Agentless visibility and risk assessment paired with Wiz Runtime Sensor real-time detection for the best of both worlds
Analysis Summary
# Tool/Technique: Wiz Runtime Sensor
## Overview
The Wiz Runtime Sensor is a new capability launched by Wiz to enhance threat detection and response for cloud workloads. It provides real-time visibility and monitoring within running workloads, particularly in Kubernetes clusters, by leveraging eBPF technology. Its primary purpose is to contextualize cloud security detections by correlating runtime signals with agentless cloud context, enabling defenders to understand the full scope and impact of attacks across cloud infrastructure, control planes, and individual workloads.
## Technical Details
- Type: Tool / Detection Mechanism
- Platform: Cloud Workloads (especially Kubernetes clusters)
- Capabilities: Real-time monitoring of processes, network connections, file activity, system calls, endpoint detection, and threat correlation.
- First Seen: Public Preview, as announced in the source article.
## MITRE ATT&CK Mapping
The tool specifically aims to detect behaviors associated with various cloud and Kubernetes threats, which map to the following tactics:
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
- **TA0003 - Persistence**
- **TA0005 - Defense Evasion**
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter (e.g., RCE detection)
- **TA0008 - Lateral Movement**
  - T1550 - Use Alternate Authentication Material (implied through lateral movement detection)
*Note: Specific T### IDs are derived from the mentioned detected techniques (container escape, RCE, lateral movement, persistence, remote shells).*
## Functionality
### Core Capabilities
- **eBPF-based Agent:** Lightweight agent deployed within Kubernetes clusters for real-time signal collection.
- **Real-time Monitoring:** Visibility into running processes, network connections, file activity, and system calls to detect malicious behavior.
- **Threat Detection:** Detects known and unknown threats including cryptocurrency miners, remote shells, ransomware, and rootkits.
- **Contextual Correlation:** Correlates runtime signals with cloud activity and audit logs via the Wiz Security Graph to uncover end-to-end attacker movement.
### Advanced Features
- **Cloud-Native Attack Coverage:** Built-in detections, updated by the Wiz Threat Research team, specifically targeting techniques like container escape and remote code execution (RCE).
- **Risk Prioritization Enrichment:** Uses runtime signals to enrich agentless vulnerability assessments, showing which vulnerabilities are actively exploited by running workloads.
- **Unified Visibility:** Provides a holistic view by correlating workload activity, cloud activity, and infrastructure context, overcoming the limitations of siloed, traditional tools.
- **Forensics Features:** Provides extended capabilities beyond basic detection.
## Indicators of Compromise
As the Wiz Runtime Sensor is a defensive tool designed to *detect* IoCs rather than generate them, the focus is on the behaviors and artifacts it monitors:
- File Hashes: N/A (Detects artifacts based on observed behavior)
- File Names: N/A (Monitors file activity)
- Registry Keys: N/A (Platform-dependent monitoring)
- Network Indicators: Monitoring of suspicious network connections related to command and control or lateral movement within the cloud environment.
- Behavioral Indicators: Detection of indicators associated with:
  - Cryptocurrency mining processes.
  - Execution of remote shells.
  - Indicators of ransomware execution.
  - System call anomalies indicative of rootkits.
  - Process behavior signifying container escape.
  - Activities suggesting lateral movement across cloud resources.
## Associated Threat Actors
- **TeamTNT (Suspected reference):** The article references a recent attack pattern where an attacker, suspected to be related to TeamTNT, gained container access, moved laterally, and stole data, illustrating the multi-layer cloud attacks the sensor is designed to counter.
- **Cloud and Kubernetes Actors:** General detection coverage for actors utilizing cloud and Kubernetes-specific exploitation techniques.
## Detection Methods
- **Signature-based detection:** Utilizes updated rulesets for transparent and consistent detection of known threats.
- **Behavioral detection:** Real-time monitoring of system calls, process execution, and network activity to identify novel/unknown malicious behavior.
- **Complex Correlation Detections:** Utilizes correlation across multiple signals (runtime, cloud audit logs) for high-fidelity alerts.
## Mitigation Strategies
- **Real-time Response:** Utilizing the end-to-end visibility provided by correlation for immediate and targeted response actions.
- **Vulnerability Remediation Prioritization:** Focus remediation efforts on vulnerabilities identified as being actively used by running workloads via runtime signal enrichment.
- **Holistic Security Platform:** Consolidating detection across build-time (agentless) and run-time (sensor) for comprehensive protection.
- **Tool Integration:** Ability to ingest alerts from existing tools (like Amazon GuardDuty) to centralize analysis and minimize tool sprawl.
## Related Tools/Techniques
- **Wiz Security Graph:** Agentless, API-based visibility and cloud risk assessment tool that the Runtime Sensor enhances and correlates with.
- **Cloud Detection and Response (CDR) Module:** The Wiz Runtime Sensor extends the capabilities of this existing module.
- **Traditional Endpoint Detection and Response (EDR) solutions:** The platform intends to integrate signals from solutions like SentinelOne, contrasting and complementing traditional EDR approaches which often lack deep cloud context.