Description
Don't miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe in Amsterdam, The Netherlands from 18 - 21 April, 2023. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
A
Hello,
everyone
Welcome
to
Cloud
native,
live
where
we
dive
into
the
code
behind
Cloud
native
I'm,
Annie,
talbasto
and
I'm
cncf,
Ambassador
and
I
will
be
your
host
tonight.
So
every
week
we
bring
a
newsletter
presenters
to
Showcase
how
to
work
with
Cloud
native
Technologies.
They
will
build
things,
they
will
break
things
and
they
will
answer
all
of
your
questions,
so
you
can
join
us
every
Wednesday
to
watch
live
this
week.
A
We
have
a
really
great
session
by
Nigel
here
with
us
to
talk
about
detecting
crypto,
jacking
and
kubernetes
workloads,
and
as
always,
this
is
an
official
live
stream
of
the
CNC
app
and
as
such,
it
is
subject
to
the
CNC
of
code
of
conduct.
So
please
do
not
add
anything
to
the
chat
or
questions
that
would
be
in
violation
of
that
code
of
conduct.
Please,
basically,
please
be
respectful
of
all
of
your
fellow
participants
as
well
as
presenters,
but
with
that
done
I'll
hand
it
over
to
Nigel
to
kick
off
today's
presentation.
B
Cool
and
just
to
confirm
you
can
see
everything.
That's
on
screen,
there's
no
issues
there
with
the
screen.
B
A
B
Thank
you
for
everyone
who
joined
today's
session.
What
we're
going
to
do
is
we're
going
to
work
with
alcoves
a
we've
got
a
simple
two
node
kubernetes
cluster
right
now
and
both
those
are
ec2
instances
running
on
yeah
AWS.
So
with
this,
it's
not
a
complex
environment.
You
can
see.
We
have
a
networking
plugin,
we
have
Falco.
We
also
have
a
Falco
sidekick,
which
you
see
on
the
right
side,
pane,
which
is
a
you
know
for
the
purpose
of
the
demonstration.
B
It's
a
visual
UI
to
demonstrate
the
alerts
that
are
coming
through
in
real
time.
So
with
that
I'm
going
to
kick
off
what
we're
going
to
try
to
do
today,
which
is
detecting
crypto
mining
in
kubernetes,
now
we're
doing
that
with
a
tool
called
Falco
for
those
who
aren't
familiar
with
Falco,
it's
a
runtime
forensics
tool
and
it
can
show
you
intrusion,
detection,
any
kind
of
unusual
sign
of
security
compromise
in
real
time
now.
B
How
we're
doing
that
in
today's
session
is
we're
going
to
achieve
that
via
free
system
calls
that
are
already
happening
in
Linux.
So
that
applies
to
both
containers,
because
they're,
Linux
and
and
to
the
host,
which
are
all
Ubuntu
instances
in
the
case
of
my
cluster,
so
with
that
I'm
just
going
to
cover
first
of
all
what
is
happening
here.
So
you
know
historically,
what
someone
would
have
done
is,
they
would
have
you
know,
pulled
you
know,
say
from
a
GitHub
repo.
B
They
pulled
the
the
download
package
associated
with
exam
rig,
which
is
a
mining
binary
and
for
crypto
mining
with
that
they
would
have
on
this
same
Linux
host.
They
would
want
to
unpackage
it
once
they've
unpackaged.
The
the
folder
they'd
want
a
CD
to
that
directory,
which
is
the
XM
rig,
whatever
it
is
and
from
there
they
can
then
initiate
crypto
jacking.
Now
this
whole
process
is
pretty
straightforward.
You
know
I
can
you
can
see
here?
B
This
is
one
single
command
and
this
is
going
to
perform
the
crypto
jacking
or
the
crypto
mining
I
should
say
on
the
host,
which
I'm
using
the
executable,
dot,
X
or
dot
forward.
Slash
xmrig,
in
that
case,
I'm
pointing
to
a
mining
pool
now
for
the
context
of
this
demonstration,
all
kind
of
crypto
miners
in
order
to
share
resources
or
pool
resources,
they
connect
to
different
mining,
pool,
IPS
or
domains
and
Associated
ports.
B
In
this
case,
it's
the
domain
is
XMR
Us,
East,
one
location
of
nanopool.org
and
the
domain
is
14433
now
in
order
to
authorize
or
authenticate
to
a
wallet.
You
know
you
can
see.
You've
got
this
hash
value
here
and
also
just
for
the
purpose
of
my
command
I'm,
silently
using
it
using
the
background
command
now,
once
I
run
that
I'm
crypto
mining.
So
it's
that
simple.
