How Runtime Radar Helps Detect Supply Chain Attacks: The LiteLLM Case

Hi everyone! This is Sergey Zyukin, a developer of detection expertise for runtime-radar, an open-source product that secures the container runtime environment. I have prepared an article for you in which I explain how to detect the infostealer that was embedded in the LiteLLM library as a result of its recent compromise. In addition, we will of course also look at the lateral movement inside Kubernetes infrastructure that occurs if the infostealer script runs in a pod with sufficient privileges. We could not resist and checked what Runtime Radar can detect when such an attack is carried out. But first things first.

https://habr.com/ru/companies/pt/articles/1025316/

#kubernetes #runtime_security #containers #supply_chain_attack #ebpf #tetragon #runtimeradar #open_source #security


🛡️ Container Security

Opening: The article "5 Ways to Secure Containers from Build to Runtime" frames container risk as a lifecycle problem: containers are created and destroyed quickly, but vulnerabilities in images, dependencies, and configurations can persist and propagate at scale.

Technical Details: The piece structures protection into five core practices across the build-to-runtime continuum. These practices emphasize:
• Secure build processes and provenance tracking, including producing metadata such as SBOMs and image signing to assert origin and contents.
• Automated image scanning for known CVEs and misconfigurations during CI/CD gates to catch issues before images are promoted.
• Minimizing image attack surface by using smaller base images and removing unnecessary packages and tooling.
• Enforcing least-privilege and runtime constraints via container runtime policies, capability restrictions, and read-only filesystems.
• Continuous runtime monitoring and alerting for drift, suspicious process behavior, and anomalous network activity.

Analysis: Treating container security as end-to-end reduces windows of exposure. The article highlights that fast creation/deletion cycles demand automation and policy-as-code so teams do not rely on manual checks. Emphasis is placed on integrating security into developer workflows to scale controls without blocking delivery.

Detection: The text recommends embedding detection earlier in the pipeline and correlating CI/CD metadata with runtime telemetry. Examples include alerting on images with unresolved CVEs, unexpected privilege escalations, and unsigned or unscanned images running in production.

Mitigation: Conceptual mitigations discussed are pipeline hardening, image provenance (SBOMs and signing), aggressive image pruning, runtime policy enforcement, and continuous patching programs.

Limitations: The article notes operational constraints such as legacy images, third-party dependencies, and the need to balance developer productivity with stricter controls. It stresses incremental adoption of the five practices rather than a big-bang rollout.

References: No specific CVE or IoC is presented; the guidance is offered as operational best practices for engineering and security teams managing containers at scale.

🔹 #containers #sbom #runtime_security #kubernetes #security

🔗 Source: https://thehackernews.com/2025/11/why-soc-burnout-can-be-avoided.html

Why SOC Burnout Can Be Avoided: Practical Steps

SOC teams using ANY.RUN’s real-time sandbox achieve 3× efficiency and cut burnout through automation.

The Hacker News