Unlocking Security: SBOM Benefits for Container Investigations
Background: During the analysis stage of incident response, it is essential to answer how the attacker got into the environment. This becomes especially challenging in a Docker ecosystem. If we want to check whether any exposed Docker containers were vulnerable, we need a specialized methodology.
Methodology: This methodology is especially useful in cases where the image was downloaded from Docker Hub. To leverage this approach during an investigation, you need to incorporate three main components:
SBOM Approach + CVE Database + Python Environment
First, generate an SBOM (Software Bill of Materials) from the container. This will produce a comprehensive list of all dependencies and other relevant information. Next, systematically check each listed component against CVE (Common Vulnerabilities and Exposures) databases to identify any known vulnerabilities. Based on the results, you can pinpoint critical elements and focus your attention on the findings. This process is fundamental at this stage of the investigation. Of course, depending on the specifics of the case, you may need to dive deeper into the analysis as required.
The following example shows one implementation of this methodology.
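As an added illustration (not code from the original post), the script below carries the three components through end to end in Python: it parses a CycloneDX-style SBOM such as an SBOM generator emits for a container image, matches each component against a local CVE feed by package name and package ecosystem (taken from the purl), checks whether the installed version falls inside the affected range, and ranks the findings by severity so the investigator knows where to look first. The SBOM, the package names and the CVE identifiers are all constructed placeholders; a real investigation would feed in the SBOM produced from the actual image and a downloaded NVD or OSV data set in place of `CVE_DB`.

```python
"""Match SBOM components against a CVE feed (offline, constructed data)."""
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed CycloneDX-style SBOM, in the shape an SBOM generator emits for
# a container image. Component names and versions are invented placeholders.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libexample", "version": "1.2.3",
     "purl": "pkg:deb/debian/libexample@1.2.3"},
    {"type": "library", "name": "webfw", "version": "4.0.1",
     "purl": "pkg:pypi/webfw@4.0.1"},
    {"type": "library", "name": "jsonparse", "version": "2.9.0",
     "purl": "pkg:npm/jsonparse@2.9.0"}
  ]
}
"""

# Constructed vulnerability feed. The identifiers are placeholders in CVE
# format, not real CVE entries; a real run loads NVD/OSV records here.
# "fixed": None means no fixed version is known yet.
CVE_DB = [
    {"id": "CVE-0000-00001", "ecosystem": "deb", "package": "libexample",
     "introduced": "1.0.0", "fixed": "1.2.4", "severity": "CRITICAL"},
    {"id": "CVE-0000-00002", "ecosystem": "pypi", "package": "webfw",
     "introduced": "3.0.0", "fixed": "4.0.0", "severity": "HIGH"},
    {"id": "CVE-0000-00003", "ecosystem": "npm", "package": "jsonparse",
     "introduced": "2.0.0", "fixed": None, "severity": "MEDIUM"},
    # Same package name in a different ecosystem: must NOT match the deb one.
    {"id": "CVE-0000-00004", "ecosystem": "npm", "package": "libexample",
     "introduced": "0.0.1", "fixed": None, "severity": "HIGH"},
]

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


@dataclass
class Finding:
    component: str
    version: str
    ecosystem: str
    cve_id: str
    severity: str


def parse_version(v: str) -> tuple:
    """Turn '1.10.0' into a comparable tuple so 1.10.0 > 1.9.9 (no string compare)."""
    parts = []
    for p in v.split("."):
        # Numeric parts sort before non-numeric ones (e.g. '3' < 'rc1').
        parts.append((0, int(p)) if p.isdigit() else (1, p))
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """Affected when introduced <= version < fixed; no fix means still affected."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def purl_ecosystem(purl: str) -> str:
    """'pkg:deb/debian/libexample@1.2.3' -> 'deb'."""
    return purl.split(":", 1)[1].split("/", 1)[0]


def match_sbom(sbom_json: str, cve_db: list) -> List[Finding]:
    """Cross-check every SBOM component against the feed, most severe first."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        eco = purl_ecosystem(comp.get("purl", "pkg:unknown/"))
        for entry in cve_db:
            if entry["package"] != comp["name"] or entry["ecosystem"] != eco:
                continue
            if is_affected(comp["version"], entry["introduced"], entry["fixed"]):
                findings.append(Finding(comp["name"], comp["version"], eco,
                                        entry["id"], entry["severity"]))
    findings.sort(key=lambda f: SEVERITY_RANK.get(f.severity, 99))
    return findings


if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, CVE_DB):
        print(f"{f.severity:8} {f.cve_id}  {f.ecosystem}/{f.component}@{f.version}")
```

Only two components come back: `libexample` 1.2.3 sits inside its affected range and is reported as CRITICAL, `jsonparse` has no fix yet and is reported as MEDIUM, while `webfw` 4.0.1 is at or past its fixed version and is skipped. The ecosystem check matters in practice: the same package name in `deb` and `npm` are different software, and matching on name alone would produce false positives that waste investigation time.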

Conclusion: Vulnerability assessment is critical for the overall incident response stage, and it can help reduce the attack surface. Currently, organizations are moving toward containerization, which is becoming the cornerstone of many technologies.
