Transcript
This transcript was autogenerated. To make changes, submit a PR.
Hi everyone.
First of all, thank you all for joining the conf42 Kube Native 2024 conference,
and a big thanks to Mark Bakowski for hosting this event and accepting my talk.
My name is Alexander Tronick.
I work as a customer solutions engineer at Sysdig, and in today's session,
I'm going to show you how we can use the open source project Falco Sidekick to
detect threats in Kubernetes workloads.
I'll provide some initial context using slides, after which we'll
jump into the lab environment.
A little bit about me.
I have a technical background in telecommunications, and I've been working
for 10 years in various engineering roles.
At the time when I completed my electrical engineering master's degree, cloud
computing and container technology weren't covered by any of the programs,
and I totally side quested into these fields as a hobby by following along
content creators such as NetworkChuck
and doing the training on platforms such as RangeForce and TryHackMe.
I'd say a major lesson here would be to never stop learning, invest in
yourself, and find an ethical hobby with a great return on investment potential.
From this slide, you can conclude how I enjoy spending some of my time,
and where you can find me online.
From making YouTube walkthroughs, blog writing, participating in AWS Community
Builder and Cisco Insider Champion Communities, and staying current
with cloud and Kubernetes security.
Right now, I'm going after success coaching and customer
success manager certification, so it's never a dull moment.
And if any of these I've mentioned so far sparked your interest,
connect with me on LinkedIn and we can continue the conversation.
Speaking of ROI, cloud and Kubernetes are currently known as fields with great
opportunities that connect you with the most amazing people and pay well.
Cloud and Kubernetes go great hand in hand, from creating highly available
and resilient services, working on internal developer platforms, to
innovating with large language models.
You will frequently find that applications served on public cloud are behind
the scenes built using Kubernetes.
So in this day, age, and economy, that's something you can expect to see and hear:
cloud and Kubernetes skills wanted across software and security
engineering, sales, and customer success.
Related to my badges from the previous slide, here I highlighted
open job roles from these vendors, including my employer, Sysdig.
So this is something for motivation to start looking into Kubernetes and cloud,
because the times are hybrid and it's not very realistic to center
your technical skill set solely around services that work on premise.
So let's say that any service that has to be developed and offered to a
wide audience should be secured too.
In cloud security, there is this concept of cloud native application protection
platforms, CNAPP solutions, capable of securing infrastructure and applications,
whether based on full blown virtual machines or microservices, from the
moment of their local development, while still being available only in
manifest files, to their runtime,
where you can actually access an application serving
a certain web page live.
Not all malicious actors will rely on common vulnerabilities and exposures,
CVEs for short, to cause damage and gain unauthorized access to our offering.
Some might try to leverage identities not being configured according
to the least privilege practice,
and compliance failures,
when we rely on reports as snapshots in time to prove our offering's
adherence to industry best practices and relevant benchmarks.
And then, there could be insider threats too.
Using a job relevant analogy, it's like a candidate who looks good on paper,
interviews well, and gets inside a company, but has malicious intent.
So this is where threat detection is of utmost importance.
Speaking from my personal experience working with Sysdig Secure CNAPP, its
threat detection engine is based on the open source Falco project, capable
of detecting early indicators of an attack in containerized environments,
such as using reconnaissance scripts or other open source tools, and
malicious actions across the MITRE ATT&CK framework such as obfuscation, privilege
escalation, log deletion, downloading binaries to containers, exfiltration
attempts, shell history deletion, bulk renaming and recreating data
file extensions, and other actions connected with ransomware campaigns.
A bit on Falco.
Falco is, as of this year, a CNCF graduated project, meaning it's
considered stable and it's used successfully in production environments.
Not going deep into architecture weeds right now, for this session just know
that Falco hooks into the Linux kernel via a driver, either a kernel module or an
eBPF probe, and can collect system calls.
All these events are parsed from kernel space to user space, where
Falco rules, which are essentially filters of your interest, are
applied, and the final outputs can be delivered to certain locations.
Falco can associate each kernel event with the exact container attribute, like
container ID, name, image repository, tags, as well as Kubernetes attributes,
such as namespace or pod name.
And on the right side, there is an example of a microservice-based
architecture, leveraging Falco to understand what is causing
anomalies within a Kubernetes cluster.
So when speaking innovation, container runtime insights are important to consider
because traditional security tooling for event management wasn't built with
potential malicious Kubernetes events and short lived container logs in mind.
Falco is usually associated with a command line, but there is this public page,
as seen on the left and middle part of the slide, where you can conveniently
browse through existing Falco rules in detail, including rules description,
condition when the rule will be triggered, output content, and rule tags.
On the right, Sysdig's 2024 Cloud Native Security and Usage Report
lists top triggered detections.
In any environment where containerized workloads are being experimented with
locally or served publicly, there should be tooling in place to detect and
potentially safeguard from such actions.
Falco natively provides just a handful of destinations for its outputs.
And this is where the Falco Sidekick open source project comes in handy.
It can fan out Falco's output to over 60 destinations across web,
chat ops, logging, streaming, alerting, and observability platforms.
As for the web output for Falco Sidekick, there is Falco Sidekick UI, a user
friendly way to track Falco events across triggered rules, event severities,
tags of interest, and comes with Swagger documentation for API queries.
So that would be the core of our threat detection hands on lab for today.
The link here and QR code will send you to a Google Drive to download the
virtual machine pre installed with all the tools for today's session.
Let's say the last few words on the lab environment and then start the VM.
The VM's operating system is Kali Purple,
a community project focused on defensive tooling structured around the NIST
cybersecurity framework to identify, protect, detect, respond, and recover.
The project aims to become the most comprehensive "security
operations center in a box"
kind of solution.
On top of Kali Purple, first installed are several tools to easily
manage local Kubernetes cluster.
And in the cluster, Kubernetes Goat, an interactive learning platform with real
world Kubernetes misconfigurations, is spun up and we will leverage one of its
scenarios for Falco Sidekick detection.
KubeNomicon was created to document offensive and defensive Kubernetes
techniques inspired by Microsoft's Kubernetes threat matrix, which provides
a framework for understanding Kubernetes tactics in a MITRE ATT&CK style.
While the Microsoft Threat Matrix focuses on educating around Kubernetes tactics,
techniques, and procedures through definitions, KubeNomicon expands on it
by aiming to offer practical commands for both exploiting and defending against
attacks in Kubernetes environments.
For example, some of the tools that can be used to enumerate a Kubernetes
environment are nmap and metasploit.
We will also use the Atomic Red Team containerized project to simulate real
world attacks aligned with the MITRE ATT&CK framework in a Kubernetes environment.
These atomic tests are in general immensely helpful to refine and enhance
coverage by addressing any detection gaps.
As we trigger atomic tests, we will monitor Falco Sidekick UI
for real time threat detection.
Now, let's switch to the VM.
As a next logical step moving forward from today's session, I suggest
looking into recently officially published Falco Talon project, a
response engine for Falco detected threats in Kubernetes environments.
Just to name a few actions that can be automated using Falco Talon, invoking
an AWS Lambda function on a triggered Falco rule, then enforcing a Kubernetes
network policy, and labeling a pod as suspicious or terminating it.
I hope you enjoyed today's session.
And that Mark will accept my future Conf42 applications.
Linked on this slide, you can find Falco training that should
enable you to start contributing to Falco and create your own rules.
If you find today's topic interesting, join the Falco Slack community and let's
stay in touch until the next session.
Bye for now.
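As a worked companion to the Falco-to-Falco Sidekick flow the talk describes (Falco applies rules, Falco Sidekick fans the resulting events out by severity and tag), here is an added example in Python. It is not code from Falco, Falcosidekick, or the speaker. The event lines are constructed here in the field layout Falco's JSON output uses (rule, priority, tags, output, output_fields); the routing table and destination names are hypothetical; the malformed line is included on purpose, because a forwarder that reads a log stream has to skip such lines without dropping the rest.

```python
"""Fan out Falco-style JSON events to destinations by priority and MITRE tag.

Added example, not Falco or Falcosidekick code. Events below are constructed
to follow Falco's JSON output field layout; ROUTES is a hypothetical table.
"""
import json
import re
from collections import defaultdict

# Falco priority names, most to least severe (as Falco prints them).
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug"]
PRIORITY_RANK = {name: rank for rank, name in enumerate(PRIORITIES)}

# Hypothetical routing table: destination -> (minimum priority, required tag prefix).
ROUTES = {
    "logging":  ("Debug", None),       # keep every event for later forensics
    "alerting": ("Warning", None),     # page on-call from Warning upwards
    "chatops":  ("Notice", "mitre_"),  # MITRE-tagged rules go to the chat channel
}

# Constructed sample stream: one JSON event per line, plus one broken line.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"time": "2024-01-01T10:00:00.000000000Z", "priority": "Warning",
     "rule": "Delete or rename shell history", "source": "syscall",
     "tags": ["mitre_defense_evasion", "T1070"],
     "output": "10:00:00 Warning Shell history had been deleted or renamed (constructed)",
     "output_fields": {"k8s.ns.name": "default", "container.name": "goat-shell",
                       "proc.cmdline": "rm -f /root/.bash_history"}},
    {"time": "2024-01-01T10:00:05.000000000Z", "priority": "Warning",
     "rule": "Read sensitive file untrusted", "source": "syscall",
     "tags": ["filesystem", "mitre_credential_access", "T1555"],
     "output": "10:00:05 Warning Sensitive file opened for reading (constructed)",
     "output_fields": {"k8s.ns.name": "default", "fd.name": "/etc/shadow"}},
    {"time": "2024-01-01T10:00:09.000000000Z", "priority": "Notice",
     "rule": "Terminal shell in container", "source": "syscall",
     "tags": ["container", "shell", "mitre_execution", "T1059"],
     "output": "10:00:09 Notice A shell was spawned in a container (constructed)",
     "output_fields": {"k8s.ns.name": "default", "proc.name": "bash"}},
    {"time": "2024-01-01T10:00:12.000000000Z", "priority": "Debug",
     "rule": "Constructed debug-level rule", "source": "syscall", "tags": [],
     "output": "10:00:12 Debug noise (constructed)", "output_fields": {}},
]) + "\nthis line is not json and must be skipped\n"


def meets_minimum(priority, minimum):
    """True when `priority` is at least as severe as `minimum` (lower rank = more severe)."""
    return PRIORITY_RANK[priority] <= PRIORITY_RANK[minimum]


def parse_events(text):
    """Return (events, skipped): valid Falco-shaped events and the count of rejected lines."""
    events, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        # Reject records that lack the fields every downstream consumer relies on.
        if not isinstance(event, dict) or "rule" not in event \
                or event.get("priority") not in PRIORITY_RANK:
            skipped += 1
            continue
        events.append(event)
    return events, skipped


def destinations_for(event):
    """List the destinations whose minimum priority and tag filter this event satisfies."""
    tags = event.get("tags", [])
    chosen = []
    for dest, (minimum, tag_prefix) in ROUTES.items():
        if not meets_minimum(event["priority"], minimum):
            continue
        if tag_prefix and not any(t.startswith(tag_prefix) for t in tags):
            continue
        chosen.append(dest)
    return chosen


def fan_out(text):
    """Route a raw event stream; returns ({destination: [rule names]}, skipped_line_count)."""
    events, skipped = parse_events(text)
    routed = defaultdict(list)
    for event in events:
        for dest in destinations_for(event):
            routed[dest].append(event["rule"])
    return dict(routed), skipped


def technique_ids(events):
    """Collect MITRE technique IDs (tags shaped like T1234) seen across the events."""
    found = {t for e in events for t in e.get("tags", []) if re.fullmatch(r"T\d{4}", t)}
    return sorted(found)


if __name__ == "__main__":
    routed, skipped = fan_out(SAMPLE_EVENTS)
    for dest, rules in routed.items():
        print(f"{dest:9s} <- {len(rules)} event(s): {rules}")
    print("skipped lines:", skipped)
    print("techniques seen:", technique_ids(parse_events(SAMPLE_EVENTS)[0]))
```

The routing decision is the same one the Sidekick UI lets you make interactively by filtering on severity and tag; doing it in code shows why a consumer must treat Falco's priority as an ordered scale rather than a string, and why rejecting a malformed line must not abort the whole stream.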