Introducing New Runtime Security Features for Modern Containerized Environments

Abstract pink and red circular design with a small shield icon containing a white virus symbol at the center. The image has a modern, minimalist style, accompanied by the text upwind in the top left corner.
Eliad Mualem, Upwind

By Eliad Mualem

Jan 14, 2025

At Upwind Security, we continuously enhance our security capabilities to address emerging threats and provide unparalleled runtime protection for containerized environments. In this update, we are excited to introduce new detection and prevention policies designed to secure workloads against sophisticated attacks

Next-Generation Threat Detections

Over the past several weeks we have added additional detection policies to identify advanced threats at runtime. These new policies focus on syscall detection, process monitoring, and network anomaly identification. With these new detections, we focus on containerized application behaviour and provide even more advanced security for applications at runtime. Below, we will dive into the specific detections and how Upwind leverages them to provide security teams with next-generation protection.

Process Monitoring

Monitoring processes helps track what applications are running, their relationships with other processes, and the arguments they use. This provides valuable insight into system activity, helps detect unexpected or unauthorized processes, and aids in understanding the flow of execution within the system.

We’ve enhanced our process monitoring to detect:

  • Management Tool Downloads: Identifies downloads of tools like kubectl or other management utilities inside containers, which may signal preparation for lateral movement or privilege escalation.
  • SSH Sessions in Containers: Detects the initiation of SSH sessions within containerized environments, a common tactic for gaining unauthorized remote access.
  • Attack Techniques on Developer Tools: Monitors for attack patterns targeting developer tools like IDEs.
  • Source Code Package Downloads: Flags unusual or unauthorized package downloads within containers, which could indicate supply chain attacks or unauthorized software installation.
  • Process from Modified Binary Creating Network Connections: Detecting when a process running from a modified binary attempts to establish a network connection, indicating potential compromise or malicious activity.
Screenshot of a security platform interface displaying an interactive SSH session in a container. The left panel shows detection statistics. The main panel details an overview, risk analysis, and process details with a step-by-step flowchart.

By performing process monitoring at runtime, Upwind is able to immediately identify malicious processes running in a customer’s environment and provide them with the ability to kill the process or create a prevention policy to stop it from running in the future.

Syscall Analysis 

Syscalls, or system calls, are interfaces that allow user-mode processes to request services or functions from the kernel, such as file operations, process management, or network communication. They serve as a controlled gateway for running kernel-level code, ensuring security and stability while accessing core system resources. Monitoring syscalls is more effective than just monitoring processes and arguments because it provides deeper visibility into how applications interact with the kernel. 

Upwind monitors low-level system calls to detect:

  • Raw Socket Creation: Identifying unauthorized attempts to create raw sockets, which are often used in network attacks like packet sniffing or spoofing.
  • Suspicious Module Loads: Detecting unusual or malicious modules being loaded into memory, which can indicate malware or unauthorized modifications.
  • Remote Code Execution (RCE): Flagging RCE attempts through syscall anomalies, helping prevent attackers from executing arbitrary code on your systems.
Screenshot of a dashboard displaying a security alert for a container process creating a new socket. The interface shows an overview, risk analysis, process details, and detection timeline with highlighted risk scores and timestamps.

By leveraging syscall analysis, Upwind is able to provide even more granular visibility into process-level monitoring and detect actions made by the process. By doing so, we provide earlier detection of malicious behavior and more granular insights into potential threats.

Diagram showing a process in user space making syscalls to the kernel. The kernel section includes Read File and Create Socket operations. The upwind logo is in the top right corner.

Key Threat Spotlight: Late-Stage Module Loading

To give a deeper example of how these threat detection policies provide advanced runtime protection, we will spotlight one of the policies listed above – Suspicious Module Loads.

Containers are typically built with specific, pre-approved binaries and libraries. Any deviation from this, especially the loading of new modules long after the container’s initialization, can indicate malicious activity. Such late-stage module loading might be used to introduce spyware, backdoors, or data exfiltration tools, bypassing initial build-time security measures.

How Upwind’s Syscall Monitoring Captures This

By using syscall monitoring, Upwind detects when a process within a container loads a new library or module that was not part of the container’s build configuration.

We then send out real-time alerts when these unexpected module loads occur, enabling security teams to investigate and respond immediately before the activity escalates.

Why It Matters

Attackers often exploit runtime vulnerabilities to inject malicious code or libraries into memory. By monitoring for these module load anomalies, organizations can detect and halt attacks such as the introduction of credential stealers, encryption malware for ransomware, or tools designed for lateral movement.

