Slide 1

Slide 1 text

How to Use CNCF’s Falco to Protect Yourself From the New SCARLETEEL Attack!
Marat Salakhutdinov, Senior Customer Solutions Engineer at Sysdig

Slide 2

Slide 2 text

Marat Salakhutdinov
Senior Customer Solutions Engineer @Sysdig
linkedin: https://www.linkedin.com/in/salakhutdinov/
email: [email protected]

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

Sysdig 2023 Global Cloud Threat Report
1. Cloud Automation Weaponized
2. 10 Minutes to Pain - every second counts
3. A 90% Safe Supply Chain Isn’t Safe Enough
4. Attackers are Hiding Among the Clouds
5. 65% of Cloud Attacks Target Telcos and FinTech

Slide 5

Slide 5 text

SCARLETEEL attack

Slide 6

Slide 6 text

“The Security Camera for Modern Apps” created by Sysdig

Slide 7

Slide 7 text

What is Falco?
● Runtime security engine
● Observability for:
  ○ Endpoints
  ○ Cloud infrastructure
● Built on eBPF
● Integrated with Kubernetes
CNCF INCUBATED PROJECT

Slide 8

Slide 8 text

Beyond system calls and containers
Plugins are dynamic shared libraries that allow Falco to collect and extract fields from streams of events

Slide 9

Slide 9 text

Resources
Get started at Falco.org
Check out the Falco project on GitHub
Get involved in the Falco community
Meet the maintainers on the Falco Slack
Follow @falco_org on
Join a Falco workshop

Slide 10

Slide 10 text

Demo Environment Details
K8S cluster running on an EC2 node (with IMDSv1).
• Vulnerable Spring Boot Application
• Falco as a DaemonSet on the k8s cluster
• Falco Sidekick
• Falco Sidekick UI
• Falco CloudTrail plugin
• Falco AWS CloudTrail Terraform module
An attacker host to execute the infiltration and exploit of the attack.
• Rootkit installed.
• Other tools for privilege escalation and lateral movement.
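The demo node runs IMDSv1, which means any process that can reach 169.254.169.254 can read the node's IAM role credentials without a session token. A practical check for that environment is a Falco rule that alerts when a container process connects to the metadata endpoint. The rule below is an added example written for this page, not part of the talk or of Falco's shipped rule set; the `container` macro reproduces the one from Falco's default rules, and the allow-list image names are placeholders to be replaced with the full image repository paths that legitimately query IMDS in your cluster.

```yaml
# Added example (not from the talk): alert when a container process opens a
# connection to the EC2 instance metadata endpoint. On an IMDSv1 node this
# endpoint hands out the node's IAM role credentials to any caller.
- macro: container
  condition: container.id != host

# Assumption: which images may legitimately reach IMDS is environment specific.
# The entries below are placeholders; use full repository paths (no tag).
- list: allowed_metadata_images
  items: [registry.example.internal/metadata-agent, registry.example.internal/node-cni]

- rule: Contact EC2 Instance Metadata Service From Container
  desc: >
    Detect a container process connecting to the EC2 instance metadata
    service (169.254.169.254). On IMDSv1 a successful request returns the
    node's IAM role credentials, so unexpected callers should be investigated.
  condition: >
    evt.type = connect and evt.dir = < and
    container and
    fd.sip = "169.254.169.254" and
    not container.image.repository in (allowed_metadata_images)
  output: >
    Outbound connection to EC2 instance metadata service
    (user=%user.name command=%proc.cmdline connection=%fd.name
    container=%container.info image=%container.image.repository
    k8s_pod=%k8s.pod.name k8s_ns=%k8s.ns.name)
  priority: NOTICE
  tags: [network, aws, container]
```

Drop the file into `/etc/falco/rules.d/` (included by the default `falco.yaml`) or pass it with `falco -r`; in the demo setup Falco Sidekick forwards the resulting events to the Sidekick UI. Detection does not remove the exposure: requiring IMDSv2 with a hop limit of 1 on the instance is what stops a container from obtaining node credentials in the first place, and the rule then serves to catch attempts.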

Slide 11

Slide 11 text

Demo time

Slide 12

Slide 12 text

Is runtime security enough?
What helps the attacker to execute the attack:
● Vulnerable packages
● Vulnerable binaries
  ○ In runtime
● Privileged containers
● Extensive permissions
● Misconfigurations
Vulnerability Management *
CSPM / KSPM / CIEM *
CNAPP *
* - all of these can be done with the Sysdig CNAPP Platform

Slide 13

Slide 13 text

CNAPP: SCARLETEEL - Sysdig demo lab
Features and flows of the Lab:
● Runtime Threat Detection and Response
● Cloud Threat Detection (AWS account)
● Vulnerability Management for K8s workloads
● Security Posture
  ○ CSPM: Cloud Security Posture Management
  ○ CIEM: Cloud Identities and Entitlements Management