►
From YouTube: Finding the Needles in a Haystack: Identifying Suspicious Behaviors... Jeremy Cowan & Wasiq Muhammad
Description
Don't miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe in Amsterdam, The Netherlands from 18 - 21 April, 2023. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Finding the Needles in a Haystack: Identifying Suspicious Behaviors with eBPF - Jeremy Cowan & Wasiq Muhammad, Amazon Web Services
As the popularity of Kubernetes has grown, so has its appeal as a target. In an increasingly hostile environment, the ability to quickly flag suspicious behaviors and investigate and identify their source is becoming crucial. In this talk you will learn how AWS is using eBPF to identify a variety of security risks, e.g. communication with known command and control systems, Tor clients, cryptocurrency miners, and other malicious activity. You will also hear why AWS put eBPF above other options and the lessons they learned along the way.
A
A
And
today
we're
going
to
be
talking
to
you
about
finding
the
needles
in
Haystack
or
identifying
suspicious
behaviors,
with
evpf
and
I'd
like
to
start
by
first
looking
at
the
challenges
that
you're
likely
to
encounter
When
developing
a
solution
for
detecting
threats
in
runtime
events.
Now,
for
starters,
the
solution
should
be
lightweight
and
stable.
It
also
should
be
able
to
handle
a
high
volume
of
events,
and,
assuming
that
you
can
overcome
those
challenges,
you
then
need
to
separate
the
wheat
from
the
chaff.
A
So
there
are
various
approaches
to
this
problem.
We
could
have
tried
to
extend
the
linguist
kernel
and
the
advantage
there
is
that
you
have
enormous
flexibility.
However,
the
likelihood
that
your
change
is
going
to
be
accepted
Upstream
is
significantly,
as
is
significantly
small,
because
when
modifying
the
kernel,
your
changes
typically
have
to
be
broadly
applicable,
and
so
it's
unlikely
that
you
would
choose
to
extend
the
the
Linux
kernel
to
solve
this
type
of
problem.
A
You
could
also
try
deploying
a
sidecar
container,
and
this
is
good
because
you
have
a
separation
of
concerns.
You
don't
have
to
muddy
your
application
logic
with
security
code,
but
this
increases
overhead
and
it
can
be
circumvented.
So,
for
example,
if
you're
using
an
emission
controller
to
inject
a
sidecar
into
a
container,
that's
deployed
into
a
particular
particular
namespace
you
could
you
could
circumvent
that
by
deploying
a
pod
into
a
different
namespace,
for
instance,.
A
For
instance,
programs,
ebpf
programs
are
typically
considered
safe
to
run
because
they're
sandboxed
they
also
only
have
read-only
access
to
the
system
called
parameters.
They
can't
modify
the
parameters
of
the
of
the
syscalls
they're,
also
very
performant,
because
they
run
within
kernel
space
and
they
can
be
loaded
dynamically.
That
is,
they
don't
require
you
to
reboot.
A
The
system,
which
is
really
nice
and
ebpf,
has
really
evolved,
since
it
was
initially
introduced
in
the
Linux
kernel,
3.18
I
believe
it
was,
and
at
that
time
it
was
largely
designed
for
filtering
Network
traffic,
but
it
has
since
evolved,
and
new
capabilities
have
been
added
to
it.
To
now
where
you
can
deny
certain
syscalls
and
the
the
implementation
that
we're
probably
a
lot
of
us
are
probably
familiar
with
is
is
SEC
comp.
A
Okay,
so
let
me
spend
a
moment
here
to
explain
how
it
works.
So,
first,
the
the
operating
system,
loads,
your
evpf
program
or
the
byte
code
for
your
ebpf
program
verifies
that
it's
safe
to
run.
It's
typically
run
through
a
verifier
looking
for
things
like
infinite
loops
and
that
your
program,
exits,
gracefully
and
so
on.
