Please use this identifier to cite or link to this item: http://repository.iiitd.edu.in/xmlui/handle/123456789/1411
Title: Honeypots in containerised environments
Authors: Arora, Mehul
Chakravarty, Sambuddho (Advisor)
Keywords: containers
honeypots
Linux containers
Docker
detection artifacts
malware detection
obfuscation techniques
Issue Date: 29-Nov-2023
Publisher: IIIT-Delhi
Abstract: Containers have gained popularity for their efficiency, allowing developers to package and deploy applications seamlessly, thus replacing VMs in the modern-day deployment scenario and becoming a strong base for cloud computation. However, this surge has attracted malicious actors, exemplified by frequent cases of misconfigurations and vulnerabilities. This problem has grown with modern adversaries targeting Container Infrastructure by exploiting escape vulnerabilities that allow them to gain access to the host system. This paper provides an in-depth analysis of container security, and looks at the approach of using containerised honeypots to detect and study such attacks as a potential solution. In my initial study, I have explored the use of tools like Wireshark and Procmon in obtaining in-depth information about container events from the host system, and did a preliminary study of existing Container Security tools such as Trivy. Initial results reveal that while data can be extensively studied from the host for containers, with instances where running simple malware can also lead to ProcMon registering 180k events in a five-minute timespan, challenges in correlating data from monitoring tools with malware runtime exist profoundly. Thus, we aim to further look at methods for dynamic data analysis, study artefacts for building honeypots, and look at automation for scalable deployment of such honeypots in the future.
URI: http://repository.iiitd.edu.in/xmlui/handle/123456789/1411
Appears in Collections: Year-2023

Files in This Item:
File: BTP Report - Mehul Arora.pdf (Restricted Access)
Size: 522.77 kB
Format: Adobe PDF

