Upgrade to Pro — share decks privately, control downloads, hide ads and more …

How to Use CNCF’s Falco to Protect Yourself From the New SCARLETEEL Attack! by Marat Salakhutdinov @Sysdig

cncf-canada-meetups
October 18, 2023
Technology
0
19

How to Use CNCF’s Falco to Protect Yourself From the New SCARLETEEL Attack! by Marat Salakhutdinov @Sysdig

cncf-canada-meetups

October 18, 2023
Tweet

More Decks by cncf-canada-meetups

See All by cncf-canada-meetups
[ CNCF Q1 2024 ] Intro to Continuous Profiling and Grafana Pyroscope
cncfcanada
0
17
[CNCF Q1 2024] Remediate Kubernetes Security Threats in Real-Time with Falco Talon
cncfcanada
0
4
[Q2 CNCF 2023] Metrio, a Cloud run journey
cncfcanada
0
10
[CNCF Q1 2024] Agentic Installer LLMs Helm Charts by Chris Gruel @Akeyless
cncfcanada
0
7
Karpenter @LightSpeed
cncfcanada
0
26
Shorten the dev loop with mirrord
cncfcanada
0
14
October 2023 Montreal CNCF Meetup
cncfcanada
0
31
Beyond Dashboarding The Grafana Observability Stack by Steve Caron
cncfcanada
0
53
CNCF montreal - OpenSLO by Simon Boyer @Arctiq
cncfcanada
0
44

Other Decks in Technology

See All in Technology
複雑なビジネスルールに挑む:正確性と効率性を両立するfp-tsのチーム活用術 / Strike a balance between correctness and efficiency with fp-ts
kakehashi
5
3.7k
Password cracking: past, present, future
openwall
0
320
拓展QA日常工作的邊界
line_developers_tw
PRO
0
690
CloudflareとHonoを使って飲食店のレビューができるLINEアプリを作った
shinaps
2
770
スクラムに出会って「できた」を実感できるようになってきた話 / Scrum makes me feel like I can do it
yayoi_dd
2
120
マルチテナントマルチクラスタKubernetesでもUXを損なわない認証認可の勘所
pfn
PRO
1
170
Google Cloud Next '24 Recap in ZOZO AIに対応したBigQueryと今後のデータ分析について / AI-enabled BigQuery and future data analysis
shunsuke1014
0
140
20240516 OpenID TechNight Vol.21 OpenIDファウンデーション・ジャパンの 今後の活動について
oidfj
0
190
Domain-driven Design: A Complete Example
ewolff
2
280
YJIT Makes Rails 1.7x faster / RubyKaigi 2024
k0kubun
4
630
SLOいつ決めましょう?
abnoumaru
3
890
【SORACOM UG 四国】今だからこそ学ぶ!IoTの全体像と最新事例、生成AIの基礎
soracom
PRO
2
210

Featured

See All Featured
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
9
1.3k
Become a Pro
speakerdeck
PRO
13
4.6k
Testing 201, or: Great Expectations
jmmastey
30
6.4k
The Power of CSS Pseudo Elements
geoffreycrofte
62
5k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
34
6.1k
Stop Working from a Prison Cell
hatefulcrawdad
266
19k
How To Stay Up To Date on Web Technology
chriscoyier
782
250k
The MySQL Ecosystem @ GitHub 2015
samlambert
244
12k
Making the Leap to Tech Lead
cromwellryan
125
8.6k
Web Components: a chance to create the future
zenorocha
306
41k
How GitHub Uses GitHub to Build GitHub
holman
468
290k
Code Reviewing Like a Champion
maltzj
516
39k

Transcript

  1. How to Use CNCF’s Falco to Protect Yourself From the

    New SCARLETEEL Attack! Marat Salakhutdinov Senior Customer Solutions Engineer at Sysdig

  2. Marat Salakhutdinov Senior Customer Solutions Engineer @Sysdig linkedin: https://www.linkedin.com/in/salakhutdinov/ email:

    [email protected]
  3. None

  4. Sysdig 2023 Global Cloud Threat Report 1. Cloud Automation Weaponized

    2. 10 Minutes to Pain - every second counts 3. A 90% Safe Supply Chain Isn’t Safe Enough 4. Attackers are Hiding Among the Clouds 5. 65% of Cloud Attacks Target Telcos and FinTech

  5. SCARLETEEL attack 5

  6. “The Security Camera for Modern Apps” created by Sysdig

  7. What is Falco? • Runtime security engine • Observability for:

    ◦ Endpoints ◦ Cloud infrastructure • Built on eBPF • Integrated with Kubernetes CNCF INCUBATED PROJECT

  8. Beyond system calls and containers Plugins are dynamic shared libraries

    which allow Falco to collect and extract fields from streams of events

  9. Resources Get started at Falco.org Check out the Falco project

    in Github Get involved in the Falco community Meet the maintainers on the Falco Slack Follow @falco_org on Join a Falco workshop

  10. Demo Environment Details K8S cluster running on an EC2 node

    (with IMDSv1). • Vulnerable Spring Boot Application • Falco as a daemon set on k8s cluster • Falco Sidekick • Falco Sidekick UI • Falco Cloudtrail plugin • Falco AWS Cloudtrail terraform module An attacker host to execute the infiltration and exploit of the attack. • Rootkit installed. • Other tools to escalate privileges and lateral movement.

  11. Demo time 11

  12. Is runtime security enough? What helps the attacker to execute

    the attack: • Vulnerable packages • Vulnerable binaries ◦ In Runtime • Privileged containers • Extensive Permissions • Misconfigurations 12 Vulnerability Management * CSPM / KSPM / CIEM * CNAPP * * - its all can be done by Sysdig CNAPP Platform

  13. CNAPP: SCARLETEEL - Sysdig demo lab Features and flows of

    the Lab: • Runtime Threat Detection and Response • Cloud Threat Detection (AWS account) • Vulnerability Management for K8s workloads • Security Posture ◦ CSPM: Cloud Security Posture Management ◦ CIEM: Cloud Identities and Entitlements Management 13