A
The
program
is
then,
just
just
in
time
compiled
and
then
run,
and
typically
there
is
a
an
accompanying
user
space
application
that
is
used
to
load
the
ebpf
program
and
then
reads
the
output
or
enriches
the
output
with
additional
metadata
like
in
a
kubernetes
environment.
It's
it's
valuable
to
know
the
container
ID
or
the
Pod
name,
but
reading
that
output
from
ebbf
is
completely
optional.
You
don't
you
don't
have
to
do
that
and
I
feel
like
this
is
a
replica
of
Liz's
slide
from
this
morning.
A
This
basically
is
depicting
how
applications
in
user
space
communicate
with
with
the
kernel.
You
know
this
happens
when
you
have
an
application
that
has
to
access
an
area
of
memory
or
accessing
a
file
on
disk
it.
It
interfaces
through
interfaces
with
the
kernel
through
these
syscalls
and
ebpf
can
attach
itself
or
an
ebpf
program
can
attach
itself
to
these
to
these
syscalls,
and
that's
where
you
can.
You
can
get
additional
information
about
the
the
program
that
invoked
that
particular
syscall.
A
A
The
first
is
a
project
from
solo.
I
o
called
Bumblebee,
which
I'll
say
automatically
generates
boilerplate
code.
Based
on
your
answers
to
a
series
of
questions.
It
also
comes
with
the
CLI,
which
makes
loading
your
evpf
program
relatively
easy.
The
other
resource
is
a
book
that
appeared
on
Liz's
slide
this
morning.
Called
learning
evpf
I
managed
to
get
through,
like
the
first
half
dozen
chapters
very,
very
good
resource
on
ebpf,
especially
if
you're
getting
started
and
then
the
last
resource
that
I'll
mention
here
is
the
ebpf
summit.
A
And
similar
to
the
earlier
slide,
where
I
showed
you
the
advantages
and
disadvantages
of
different
approaches
to
threat
detection
I've
created
a
table
here,
showing
the
advantages
and
disadvantages
of
evpf.
We
know
from
earlier
that
it's
extremely
versatile
and
faster
to
write
and
deploy
than
say,
Linux
kernel
module
or
to
change
the
kernel
itself.
A
A
It
is
still
pretty
hard,
but
I'm
sure
that,
as
it
becomes
increasingly
popular
that
these
challenges
will
be
overcome
as
for
common
use,
cases
for
evpf
security,
of
course,
but
it's
also
found
in
a
lot
of
networking
applications
and
observability
tools
like
Hubble,
which
you
saw
a
few
pictures
of
during
the
keynote,
along
with
Pixie
and
lots
of
other
networking
and
observability
tools,
and
at
AWS
we
love
evpf.
We
have
several
groups
that
are
using
it.
It's
becoming
increasingly
popular
at
AWS.
A
Here
are
a
smattering
of
examples
of
how
AWS
is
making
use
of
ebpf.
Lambda
is
using
it
today
to
create
pools
of
geneve
network
tunnels,
and
this
allowed
us
to
reduce
the
VPC
function.
Code
start
from
150
milliseconds
to
150
microseconds,
a
pretty
significant
Improvement
and
then
VPC
is
actually
using
it
in
several
different
places.
They're
currently
using
it
to
observe
TCP
TCP
flow
level
performance.
A
A
And
then,
why
EBP,
why
ebpf
for
guard
Duty,
ebpf
elected
to
use
guard
Duty
elected
to
use
ebpf
for
threat
detection
for
a
variety
of
reasons?
First,
it
can
be
implemented
quickly,
as
I
mentioned.
There's
less
apprehension
about
installing
evpf
programs
than
there
is
about
kernel
modules,
because
they're,
because
evpf
programs
are
sandboxed
and
ebpf
programs
are
relatively
easy
to
install
and
update.
A
Finally,
ebpf
provides
Rich
information
about
kernel
events,
and
these
these
events
can
be
enriched
with
additional
information
like
container
ID
and
pod
name,
which
gives
gives
the
the
user
additional
context
to
help
identify
threats
to
their
environment
and
ebpf
can
be
used
to
provide
protection
at
runtime,
which
also
makes
it
very
appealing
for
threat
prevention,
which
you
might
talk
about
later
right,
yeah.