If
you
want
to
see
what
it
looks
like,
you
can
say,
dot
xmrig-
and
this
is
what
crypto
mining
looks
like
in
in
reality.
B
Now
that's
pretty
straightforward.
You
can
see,
there's
no
errors,
so
I'm
able
to
connect
to
that
exam
rig,
whatever
location
and
the
port.
So
I
want
to
close
that
process
out
for
the
second
and
I
want
to
explain.
Well,
where
is
it
becoming
such
a
problem?
Now
so
for
these
environments?
So
we
can
CD
out
of
that
directory.
We
can
remove
the
directory
I'm
even
going
to
go
ahead
and
remove
the
zip
package
that
we
just
pulled
now.
The
thing
about
crypto
mining
is
it's
so
much
more
than
just
a
host.
B
That
should
be
fine.
That
should
be
gone
a
bit.
So
with
that
yeah
you
can
run
your
crypto
Miner
in
this
case,
as
a
Docker
container,
you
can
run
as
a
pod
in
kubernetes.
B
B
The
reward
isn't
really
good
for
individuals,
so
you
know
utilizing
someone
else's
resources
compromising
that
environment,
especially
the
scale
of
kubernetes
or
the
scale
of
an
ec2
instance
in
AWS.
You
know
it's
a
broad
Target
there
and
we
can
take
advantage
of
that.
So
to
show
how
simple
it
is,
or
even
easier,
it
is
to
do
crypto
mining
as
a
Docker
image.
You
can
see.
B
I
just
run
this
single
command
and
that's
it
so
I'm
saying
sudo
run
as
the
administrative
user
I'm
using
the
docker
run
command,
but
I'm
using
dash
dash
RM
so
essentially
remove
it
after
I
run
this
interactive
command
and
the
image
in
this
case
is
metal.
3D
XM
rig.
So
it's
the
director
of
the
folder,
where
it's
hosted
is
now
3D,
but
the
the
binary
in
this
case
is
XM
rig.
So
if
I
hit
enter,
you
know
same
thing
again,
you
can
run
the
crypto
Miner.
B
I
might
just
give
that
oh
yeah
and
you
see
in
this
case
the
connection
failed.
So
I
want
it
to
any.
You
know:
authorization
I
didn't
even
generate
the
wallet
associated
with
it.
It
didn't
authorize
the
connection,
so
we
can
just
close
that
and
that's
the
end
of
the
crypto
mining
is
Docker
now,
with
the
fact
that
you
can
run
it
in
different
environments,
it
means
well,
first
of
all,
how
are
we
going
to
detect
it?
That's
the
whole
point
of
today's
session,
so
you
can
see
on
this
right
side
pane.
B
If
I
refresh
the
URL,
you
can
see.
I
got
a
bunch
of
detections,
I,
actually
forgot
to
turn
off
the
reef
or
enable
the
refresh.
So
at
this
moment
it's
going
to
update
every
10
seconds
so
I
have
a
bunch
of
rules
I've
configured
in
Falco
to
check
the
indicators,
the
compromise
associated
with
crypto
mining.
Now,
the
first
one,
that's
pretty
obvious-
is
to
detect
outbound
connections
to
Common
minor
tools.
So
if
I
said,
Cube
CTL
get
CM
config
map
in
the
namespace,
oh
yeah,
it's
going
to
be
called
Falco.
B
It's
named
the
config
map
and
it's
in
the
namespace
Falco
now
oh
yeah,
that
shows
those
there.
So
if
I
want
to
edit
it
I
can
just
show
you
quickly
what
the
rule
looks
like.
So,
if
I
run
Portage
and
I
just
want
to
look
for,
let's
say
minor
or
pool
I
think
is
the
best
way.
So
you
can
see
here
what
Falco
can
do
is
we
can
figure
a
list?
So
list
is
just
like
a
list
of
things.
B
B
If
you
want
to
do
it
that
way,
you
know,
there's
no
limitation
to
how
you
define
the
different
attributes
that
are
going
to
find
your
real
now
I,
don't
know
if
I
have
to
find
it
below
or
I'm
going
to
do
it
above
I
think
it's
just
above
it,
so
we'll
just
scroll
up
a
little
higher,
so
yeah
you
can
create
a
macro
that
defines
what
is
the
conditions.
The
list
is
just
a
list
of
objects
and
then
we
can
create
a
rule,
something
like
this,
where
you
say,
create
hard
link
over
sensitive
files.
B
So
if
I
wanted
to
say
forward,
slash,
let's
say
common
I
guess:
yeah
there's
the
name
of
our
rule,
so
it's
detective
and
connections
to
Common
minor
bull
ports.
