrupt a majority of attacks at the foothold and persistence stages by first detecting the attack and then invoking enforcement functions," Golshan said. "However, the model is constructed with the expectation that breaches always happen, therefore, our approach is to ensure disruption of the overall attack process."

An increasingly common element in modern threat detection is the use of some form of deception technology to trick and track attackers. StackRox does not currently have a deception module as part of its security platform.

"Our goal is to enable customers to use solutions such as Kubernetes as a security orchestrator," Golshan said. "Then they can perform functions such as deception with their existing frameworks."

Though the AIM approach has five steps, Golshan emphasized that an organization doesn't need to wait until the final step before an attack is detected and blocked.

"StackRox Detect and Respond is designed to automatically respond at any stage when any threat or attacker is detected," he said.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.