So
today,
car
duty
is
primarily
using
it
for
threat
detection,
but
the
appealing
thing
about
evpf
is
that
it
could
be
used
to
prevent
prevent
attacks
in
addition
to
detecting
them.
B
When,
when
you're
using
system
called
tracing
For
Thread
detection,
there
are
three
main
objectives:
number
one
you
need
to
capture
the
input.
Arguments
of
the
system
calls
so
that
you
could
figure
out
what
it
is
trying
to
do.
Number
two:
you
need
to
capture
the
details
of
the
actor
process
or
the
process
that
invoke
the
system
call
number
three.
You
may
also
need
to
capture
the
the
written
value
of
the
system
call,
so
you
could
figure
out
if
the
system
call
was
successful
or
it
returned.
An
error.
B
For
system
called
tracing
one
such
hook
point
is
system
called
enter
hook
or
system
call
enter
Trace
point
this
Trace
Point
triggers
as
soon
as
the
kernel
starts
processing
the
system
call
when
an
ebpf
probe
is
attached
to
this
Trace
point.
The
kernel
passes
all
the
input
arguments
of
the
system
call
to
the
abpf
probe.
The
ebpf
probe
can
also
get
the
details
of
the
actor
process
from
the
task
structure,
which
is
an
internal
kernel
structure.
B
B
B
In
order
to
get
the
return
value,
the
primary
option
is
to
hook
into
the
system,
called
exit,
Trace
point
or
hook
when
you
attach
a
probe
to
that
or
ebpf
probe.
To
that
the
kernel
passes
the
written
value
of
the
system
call
to
your
ebpf
probe.
You
can
collect
the
return
value
and
send
it
to
the
user
space.
B
B
B
Now,
your
ebpf
probe
in
this
case
has
to
read
the
path
name
from
from
this
user
space
address
and
some
point
later,
the
kernel
also
reads
the
same
path:
name
from
the
same
user
space
address.
You
can
notice
that
there
is
a
Time
window
between
the
time
when
the
ebpf
probe
reads
the
path
name
and
the
kernel
reads.
The
path
name
right
and
an
attacker
can
potentially
exploit
this
time
window.
B
B
When
you
hook
to
your
ebpf
probe
to
this
internal
kernel
function,
you
can
read
the
path
name
from
internal
kernel:
data
structures,
for
example.
The
file
is
struck
in
this
case.
This
is
not
vulnerable
to
race
conditions
or
time
of
check
time
of
use
exploitation,
because
a
user
space
attacker
cannot
manipulate
the
internal
kernel
function.
B
A
significant
percentage
of
our
customers
now
use
container
workloads
on
platforms
like
Amazon
eks
when
it
comes
to
threat
detection.
The
primary
demand
is
that
the
detections
should
contain
container
level
details.
In
other
words,
if
a
detection
originated
from
inside
a
container,
it
should
have
the
details
of
that
container.
Otherwise
that
detection
is
not
very
useful
or
actionable
for
them.
B
B
So
we
are
able
to
get
all
the
process
level
details
from
the
kernel,
such
as
the
PID
of
the
process,
executable
path.
We
are
also
even
able
to
get
the
container
ID
if,
if
a
process
happens
to
be
running
inside
a
container
from
the
kernel,
of
course,
there
is
some
information
which
is
not
available
inside
the
kernel.
We
have
to
get
it
from
the
user
space
so,
for
example,
container
image
name
image
digest.
We
have
to
get
it
from
the
user
space.
B
Now,
what
type
of
events
we
are
collecting
Linux
supports,
or
has
300
plus
system
calls
ebpf,
can
capture
all
those,
but
that
wouldn't
be
very
efficient.
So
what
we
do?
