How BigID Discovers Its Container Images in Public Container Registries
The Challenge
The usage of containers has greatly driven the growth of cloud-native technologies— changing how many applications are designed, developed, deployed, and managed. With this evolutionary change across the technology industry, there are other significant security obstacles to overcome. One of the most important obstacles is mitigating exposed container registries that hold proprietary code.
Container registries are a very critical part of containerized infrastructure and with these left exposed it introduces supply chain risks. Supply chain attacks are one of the more prominent methods companies are breached today. Going back to SolarWinds or Log4j, this trend has only ramped up with more and more breaches being reported due to supply chain attacks. A report from TrendMicro, highlighting shocking research about how much container registries are currently exposed, how attackers can and eventually will leverage this to their advantage.
Some of the most shocking statistics relating to container registries are:
- 9.31 TB worth of downloaded images
- 197 dumped unique registries
- 20,503 dumped images
BigID has faced this similar challenge with a number of our container images being uploaded to various public registries without our consent. As a way to combat this, the BigID Security Team took matters into their own hands to develop an automated process to identify, verify, and eliminate the risk.
Our Approach
The BigID Security Team approached this problem by using AWS Lambda to discover BigID container images in public container registries like DockerHub and the AWS ECR public image gallery. Below is an architecture diagram of our approach:
These lambdas are triggered on a daily cadence by AWS EventBridge and then query a public container registry (1).
If a BigID container image is found, the lambdas read from a shared DynamoDB table for historic findings of the images previously discovered (2). If the image and publisher are unique, the lambdas write important indicators to the database that will then be passed to our SOAR platform for case management (3). It is important to note that there is a time to live (TTL) on each entry written to the DynamoDB table, that way the lambdas can notify a team member that the containers are still hosted on the public container registry it triggered on.
Once the case management portion of the workflow begins, our SOAR platform queries our in-house CSPM for the image hash digest found in the registry (4). If the hash digest is discovered in our CSPM, the team is alert on slack of a true positive— and if not— it still alerts for further manual validation (5).
Once the team has validated that the image is indeed a BigID container image and has been uploaded without our consent, we email a takedown request under the United States’ Digital Millennium Copyright Act (“DMCA notices”). DMCA is a federal law that is designed to protect copyright holders, such as BigID, from the unlawful reproduction or distribution of their works.
We provide the following information to DockerHub dmca@docker[.]com support, for AWS ec2-abuse@amazon[.]com, amongst others when we issue a takedown request which will require the following:
- An electronic or physical signature of a person authorized to act on behalf of the copyright owner
- Identification of the copyrighted work that you claim is being infringed
- Identification of the material that is claimed to be infringing and where it is located on the Service
- Information reasonably sufficient to to contact you, such as your address, telephone number, and e-mail address
- A statement that you have a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or law
- A statement, made under penalty of perjury, that the above information is accurate, and that you are the copyright owner or are authorized to act on behalf of the owner
These are the steps BigID has taken to not only enhance the overall security posture of the organization, but provide us the ability to be proactive through automation to eliminate outside risks. By having this in place, we can operate more effectively and efficiently to ensure that BigID code and images are not publicly accessible and further eliminate our supply chain risk.
What’s Next
Our automation is far from being automated 100% of the way through. There are still manual steps that a security engineer has to take after an image is found publicly available on the internet. There are takedown notices that need to be sent and we hope to be able to fully automate by using our SOAR platform’s case management feature and automation.