So
in
this
case
we
would
say,
there's
a
rule
name.
The
description
is,
what
is
it
going
to
do
for
us
and
then
the
condition
is
defining
those
macros
and
lists,
so
they
have
a
macro
called
netminer
pool
and
the
conditions
of
the
netminer
pool
is
saying
it
has
to
have
these
domains
and
it
has
these
ports
if
I
Define.
B
That
condition
we've
already
proven
that
we
can
detect
unusual
network
connection.
Now
this
second
one
here
we
see
the
on
the
right
side,
pane
I
have
this
minor
binary
detected.
This
is
not
actually
in
the
Falco
rule.
So
if
you
want
to
actually
see
falca
rules
today,
you
can
go
into
the
Falco
repository.
You
can
go
to
the
rules
View
and
from
here
you
can
click
on
Falco
rules.
B
Here
you
then
see
all
the
default
rules
that
exist
like
the
one
we
talked
about
there
a
second
ago
like
Google,
you
would
see
all
of
the
list
of
items
that
are
in
it,
but
there's
no
default
rules
similar
to
this,
where
we
see
minor
binary
detected.
So,
in
that
case,
what
I've
done
is
I've
actually
created
my
own
custom
rule
just
before
this
session,
where
you
can
say
maybe,
if
I
type
in
binary,
you
can
see
yeah
detected.
B
All
I'm
saying
in
this
case
is
I,
wanted
to
take
malicious
scripts
or
binaries
detected
in
a
Potter
host
again,
because
it's
all
based
on
system
calls
I
can
see
it
happen
in
the
container.
I
can
see
it
happen
on
the
host.
I
can
see
it
happening
kubernetes
because
we're
relying
on
this
exact
cve
system
call.
Now,
as
for
what
the
output
is,
that's
essentially
what's
going
to
show
up
in
the
the
you
know
the
alert
context.
So
what
you
see
as
an
administrator
or
an
SRE
is
the
output
of
the
earlier.
B
So
you
can
put
whatever
context
is
relevant
in
my
case.
I
want
to
see,
for
instance,
user
ID
I
want
to
see
you
know
what
was
the
node
that
it
happened
on
all
of
this
relevant
supporting
context,
even
container
name
so
I
understand
where
the
incident
occurred
when
it
occurred
so
like
timestamp,
so
I
can
then
take
further
action
on
it.
Now.
What
defines
this
minor
binary
detected?
I
basically
said
you
can
see
at
the
bottom
here
list
malicious
binaries,
so
I
made
a
very
small
list.
It's
only
like
six
I
think
defined
binaries.
B
You
can
modify
this
whatever
way
you
want,
but
I
said
if
I
see
an
example
of
XM
rig
or
Nano
Miner,
pawn
rig
or
astrominer
whatever
the
miner
is.
You
can
constantly
play
around
with
this.
However,
you
want
you
define
in
the
list.
You
can
build
a
macro
which
says
in
malicious
binary,
so
I
say
if
the
process
name
contains
any
of
these
listed
items,
that's
how
our
macro
is
defined
and
then,
when
I
create
the
rule,
I
can
say
you
know
spawn
process
and
it
was
listed
as
the
macro
in
malicious
binary.
B
B
So
yeah
with
that
I
said
you
know
we
can
run
it
locally,
crypto
mining
with
XM
rig.
We
could
do
it
as
a
darker
image
that
we
saw
there
a
second
ago
where
we
just
run
Docker
run,
and
it's
super
simple
to
do
this
and
you
can
see
the
XM
rig
that
was
run
there
would
have
triggered
under
the
minor
binary
detection.
B
Now
things
like
the
first
thing,
I
think
is
important
to
know
is
how
can
we
prevent
this
from
happening?
So
there's
different,
you
know
initial
access
issues,
so
the
first
one
is,
if
you
have
a
part
and
it's
given
elevator
permissions,
let's
say
I
run
LS
I
have
the
first
part
here.
We're
looking
at
is
called
security
context
yaml
in
this
case
in
the
Pod
definition
file.
You
can
say
security
context,
and
this
is
like
what
kind
of
permissions
we're
going
to
give
them.
B
So
we
run
user
2000
as
the
permission
set,
but
also
there's
this
allow
privilege
escalation.
That's
disabled,
because
I
guess,
as
a
you
know,
as
an
admin
I
don't
really
want.
You
know
the
Pod
escalate
permissions
from
there.
The
alternative,
because
you
can
say
true,
is
if
I
was
to
cut
the
privileged
part.
You
can
see
this
one
has
security
context
set
to
privilege
through
immediately
so
essentially
root
permissions.