We
try
to
collect
all
the
relevant
system
call
events
which
are
valuable
in
terms
of
thread
detection,
some
of
the
main
ones
that
we
collect
include
process
creation,
execution
events.
B
B
Next
up,
we
also
collect
file
system
operations
such
as
file,
open
and
file
mounts
file
system
mounts.
These
events
allow
us
to
identify
suspicious
file
system
operations.
They
also
allow
us
to
track
file
system
activity
of
various
processes,
executables
pods
and
containers,
and
then
another
useful
category
is
network
connection
events.
B
B
B
B
B
B
B
We
then
also
Pass
events
to
our
estate
less
rules.
These
are
the
rules
which
are
which
use
a
single
event
in
isolation,
and
then
we
also
have
more
complex
stateful
rules
which
depend
on
more
than
one
events
and
in
future
we
also
plan
to
pass
these
events
to
machine
learning
in
order
to
profile
behavior
of
various
entities
in
customers,
environment
and
use
those
learnings
for
anomaly.
Detection.
B
So,
in
the
first
step,
when
the
attacker
downloads,
the
crypto
Miner
using
file
system
operations,
we
detect
that
a
new
file
has
been
downloaded
at
runtime,
which
is
kind
of
container
runtime
drift
right.
At
this
point,
we
don't
generate
any
detection.
We
just
maintain
or
store
these
States
state
that
this
is
a
new
file
which
has
been
downloaded
to
The
Container
at
runtime.
B
B
B
We
have
the
the
IP
address
of
that
mining
pool
as
a
known
IP,
address
or
known
mining
pool
IP
address
when
it
connects
to
that
IP
address.
Based
on
the
threat
intelligence,
we
are
able
to
generate
a
Direction,
so
these
are
the
types
of
detections
which
ebpf
allows
us
to
generate
the
main
difference.
The
the
main
point
here
is
that
that
we
are
able
to
provide
detailed
context
information
in
these
detections.
B
For
example,
this
is
for
the
new
binary
executed
file
finding
and
in
this
case,
binary
path,
which
is
the
path
of
the
new
binary
which
was
executed
and
the
process
that
created
the
binary
or
modified
the
binary.
We
are
able
to
provide
the
details
of
that
process,
yeah,
so
I'm
going
to
pass
to
Jeremy
to
wrap
up
the
presentation.
A
Ebpf
is
an
attractive
option
for
threat
detection,
because
it
can
capture
events
from
the
kernel,
and
the
data
can
also
be
enriched
to
provide
additional
context,
and
it's
really
good
for
threat
detection
applications
such
as
guard
Duty,
because
it's
lightweight
it's
portable
and
doesn't
require
changes
to
the
kernel,
and
when
it's
combined
with
the
power
of
the
cloud,
it
can
be
used
to
find
the
proverbial
needles
in
the
haystack
that
allow
you
to
focus
on
the
root
cause
of
a
security
incident
and
with
that
I
want
to.
Thank
you
for
coming
to
the
session.
A
B
B
A
B
Yeah,
that's
one
of
the
major
considerations
right.
The
volume
of
the
events
that
you
collect
on
Linux
workloads
is
pretty
significant.
The
size
of
individual
events
is
not
that
much
in
general,
it's
typically.
What
we
have
noticed
is
that
it's
around
1K
1K
bytes
per
event,
but
the
the
volume
of
events
is
pretty
high.
So,
and
this
is
the
reason
at
the
back
end,
we
have
to
use
certain
several
optimization
techniques
to
bring
down
the
cost.
B
B
B
So
we
are
working
to
offer
multiple
deployment
options.
One
of
the
primary
ones
again
would
be
using
Daemon
set
on
eks
right
and
we
are
trying
to
make
it
as
hands-free
as
possible
for
customers,
the
customers
that
choose
to
choose
to
do
it
right
and
then
there
will
be
other
options
as
well,
where
customers
will
be
able
to
integrate
the
agent
with
their
CID,
CD,
Pipeline
and
then
deploy
themselves.