Catching vulnerable components in the software development and build process helps to ensure that applications are as secure as possible when they are published. But it’s not enough, as vulnerabilities can be found at any time, often long after the application was deployed to production.
The widely employed shift-left method of testing and tackling potential security problems may not be enough in such cases, and fishing for vulnerabilities one by one is an arduous task. There’s a need for a systematic approach and a good one at that.
With this in mind, we sat down to talk to Owen Garrett, Head of Products and Community at Deepfence – an application security provider. He told us about how Deepfence’s ThreatMapper helps discover, evaluate, and categorize existing vulnerabilities, assisting greatly in dealing with potential threats efficiently.
How did the idea of Deepfence originate? What has your journey been like so far?
Deepfence began at a time when there was enormous innovation in “shift left”, addressing security vulnerabilities as early as possible in the development cycle. We observed that “shift left” alone was not enough. While application owners put their faith in eliminating known vulnerable components when an application was shipped, attackers continued to exploit late-breaking and zero-day vulnerabilities with devastating effects.
AppSecurity teams were charged with observing applications for signs of weakness and intrusion, but the tools they had were outdated and misaligned with the nature of modern, cloud-native applications. We saw a clear need for innovation, to create a security observability platform that could monitor cloud-native apps at runtime, build a threat map to inform teams where the weakest points were and track attacker behavior.
In hindsight, our perspective has a lot in common with a classic heist movie. The villains are planning a multi-stage offensive to investigate and infiltrate the city, position their resources carefully, plan their escape, and only then will they mount their attack. They hope to do all of this undetected, under the nose of the city mayor.
Deepfence plays the role of the detective in this heist movie. We learn the landscape and its weaknesses, identifying immediate security improvements. We see subtle signals that other people miss. We then piece this together to understand what is happening in the city, track threats, and identify attacks as they begin to unfold. We help keep enterprises well ahead of the prospective attacker roaming their applications’ “city streets.”
Can you introduce us to your ThreatMapper platform? What are the main issues it helps solve?
ThreatMapper is an open-source platform that identifies and prioritizes threats in your production infrastructure and applications. Security teams use it to reduce the risk posed by vulnerable components that were missed by “shift left” processes or may have been introduced through third-party and infrastructure code, and late-breaking and zero-day vulnerabilities. It’s common to see a majority of an enterprise application’s codebase made up of open source and third-party components vs. ones built by the enterprise’s developers themselves. However, once applications go into production, the enterprise is responsible for the security of the entire application regardless of where its source components came from.
ThreatMapper interrogates your production infrastructure, discovers applications within, and visualizes the topology of applications within your infrastructure. It observes network traffic and calculates the attack surface of your applications. This presents an accurate view of what is running across your clouds, Kubernetes clusters, and virtual-machine environments.
ThreatMapper then pulls manifests from containers, applications, language frameworks, and operating system instances and assesses these manifests against more than 50 threat and vulnerability feeds. In much the same way as “shift left” scanners do, ThreatMapper identifies vulnerable components such as older log4j or Apache Struts modules, or OpenSSL libraries.
But it doesn’t stop there. ThreatMapper evaluates the vulnerable components against the attack surface. Rather than just presenting an uncorrelated list of vulnerabilities, ThreatMapper highlights the vulnerabilities that are at the greatest risk of exploitation within your application right now. With this information, security teams can identify which vulnerabilities need to be fixed first.
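The two steps described in the last two answers, matching discovered package manifests against vulnerability feeds and then ranking the hits by how exposed the affected workload is, can be sketched in a few dozen lines. The following Python is an added illustration written for this article; it is not ThreatMapper's code or data model. The feed entries, manifests, observed flows, exposure weights and the risk formula are all constructed for the example.

```python
"""Toy model of manifest-vs-feed matching followed by attack-surface-aware
ranking. Added illustration only: not ThreatMapper's code, data model or
scoring. Every feed entry, manifest, flow and weight below is constructed."""

# Constructed vulnerability feed. Ranges are simplified to one "fixed_in"
# bound: every version strictly below it is treated as affected.
# The ids are placeholders, not real CVE numbers.
FEED = [
    {"id": "FEED-0001", "package": "log4j-core",   "fixed_in": "2.15.0", "cvss": 10.0},
    {"id": "FEED-0002", "package": "struts2-core", "fixed_in": "2.3.32", "cvss": 9.8},
    {"id": "FEED-0003", "package": "openssl",      "fixed_in": "3.0.2",  "cvss": 5.9},
]

# Constructed manifests, as if pulled from four running workloads.
MANIFESTS = [
    {"workload": "web-frontend", "packages": {"log4j-core": "2.14.1", "openssl": "3.0.1"}},
    {"workload": "batch-worker", "packages": {"log4j-core": "2.14.1"}},
    {"workload": "payments-api", "packages": {"struts2-core": "2.3.31", "openssl": "3.0.2"}},
    {"workload": "report-svc",   "packages": {"log4j-core": "2.17.0"}},
]

# Constructed topology facts, as if derived from observed network traffic:
# which workloads accept traffic from the internet, and which observed
# (source, destination) flows connect workloads to each other.
INTERNET_FACING = {"web-frontend"}
OBSERVED_FLOWS = [("web-frontend", "payments-api"), ("payments-api", "report-svc")]


def parse_version(version):
    """Turn a dotted numeric version such as '2.14.1' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def is_affected(installed, fixed_in):
    """A package is affected when its version is strictly below the fix."""
    return parse_version(installed) < parse_version(fixed_in)


def find_vulnerable_components(manifests, feed):
    """Step 1: match every (package, version) in every manifest against the feed."""
    findings = []
    for manifest in manifests:
        for package, version in manifest["packages"].items():
            for entry in feed:
                if entry["package"] == package and is_affected(version, entry["fixed_in"]):
                    findings.append({
                        "workload": manifest["workload"],
                        "package": package,
                        "version": version,
                        "vuln": entry["id"],
                        "cvss": entry["cvss"],
                    })
    return findings


def exposure(workload, internet_facing, flows):
    """Classify how reachable a workload is from the internet, using a breadth-first
    walk over observed flows. Labels and weights are constructed for the example."""
    if workload in internet_facing:
        return ("internet-facing", 1.0)
    reachable = set(internet_facing)
    frontier = list(internet_facing)
    while frontier:
        src = frontier.pop()
        for a, b in flows:
            if a == src and b not in reachable:
                reachable.add(b)
                frontier.append(b)
    if workload in reachable:
        return ("reachable-from-edge", 0.6)
    return ("internal-only", 0.2)


def prioritize(findings, internet_facing, flows):
    """Step 2: weight each finding's severity by the workload's exposure and sort.
    The product 'cvss * weight' is an illustrative risk score, not a standard."""
    ranked = []
    for finding in findings:
        label, weight = exposure(finding["workload"], internet_facing, flows)
        ranked.append({**finding, "exposure": label, "risk": round(finding["cvss"] * weight, 2)})
    ranked.sort(key=lambda f: f["risk"], reverse=True)
    return ranked


def run_example():
    """Run both steps over the constructed data and return the ranked findings."""
    return prioritize(find_vulnerable_components(MANIFESTS, FEED), INTERNET_FACING, OBSERVED_FLOWS)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['risk']:5.2f}  {f['workload']:13s} {f['package']}=={f['version']}  "
              f"{f['vuln']}  ({f['exposure']})")
```

The point of the ranking is visible in the output: the same log4j finding appears at the top of the list on the internet-facing workload and at the bottom on the isolated batch worker, and a medium-severity OpenSSL issue on the edge outranks a critical Struts issue one hop behind it. An uncorrelated list sorted by CVSS alone would order these quite differently.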
How do cybercriminals take advantage of unprotected workloads? What is the worst that can happen?
It’s easy to underestimate the opportunity that a small vulnerability offers to a determined attacker. Typically, the initial exploit of the vulnerability presents a beachhead that the attacker can leverage to gain further visibility and control into the target’s infrastructure.
In 2017, Equifax failed to identify all vulnerable instances of a software module named Apache Struts - a core component of enterprise Java applications. Two months after the vulnerability was disclosed, an attacker discovered instances in an Equifax application server and used this as a starting point to extract over 140 million customer records. The reputational and financial damage to Equifax was huge, including over $1 billion in additional security spending.
In 2018, attackers took advantage of an internet-connected fish tank thermostat in a casino. They used its location in the network to reach into the casino’s internal network and exfiltrate personal details of the casino’s high rollers. Even the most innocuous IoT device, if left vulnerable, can provide a starting point for a very sophisticated attack.
More recently, a vulnerability in a software module named ‘log4j’ was disclosed. The vulnerability allows an attacker to run application code within the target’s infrastructure. Within 24 hours of disclosure, users were reporting that attackers were running crypto miners to steal CPU resources and generate cryptocurrency. Other attacks have included credential stealing, installation of ransomware, and nation-state hacking.
Software vulnerabilities and attacks against them are common. Security professionals must continuously assess the risk posed by vulnerabilities and best focus their organization's efforts on fixing those vulnerabilities that matter most.
In your opinion, which industries should put extra attention towards application security?
Some would say that highly regulated industries, like finance and healthcare, should pay the most attention to application security. But the truth is that every organization is at risk. Bad actors target a wide variety of valuable assets to attempt to exploit.
If you’re handling financial or customer data, then of course the threat is apparent – an attacker who can breach this data serves to gain rich rewards, imparting significant damage to your business and your customers. However, theft of financial or Personally Identifiable Information (PII) is not the only goal of an attacker. Ransomware attempts seek to lock access to critical operational information, requiring the organization to either pay to unlock or suffer significant business interruption. Installation of crypto miners steals CPU resources, impacts the performance of applications, and increases hosting costs. Even if you have few valuable assets, attackers can use a foothold in your infrastructure to spread laterally and attack other targets.
No industry can afford to be complacent or ignore the risk of a cyberattack.
As more organizations move their workload to the cloud, myths surrounding the cloud landscape are still persistent. What misconceptions do you run into most often?
When we talk to users, we find they are very well informed and aware of the risks inherent in cloud-native applications, whether installed on-premises, on clouds, or serverless. However, they often find it challenging to understand the wide range of security solutions, whether open-source, commercial, or cloud-integrated. Each claims to improve security in some way, often with significant investment from the user. There are a lot of acronyms (CWPP, CSPM, NDR/EDR/XDR, SIEM, etc.) that appear to overlap and have a high degree of complexity.
We seek to help organizations navigate this sea of products and solutions, to understand the relative strengths of each and how they complement or compete with each other. We’re crystal clear about the role of Deepfence’s products, ThreatMapper and ThreatStryker, and how they can integrate within a wider security initiative.
What are the best practices companies should follow when developing and when launching applications?
Because modern applications and services rely heavily on shared, open-source components, securing them is best done as a collaborative, community effort.
Follow good “shift left” practices to ensure the code you push to production is as free from vulnerabilities as possible. Open source and bundled solutions exist, as do commercial ones, and they all draw from essentially the same vulnerability lists.
Follow best practices to secure your runtime platforms, whether cloud, Kubernetes, or on-premises. Cloud providers often offer auditing tools to ensure compliance; open-source tools exist for many additional situations. Commercial CSPM tools are also effective for verifying compliance and applying policies.
Continue to monitor production assets for late-breaking vulnerabilities. Vulnerabilities can be disclosed in production packages months or years after the package is released, so standard “shift left” practices will not catch these. Deepfence ThreatMapper is an open-source security platform, available on GitHub, for production environments that can be used to discover and prioritize production vulnerabilities.
Develop a process for observing and correlating security events in your production platforms. Behind the noise of internet-sourced recon traffic, attackers will leave subtle fingerprints that can be woven together to reveal the bigger story. Deepfence ThreatStryker gathers indicators of attack (network recon and weaponization traffic), indicators of compromise (on-host system events), and other data to tell the attack story.
What does the future hold for Deepfence?
The ThreatMapper open-source platform is at the core of our future. Since its launch in October 2021, it has grown to more than 1,000 GitHub stars and more than 100,000 sensor installations. As we look ahead, we aim to inspire continued support and growth in the community.
We firmly believe that security is a public good. Everybody, whether developers, enterprises, customers, or end-users, benefits from security improvements. The sources for a great many security products – the threat feeds, vulnerability lists, and signatures – are created and managed as a community effort. This open, accessible approach is reflected in our own open-source projects.
ThreatMapper will remain an entirely open-source solution. Taking inspiration and direction from the community, we will continue to innovate and build a security and threat management product that benefits all.