The Girl in the Red Cloak
Threat Validation
The forest presents strange things: unexpected movement, figures where none should be, sounds that don't belong. But not every anomaly is a threat. Still, you can't risk ignoring them.
Set up alerts and monitoring to catch unusual activity, for example:
- CPU spikes,
- unexpected processes,
- strange network connections.
Always validate an alert before escalating it.
Prevent misuse of resources and possible attacks by stopping malicious activity at the kernel level. The word of the day is eBPF (extended Berkeley Packet Filter).
Example: Use Tetragon eBPF Security
Tetragon is an open-source eBPF-based security observability and runtime enforcement tool for Kubernetes. It can monitor system calls, network activity, and file operations in real time, allowing you to detect and respond to suspicious behavior.
The following Tetragon policy blocks the execution of any binary located in the /tmp directory for pods labeled with app: dks. If a process attempts to execute a binary from this location, it will be terminated with a SIGKILL signal.
```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicyNamespaced
metadata:
  name: block-exec-from-tmp
spec:
  podSelector:
    matchLabels:
      app: "dks"
  kprobes:
  - call: "security_bprm_check"
    selectors:
    - matchBinaries:
      - operator: Prefix
        values:
        - "/tmp/"
      matchActions:
      - action: Sigkill
```
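The policy above enforces only inside pods labeled app: dks; an exec from /tmp anywhere else still produces an event but nobody is killed, and that is exactly the kind of alert the "validate before escalating" rule applies to. The following triage script is an added example, not code from the original page or from the Tetragon project. It assumes Tetragon's JSON event stream (one object per line with a process_exec or process_kprobe key, a nested process object carrying binary and pod.pod_labels, and a KPROBE_ACTION_SIGKILL action on enforced kprobe events); the sample events are constructed, not a real capture.

```python
"""Triage Tetragon-style JSON events against the block-exec-from-tmp policy.

Added example (not from the original page or the Tetragon project). The event
shape below is an assumption about Tetragon's JSON output; adjust the key
names if your tetra/Tetragon version emits different ones.
"""
import json

WATCHED_PREFIX = "/tmp/"
POLICY_LABELS = {"app": "dks"}  # the podSelector of the policy above

# Constructed sample events (hypothetical pods and pids, shaped like Tetragon JSON lines).
SAMPLE_EVENTS = "\n".join([
    json.dumps({"process_exec": {"process": {"pid": 1201, "binary": "/tmp/dropper",
                "pod": {"name": "dks-7f9", "namespace": "prod", "pod_labels": {"app": "dks"}}}}}),
    json.dumps({"process_kprobe": {"process": {"pid": 1201, "binary": "/tmp/dropper",
                "pod": {"name": "dks-7f9", "namespace": "prod", "pod_labels": {"app": "dks"}}},
                "function_name": "security_bprm_check", "action": "KPROBE_ACTION_SIGKILL"}}),
    json.dumps({"process_exec": {"process": {"pid": 2044, "binary": "/tmp/run.sh",
                "pod": {"name": "web-1", "namespace": "prod", "pod_labels": {"app": "web"}}}}}),
    json.dumps({"process_exec": {"process": {"pid": 3090, "binary": "/usr/bin/curl",
                "pod": {"name": "dks-7f9", "namespace": "prod", "pod_labels": {"app": "dks"}}}}}),
    json.dumps({"process_exit": {"process": {"pid": 3090, "binary": "/usr/bin/curl"}}}),
])


def parse_events(text):
    """Yield (event_type, payload) per JSON line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        for key, payload in obj.items():
            if key.startswith("process_"):  # process_exec, process_kprobe, process_exit, ...
                yield key, payload
                break


def labels_match(pod, wanted):
    """True when every label in `wanted` is present with the same value on the pod."""
    labels = (pod or {}).get("pod_labels") or {}
    return all(labels.get(k) == v for k, v in wanted.items())


def triage(text):
    """Classify every exec of a binary under /tmp.

    enforced:         pod is in the policy's scope and a SIGKILL kprobe event
                      confirms Tetragon acted; nothing left to do but record it.
    needs_validation: exec from /tmp outside the policy's scope, or in scope but
                      with no kill observed (policy missing or not loaded); a
                      human must validate before escalating.
    ignored:          exec events that never touched /tmp.
    """
    events = list(parse_events(text))
    killed = {(p["process"]["pid"], p["process"]["binary"])
              for t, p in events
              if t == "process_kprobe" and p.get("action") == "KPROBE_ACTION_SIGKILL"}
    result = {"enforced": [], "needs_validation": [], "ignored": 0}
    for t, p in events:
        if t != "process_exec":
            continue
        proc = p["process"]
        if not proc["binary"].startswith(WATCHED_PREFIX):
            result["ignored"] += 1
            continue
        key = (proc["pid"], proc["binary"])
        in_scope = labels_match(proc.get("pod"), POLICY_LABELS)
        if in_scope and key in killed:
            result["enforced"].append(key)
        else:
            result["needs_validation"].append(key)
    return result


if __name__ == "__main__":
    # Run against the constructed sample; with live data, pipe `tetra getevents -o json` in instead.
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

On the sample the /tmp/dropper exec in the dks pod lands in enforced (the kprobe event carries the Sigkill action), while /tmp/run.sh in the web pod lands in needs_validation because the policy's podSelector never covered it; the curl exec is counted as ignored. Feeding the script a stream where the policy is not loaded moves every in-scope /tmp exec into needs_validation, which is a quick check that enforcement is actually active.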
Exercise
- Set up Tetragon in a test Kubernetes cluster.
- Create a policy to monitor and log any attempts to access sensitive files.
