Upgrade to Pro — share decks privately, control downloads, hide ads and more …

How to Use CNCF’s Falco to Protect Yourself Fro...

How to Use CNCF’s Falco to Protect Yourself From the New SCARLETEEL Attack! by Marat Salakhutdinov @Sysdig

cncf-canada-meetups

October 18, 2023
Tweet

More Decks by cncf-canada-meetups

Other Decks in Technology

Transcript

  1. How to Use CNCF’s Falco to Protect Yourself From the

    New SCARLETEEL Attack! Marat Salakhutdinov Senior Customer Solutions Engineer at Sysdig
  2. Sysdig 2023 Global Cloud Threat Report 1. Cloud Automation Weaponized

    2. 10 Minutes to Pain - every second counts 3. A 90% Safe Supply Chain Isn’t Safe Enough 4. Attackers are Hiding Among the Clouds 5. 65% of Cloud Attacks Target Telcos and FinTech
  3. What is Falco? • Runtime security engine • Observability for:

    ◦ Endpoints ◦ Cloud infrastructure • Built on eBPF • Integrated with Kubernetes CNCF INCUBATED PROJECT
  4. Beyond system calls and containers Plugins are dynamic shared libraries

    which allow Falco to collect and extract fields from streams of events
  5. Resources Get started at Falco.org Check out the Falco project

    in Github Get involved in the Falco community Meet the maintainers on the Falco Slack Follow @falco_org on Join a Falco workshop
  6. Demo Environment Details K8S cluster running on an EC2 node

    (with IMDSv1). • Vulnerable Spring Boot Application • Falco as a daemon set on k8s cluster • Falco Sidekick • Falco Sidekick UI • Falco Cloudtrail plugin • Falco AWS Cloudtrail terraform module An attacker host to execute the infiltration and exploit of the attack. • Rootkit installed. • Other tools to escalate privileges and lateral movement.
  7. Is runtime security enough? What helps the attacker to execute

    the attack: • Vulnerable packages • Vulnerable binaries ◦ In Runtime • Privileged containers • Extensive Permissions • Misconfigurations 12 Vulnerability Management * CSPM / KSPM / CIEM * CNAPP * * - its all can be done by Sysdig CNAPP Platform
  8. CNAPP: SCARLETEEL - Sysdig demo lab Features and flows of

    the Lab: • Runtime Threat Detection and Response • Cloud Threat Detection (AWS account) • Vulnerability Management for K8s workloads • Security Posture ◦ CSPM: Cloud Security Posture Management ◦ CIEM: Cloud Identities and Entitlements Management 13