Infinity War: Threat in the Docker Images
Background: In one of our previous articles, we discussed analyzing Docker images for vulnerabilities at the operating system level. In this article, we explore another attack pattern: compromise of the image itself by threat actors, which can become a significant pain point in the supply chain.
Threat landscape against Docker images: There are several ways a locally stored image can be compromised. One is compromise of a component inside the image; another is compromise of the image maintainer. In both cases, advanced anomaly detection may not be necessary. Instead, a remote image integrity check can verify whether the SHA-256 digest of the local image matches the digest the remote registry publishes for that tag.
First, use the local CLI to retrieve the SHA-256 digests of the locally stored Docker images.

Next, use the Docker Hub API to retrieve all tags of the repository along with their SHA-256 digests, and correlate them with the local digests. Any mismatch should raise an alert to the Incident Response (IR) team for validation.
Another method is to maintain a whitelist of approved images. If an unknown or unauthorized image appears in the environment, notify the IR team for further inspection and validation.
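As an added example (not code from the original article), the digest correlation and the whitelist check described above in one Python script: it parses constructed `docker images --digests` output, compares each local digest with the digests a constructed Docker Hub tags response publishes for that tag, and flags any image whose repository is not on the approved list. The Docker Hub field names and the `docker images` format string are assumptions to verify against a live response.

```python
import re
# Constructed sample shaped like `docker images --digests --format
# '{{.Repository}}:{{.Tag}} {{.Digest}}'`; locally built, never-pulled images show <none>.
LOCAL_IMAGES = "\n".join([
    "library/nginx:1.25 sha256:" + "a" * 64,          # matches Hub below
    "library/redis:7.2 sha256:" + "b" * 64,           # Hub publishes a different digest
    "acme/internal-tool:latest sha256:" + "c" * 64,   # repository not on the approved list
    "localbuild/scratch:dev <none>",                  # no registry digest to compare
])

# Constructed sample shaped like Docker Hub's v2 tags API
# (GET https://hub.docker.com/v2/repositories/<namespace>/<repo>/tags); field names are
# assumed from that API: "digest" is the manifest list, "images[].digest" per-platform.
HUB_TAGS = {
    "library/nginx": {"results": [{"name": "1.25", "digest": "sha256:" + "a" * 64,
                                   "images": [{"digest": "sha256:" + "e" * 64}]}]},
    "library/redis": {"results": [{"name": "7.2", "digest": "sha256:" + "d" * 64, "images": []}]},
}
APPROVED_REPOS = {"library/nginx", "library/redis"}  # the article's whitelist of images
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_local_images(text):
    """Yield (repo, tag, digest) from 'repo:tag digest' rows; rows without a digest are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and DIGEST_RE.match(parts[1]):
            repo, _, tag = parts[0].rpartition(":")
            yield repo, tag, parts[1]


def hub_digests(tag_listing):
    """Map tag -> every digest Hub publishes for it (manifest list plus per-platform manifests)."""
    out = {}
    for t in tag_listing.get("results", []):
        candidates = [t.get("digest")] + [i.get("digest") for i in t.get("images", [])]
        out[t["name"]] = {d for d in candidates if d}
    return out


def check_images(local_text, hub_tags, approved):
    """Return (alert_type, image) pairs for the IR team, in local listing order."""
    alerts = []
    for repo, tag, digest in parse_local_images(local_text):
        if repo not in approved:
            alerts.append(("UNAPPROVED_IMAGE", f"{repo}:{tag}"))
            continue
        remote = hub_digests(hub_tags.get(repo, {}))
        if tag not in remote:
            alerts.append(("TAG_NOT_ON_HUB", f"{repo}:{tag}"))
        elif digest not in remote[tag]:
            alerts.append(("DIGEST_MISMATCH", f"{repo}:{tag}"))
    return alerts
```

Running `check_images(LOCAL_IMAGES, HUB_TAGS, APPROVED_REPOS)` yields one mismatch for redis and one unapproved alert for the acme image, while the never-pulled `<none>` image is skipped rather than misreported.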
Conclusion: Every great solution is built on simple fundamental principles, which provide baseline protection for your environment. Building on these essentials, you can then introduce more advanced security measures tailored to your specific needs.