These detections are particularly effective against sophisticated threats where attackers attempt to evade traditional security measures by running inside a legitimate process.

Diagram illustrating a memory partition with four processes. One process is highlighted, expanded to show three modules in a separate section. Two modules are marked in green and one in red. The Upwind logo is in the top right corner.

How Upwind Provides Advanced Threat Detection Capabilities

Cloud workloads have become a cornerstone of modern application deployment, but their nature and dynamic environments create unique security challenges. Our new capabilities directly address these challenges by:

  1. Detecting Advanced Attack Techniques: By monitoring syscall activities, processes, and audit logs, we can uncover common and advanced attack techniques, including reconnaissance, privilege escalation, and exploitation attempts.
  2. Ensuring Runtime Integrity: Monitoring binaries, processes, and system calls ensures that your containerized environment remains secure and free from unauthorized modifications.

Coming Soon

As we continue to advance our next-generation threat detection machine, we will be adding a number of new functionalities in the Upwind platform:

  • Threat Detection Orbital View: Easily visualize threat findings and associated context, including resources, identities, and APIs.
Screenshot of a cybersecurity platform displaying a network threat analysis. The interface shows threat detections on the left, including categories like critical and high. A diagram on the right maps out connections and potential vulnerabilities.
  • Detection Timelines: Detailed timelines to connect events from build to runtime leading up to a detection.
Screenshot of a cybersecurity platform showing detection details. The interface displays a timeline of security events, a summary of detected threats, and detailed incident analysis, highlighting an artificial-severity reverse shell execution.
  • Threat Correlation: Automatically view other active threats and threat detections over time.
Screenshot of a cybersecurity dashboard showing active threat detections, including two critical, 14 high, 15 medium, and 13 low threats. The right pane displays a specific threat with details, activity timeline, and other active threats with dates.

To learn more about Upwind’s advanced threat detection capabilities, visit the Upwind Documentation Center (login required) or schedule a demo.

Introducing New Runtime Security Features for Modern Containerized Environments

Further Reading

A red background with a white bug icon symbolizes a critical vulnerability. The text reads: Critical Vulnerability Impacting FortiOS and FortiProxy Systems (CVE-2024-55591) with Upwind logo in the top-right corner.
Research

New CVE-2024-5591 Zero-Day Exploitation of Fortinet Firewalls 

Eliad Mualem, Upwind

By Eliad Mualem

Jan 14, 2025

On January 14, 2025, Fortinet announced a critical vulnerability impacting its FortiOS and FortiProxy systems, CVE-2024-55591 is an authentication  bypass zero-day vulnerability that has been actively exploited since mid-November 2024, enabling attackers to hijack Fortinet firewalls and compromise enterprise networks. Successful exploitation grants remote attackers super-admin privileges via malicious requests to the Node.js websocket module. Discovery […]

A warning icon in a triangular shape is centered against a pink background. Text below reads: Zero-Day Exploitation of Ivanti Connect Secure VPN Devices (CVE-2025-0282 & CVE-2025-0283). The Upwind logo is in the top right corner.
Research

New Zero-Day Exploitation of Ivanti Connect Secure VPN Devices with CVE-2025-0282 and CVE-2025-0283

Jan 09, 2025

On January 8, 2025, Ivanti announced two critical vulnerabilities impacting its Connect Secure (ICS) VPN appliances: CVE-2025-0282 and CVE-2025-0283. Notably, CVE-2025-0282 has been actively exploited in the wild since mid-December 2024. This vulnerability, an unauthenticated stack-based buffer overflow, allows remote code execution without authentication, posing a serious risk of further network compromise. Discovery and Response […]

An illustration with a pink background featuring a white bug icon. Text reads: Apache Tomcat Vulnerability (CVE-2024-56337) Exposes Servers to RCE. The Upwind logo is in the top right corner.
Research

Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE

Moshe Hassan Upwind

By Moshe Hassan

Dec 24, 2024

Overview Apache has released a security update to address an important Apache Tomcat vulnerability (CVE-2024-56337) that could result in remote code execution (RCE) under certain conditions. This new CVE is closely tied to the earlier Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation (CVE-2024-50379), for which an incomplete mitigation was issued on December 17, […]

Stay in touch

Product

CNAPP
Vulnerability Management
CSPM
Container Security
CWPP
CDR
API Security
Identity Security

General

About
Contact
Careers
Feed
Events
Case Studies
Get A Demo
Glossary

Social

Twitter
LinkedIn
Facebook

Resources

Documentation

Privacy Policy
Terms of Use

© 2025, Upwind Security