Find out quickly where OS and open-source packages or libraries are deployed in your cloud environments and secure them before potential issues arise.
# Tool/Technique: Wiz Agentless SBOM Search Capabilities
## Overview
Wiz is extending its agentless Software Bill of Materials (SBOM) capabilities to allow users to search for specific libraries and packages, along with their versions, deployed across cloud environments. This functionality is primarily designed to improve visibility into application stacks, identify obsolete or vulnerable components (like specific versions of `xz-utils`), ensure compliance, and facilitate rapid response to zero-day vulnerabilities.
## Technical Details
- Type: Tool (Security and Cloud Security Posture Management platform feature)
- Platform: Cloud environments (VMs, container images, running workloads)
- Capabilities: Agentless scanning, runtime validation, SBOM generation (CycloneDX, SPDX formats), comprehensive search across the deployed software inventory.
- First Seen: An extension of existing Wiz SBOM capabilities, announced in the context of the `xz-utils` backdoor disclosure (CVE-2024-3094).
## MITRE ATT&CK Mapping
This is a defensive inventory and vulnerability-management capability, so it has no offensive technique of its own. Its value lies in countering the techniques that a backdoored or vulnerable component enables, which corresponds to ATT&CK mitigations rather than tactics:
- **M1016 - Vulnerability Scanning** (agentless SBOM search is an inventory-driven form of vulnerability scanning)
- **M1051 - Update Software** (the search output drives targeted updates of only the affected workloads)
Techniques whose impact the capability helps limit:
- **T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools** (the `xz-utils` backdoor is a compromised upstream dependency shipped through distribution packages)
- **T1190 - Exploit Public-Facing Application** (combined with exposure context, the search surfaces backdoored components, such as a compromised `liblzma`, on internet-facing workloads before they can be exploited)
## Functionality
### Core Capabilities
- **Agentless Scanning:** Scans all resources, active or not, to detect installed technologies.
- **Runtime Validation:** Uses the Wiz sensor to validate packages and libraries currently in use.
- **Compliance Reporting:** Offers SBOM export in standard formats like CycloneDX and SPDX for compliance adherence.
- **Inventory Management:** Provides a complete, constantly updated inventory of software components.
### Advanced Features
- **Targeted Search:** Allows users to search specifically for a library or package name and version (e.g., `xz-utils` versions 5.6.0 and 5.6.1).
- **Remediation Prioritization:** Enables identification of End-of-Life (EOL) or End-of-Support (EOSL) versions.
- **Contextual Risk Assessment:** Combines SBOM search results with Wiz context, allowing filtering based on resource exposure (e.g., publicly exposed) or privilege levels to quickly assess 0-day impact and potential exploitation surface.
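The targeted search and exposure-based triage described above, as an added example that is not code from the original page or from Wiz. It runs the same kind of query a platform search would run, but over CycloneDX JSON documents constructed inline: find every component whose upstream version is 5.6.0 or 5.6.1 (the versions the page names) under any of the package names the xz build ships as on common distributions (an assumed name list), strip Debian epochs and distro release suffixes before comparing, and rank hits so publicly exposed resources come first. The per-entry `resource` dictionary (name, exposure) is an assumed convention standing in for the cloud context a platform attaches to a workload; it is not part of the CycloneDX specification.

```python
"""Search CycloneDX SBOMs for specific package versions and rank hits by exposure.

Added example, not code from the original page or from Wiz. The inventory
below is constructed inline. The ``resource`` dictionary on each entry is an
assumed convention for cloud context and is not part of CycloneDX.
"""

# Constructed inventory: one CycloneDX 1.5 JSON document per cloud resource.
SAMPLE_INVENTORY = [
    {
        "resource": {"name": "web-01", "exposure": "public"},
        "sbom": {
            "bomFormat": "CycloneDX", "specVersion": "1.5",
            "components": [
                {"type": "library", "name": "xz-utils", "version": "5.6.1-1",
                 "purl": "pkg:deb/debian/xz-utils@5.6.1-1"},
                {"type": "application", "name": "openssh-server", "version": "1:9.6p1-3",
                 "purl": "pkg:deb/debian/openssh-server@1:9.6p1-3"},
            ],
        },
    },
    {
        "resource": {"name": "batch-02", "exposure": "private"},
        "sbom": {
            "bomFormat": "CycloneDX", "specVersion": "1.5",
            "components": [
                {"type": "library", "name": "xz-libs", "version": "5.6.0-2.fc40",
                 "purl": "pkg:rpm/fedora/xz-libs@5.6.0-2.fc40"},
            ],
        },
    },
    {
        "resource": {"name": "db-03", "exposure": "private"},
        "sbom": {
            "bomFormat": "CycloneDX", "specVersion": "1.5",
            "components": [
                # Older release, not in the affected set: must not match.
                {"type": "library", "name": "xz-utils", "version": "5.4.5-0.3",
                 "purl": "pkg:deb/debian/xz-utils@5.4.5-0.3"},
            ],
        },
    },
    {
        "resource": {"name": "api-04", "exposure": "public"},
        "sbom": {
            "bomFormat": "CycloneDX", "specVersion": "1.5",
            "components": [
                {"type": "library", "name": "liblzma5", "version": "5.6.1-1",
                 "purl": "pkg:deb/debian/liblzma5@5.6.1-1"},
                {"type": "library", "name": "xz-utils", "version": "5.6.1-1",
                 "purl": "pkg:deb/debian/xz-utils@5.6.1-1"},
            ],
        },
    },
]

# Assumed: package names under which the xz-utils build ships on common distributions.
XZ_PACKAGE_NAMES = {"xz-utils", "xz", "xz-libs", "liblzma5", "liblzma"}
# Affected versions as named on the page.
XZ_BACKDOORED_VERSIONS = {"5.6.0", "5.6.1"}


def upstream_version(distro_version: str) -> str:
    """Reduce a distro package version to its upstream part.

    '1:9.6p1-3'   (Debian, with epoch)   -> '9.6p1'
    '5.6.0-2.fc40' (Fedora release tag)  -> '5.6.0'
    """
    without_epoch = distro_version.split(":", 1)[-1]
    return without_epoch.split("-", 1)[0]


def search_sboms(inventory, package_names, versions):
    """Return one hit per (resource, component) whose name matches the query
    case-insensitively and whose upstream version is in the wanted set."""
    wanted = {n.lower() for n in package_names}
    hits = []
    for entry in inventory:
        for comp in entry["sbom"].get("components", []):
            if comp.get("name", "").lower() not in wanted:
                continue
            if upstream_version(comp.get("version", "")) not in versions:
                continue
            hits.append({
                "resource": entry["resource"]["name"],
                "exposure": entry["resource"]["exposure"],
                "package": comp["name"],
                "version": comp["version"],
                "purl": comp.get("purl"),
            })
    return hits


# Lower rank sorts first; unknown exposure values sort last.
EXPOSURE_RANK = {"public": 0, "private": 1}


def prioritize(hits):
    """Publicly exposed resources first, then by resource name (stable sort keeps
    the SBOM's own component order within a resource)."""
    return sorted(hits, key=lambda h: (EXPOSURE_RANK.get(h["exposure"], 2), h["resource"]))


def affected_resources(inventory=SAMPLE_INVENTORY):
    """Prioritized list of workloads carrying a backdoored xz/liblzma package."""
    return prioritize(search_sboms(inventory, XZ_PACKAGE_NAMES, XZ_BACKDOORED_VERSIONS))


if __name__ == "__main__":
    for hit in affected_resources():
        print(f"{hit['exposure']:8} {hit['resource']:10} {hit['package']} {hit['version']}")
```

Stripping the distro suffix before comparing is the part that matters in practice: a search for the literal string `5.6.1` misses `5.6.1-1` on Debian and `5.6.0-2.fc40` on Fedora, which is exactly the case where an internet-facing host would be silently left out of the remediation plan. The exposure ranking mirrors the page's point that the same SBOM hit is a different priority on a public resource than on a private one.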
## Indicators of Compromise
Not applicable in the malware sense: Wiz is a defensive platform, not a threat, so there are no indicators for the tool itself. In the `xz-utils` case the search criteria are the indicator: `xz-utils` or `liblzma` at version 5.6.0 or 5.6.1 present in a workload's inventory.
## Associated Threat Actors
This tool is used by **Security Teams, Cloud Engineering Teams, and Defenders** to manage risk associated with threat actors who might exploit vulnerable software components like those in `xz-utils`.
## Detection Methods
The capability detects vulnerable assets rather than active intrusions:
- **Inventory-based identification:** Components are identified from installed package metadata and file paths in the scanned image or disk, not from malicious-content signatures.
- **Runtime validation:** The Wiz sensor confirms which inventoried packages and libraries are actually loaded or executing, separating workloads that merely contain a vulnerable package from those that are running it.
- **YARA or other content signatures:** Not part of this feature, which relies on inventory mapping rather than pattern matching.
## Mitigation Strategies
- **Targeted Remediation:** Allows creation of precise update plans targeting only workloads running obsolete or vulnerable library versions.
- **Risk Triage:** Rapid assessment of the exposure of resources affected by recently disclosed vulnerabilities (such as CVE-2024-3094), using exposure and privilege context to order remediation.
- **Compliance Assurance:** Ensuring all deployed components adhere to regulatory tracking requirements.
## Related Tools/Techniques
- Agentless SBOM Generation
- Cloud Security Posture Management (CSPM)
- Software Supply Chain Security Tools
---
*Contextual Note: The article heavily references the **xz-utils backdoor (CVE-2024-3094)**, illustrating the necessity of this search capability for quickly identifying affected instances of libraries like `liblzma` across cloud infrastructure.*