Introduction to Threat Detection on Kubernetes with Falco
Getting started with Kubernetes is simple, particularly with a managed service such as Azure Kubernetes Service (AKS), and particularly for day-one operations. In the long term, however, you want visibility into the cluster and the ability to monitor certain events; this applies to self-managed clusters, too.
For example, spawning a shell in a container is rarely required and could indicate an attack. Falco is a threat detection engine for Kubernetes that can be used to gain visibility into such events. It is a project hosted by the Cloud Native Computing Foundation (CNCF) and was donated by Sysdig. Falco is essentially a rule engine: a driver captures syscalls in the Linux kernel, the engine evaluates them against a rule set, and an alert is generated whenever a rule matches. These alerts can be pushed to various output channels. This blog post is the first in a two-part series, and it covers the basic concepts behind Falco. The second blog post sets out the first steps with Falco on AKS and describes how to configure the basic setup and use the standard rule set. It also provides sample Log Analytics queries that allow you to learn about the present environment and adapt Falco rules to it. You can find the second blog post here.
Why you need Falco
There are many events in a Kubernetes cluster that are not common or should not even happen. Depending on the environment, there may already be mechanisms in place that allow operators to control or monitor these events, for example through a proxy. Falco makes it possible to monitor such events directly inside the cluster. The events may include the following (complete list available here):
- Outgoing connections to specific IPs or domains
- Use or mutation of sensitive files such as /etc/passwd
- Execution of system binaries such as su
- Privilege escalation or changes to the namespace
- Modifications in certain folders such as /sbin
A standard Kubernetes cluster does not provide any mechanisms for monitoring such events; a tool like Falco is therefore required. Gaining insights into such events inside the cluster makes it possible to detect attacks and potential malicious behavior and to alert operations staff at an early stage.
As with any tool, there are limitations. For example, a supply chain attack based on a malicious image does not trigger any of these events. A demonstration of such an attack can be found in this CNCF Community talk.
From a high-level view, Falco comprises the following components:
- Event sources (drivers, Kubernetes audit events)
- A rule engine and a rule set
- An output system integration
Falco internals (cf. Falco Docs, distributed under CC BY 4.0).
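To make the event list above and the "rule set" component concrete, here is a small rule file written in Falco's rule syntax (lists, macros and rules). It is an added example modelled on the upstream rule format, not part of the original post and not Falco's default rule set; the IP addresses, the `blocked_destinations` list name and the tags are constructed placeholders, and the `outbound` macro is a deliberately simplified version of the one shipped with Falco.

```yaml
# Added example: a minimal Falco rule set covering four of the event
# kinds named in the post. Lists and macros are reused by several rules;
# every condition is evaluated against each captured syscall event.

# Shells that are rarely legitimate inside a production container.
- list: shell_binaries
  items: [bash, sh, zsh, ash, dash, ksh]

# System binaries whose execution in a container deserves an alert.
- list: sensitive_binaries
  items: [su, sudo]

# Constructed placeholder destinations (TEST-NET ranges, not real hosts).
- list: blocked_destinations
  items: ["203.0.113.10", "198.51.100.25"]

# Files whose contents should not be read by workload processes.
- list: sensitive_files
  items: [/etc/passwd, /etc/shadow, /etc/sudoers]

# True when the event originates from a container rather than the host.
- macro: container
  condition: (container.id != host)

# A completed execve/execveat call, i.e. a new process image was loaded.
- macro: spawned_process
  condition: (evt.type in (execve, execveat) and evt.dir=<)

# A completed open/openat call on a regular file with read access.
- macro: open_read
  condition: (evt.type in (open, openat) and evt.dir=< and evt.is_open_read=true and fd.typechar='f')

# Simplified outbound-connection macro: successful connect() on an IPv4/IPv6 socket.
- macro: outbound
  condition: (evt.type=connect and evt.dir=< and (fd.typechar=4 or fd.typechar=6) and evt.rawres>=0)

- rule: Terminal shell in container
  desc: A shell was started inside a container, which is rarely needed in production.
  condition: spawned_process and container and proc.name in (shell_binaries)
  output: "Shell spawned in container (user=%user.name container=%container.id image=%container.image.repository shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
  priority: WARNING
  tags: [container, shell, example]

- rule: Sensitive binary executed in container
  desc: su or sudo was executed inside a container.
  condition: spawned_process and container and proc.name in (sensitive_binaries)
  output: "Sensitive binary executed in container (user=%user.name container=%container.id binary=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
  priority: WARNING
  tags: [container, privilege_escalation, example]

- rule: Sensitive file read in container
  desc: A process inside a container read a credential or account file.
  condition: open_read and container and fd.name in (sensitive_files)
  output: "Sensitive file read in container (user=%user.name container=%container.id file=%fd.name process=%proc.name cmdline=%proc.cmdline)"
  priority: WARNING
  tags: [container, filesystem, example]

- rule: Outbound connection to blocked destination
  desc: A container opened a connection to an address on the blocked list.
  condition: outbound and container and fd.sip in (blocked_destinations)
  output: "Outbound connection to blocked destination (container=%container.id image=%container.image.repository process=%proc.name destination=%fd.sip:%fd.sport)"
  priority: NOTICE
  tags: [container, network, example]
```

Each `output` string is a template: the `%field` placeholders are filled from the matching event, so the alert carries the process, user and container context needed for triage. Where the alert is delivered is configured separately in falco.yaml (for example `json_output` and the `stdout_output`, `file_output` and `http_output` sections), which is the "output system integration" component in the list above.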
The momentum and acceleration of digital transformation has become obvious – over the past few months more than ever before. Consumers drive this change. Working, learning and shopping from home bring about challenges and opportunities – for consumers and for businesses. And this will continue, most likely accelerate.
Why does your business need a plan for Lifelong Learning in the current challenging setup? In this new situation, businesses require different know-how, new skill sets and adapted leadership. A few examples of what is required now more than ever: connect with existing and new customers via digital channels, improve the user experience in the digital sphere (e.g. optimization for smartphone, a page speed of maximum 3 seconds), introduce or optimize e-commerce and lead generation, offer video content regarding own products and services. Most businesses in Switzerland have yet massive “homework to do” in regards to these topics; and this poses yet again challenges and opportunities.
3 success factors to succeed navigating a course through troubled waters
- Firstly, our society needs to help people directly with health and well-being. People first. We need to provide tools to keep up and alive social contacts to family members and beloved ones over a (safe) distance. We need to help with platforms for great content of mental health and fitness, but also relaxing entertainment. We need to equip students to study from home. And we need to provide tools for many people to work from home – whenever possible – and manage the challenging balance of caregiving (for oneself and others) as well as work. Technology can help to create a sense of community by connecting people even when physical meetings are not possible.
- Secondly, we need to help businesses to manage the transformation to more business opportunities via digital channels, to help customers, to answer questions and to secure jobs. In a business environment, employees need to fully understand the potential and adopt new technologies that are often easily accessible over digital – whether a video conferencing solution, collaboration platform, internal process automatization or customer engagement and programmatic advertising platforms – it’s all available in the cloud and ready for adoption. Why such a strong focus on digital? Digital tools and skills have proven to be a lifeline in the recent crisis. Digital transformation can be a catalyst for accelerating recovery – for companies, their staff, customers, and the wider economy and society overall.
- Thirdly, we all need to engage and help via partners and organizations to enable at least some continuity in cultural and societal life and important non-profit areas, e.g. by getting involved in an NGO Event, engaging in the area of media literacy via an organization like ProJuventute, in the area of sustainability, research & academia, arts & culture, sports and others. We can help those who are most vulnerable from the crisis and ensure they find new training and opportunities in life, and to access new types of jobs thanks to digital in the future. This is what brings about a perspective not only in work but also in private life.
When tackled strategically the path of managing digital transformation thanks to a learning plan and mindset can be one of many more opportunities than risks; in the mid to long run technology will both help us to put business on a sustainable footing and create a more resilient, and a more human, future – that will let us steer into calmer waters yet again.