B
B
We
can
see
then
it'll
open
up
the
session.
Now
you
know
refreshing
the
URL.
This
in
itself
will
trigger
an
alert
so
I
terminal
shelled
into
a
container.
You
know
unless
you
have
a
justifiable
reason.
Why
are
end
users
shelling
into
the
pods
like,
preferably
we
don't
want
to
drift
from
the
original
design
that
we
deploy
in
our
environment.
So
yeah
again
you
there's
legitimate
reasons
you
might
shell
in
for
troubleshooting
purposes.
That
would
be
the
only
real
reason,
but
for
an
adversary
they
would
do
it,
for
you
know
other
reasons.
B
So
in
that
case
we've
shelled
into
the
Pod.
You
know
if
I
was
to
you
know,
go
inside
the
part.
It
works
the
same
way
as
any
other
Linux
host.
You
can
run
psrux
and
you
can
see
what
are
the
commands
and
what
permissions
are
set
inside
the
environment.
So
if
we
try
to
do
what
we
did
earlier,
where
it's
to
manually
install
the
crypto
Miner
in
a
non-privileged
part,
it
would
say
something,
like
this
permission,
denied
I'm
unable
to
install
the
crypto
Miner
in
this
environment.
B
So
with
that
as
the
attacker
I'm
kind
of
in
a
bit
of
trouble
here
now,
if
I
was
to
say,
could
CTL
delete
Dash
after
I,
don't
know
what
it
was
called
security
context
set
to
and
create
the
other
part
which
is
Cubo,
apply,
Dash
F
privileged.
So
if
I
would
create
the
privilege
part,
you
know
same
logic
applies
here.
The
part
is
now
creative.
You
can
say
Cube
CTL
get
pods
to
see.
You
know
the
pods
are
running.
B
B
As
you
know,
the
standard
user
I'm
running
as
a
root
so
now
that
I'm
running
as
a
root
I
can
do
you
know
the
same
command
except
this
time
it
will
work
which
is
to
you
know,
curl
I'm,
pulling
the
package
I'm
going
to
do
exactly
what
I
did
on
the
the
main
ec2
instance,
which
is
you
know,
unzip
the
package
which
gives
me
the
same
directory.
I
can
see
the
exam
rig
to
that
directory
and
once
I'm
in
there
you
can
see
the
files,
which
is
the
conflict
files,
the
exam
break
binary.
B
So
if
I
want
to
do
crypto
mining
within
that
environment,
it's
quite
easy
to
well
actually
I
can
even
you
know,
Elevate
permissions
on
a
pod,
so
say
something
like
chmod.
If
I
want
to
set
group
user
ID
or
set
get
bit
sorry
on
the
on
this
executable,
if
I
was
to
refresh
the
URL
again,
you
can
see
these
different
behaviors,
so
things
like
running
chmod,
any
CH
Master
Drift
from
changes
from
the
original
design.
You
know
that
will
be
flagged
as
changes
in
a
file
directory
on
a
container
the
same
way.
B
It
would
be
on
kubernetes
host,
but
all
these
other
unusual
behaviors
like
if
you
looked
at
this
holistically
on
the
right
side
of
pane,
there's
someone's,
launched
a
privileged
container,
then
they've
terminal
shelled
into
that
container.
If
it
was
a
real
crypto
Dragon
incident,
they
would
probably
just
take
an
existing
part
exactly
to
the
part
if
it
had
the
privilege
set
to
true
and
do
the
damage
from
there.
B
But
in
the
case
of
like
trying
to
do
further
escalation
with
environment
yeah,
they
would
want
to
create
that
privilege
part
if
there's
not
just
you
know
nothing
in
place
to
prevent
them
from
creating
that,
and
if
there
was
no
visibility.
If
there
was
no
Falco,
you
wouldn't
know
that
some
creative
privileged
part
they
were
jumping
into
it,
making
all
the
file
changes.
You
know
they
call
the
part
some
legitimate
name,
not
like
my
one.
You
know
they
might
yeah,
they
might
call
it
like
redis
database,
something
in
those
lines.
B
So
you
want
to
be
able
to
see
examples
of
just
unusual
patterns
and
behaviors
like
setting
escalated
permissions
on
the
part.
So,
in
this
case,
what
when
they
run
the
crypto
mining,
which
is
basically
Dart
forward,
slash
XM
rig?
You
know
it
works
the
same
as
it
did
in
any
other
environment.
If
I
was
to
refresh
the
URL,
we
should
see
the
binary
detected
where
we
use
the
use
of
XM
rig
immediately.
It
tells
us
you
know
the
command
we
just
ran,
so
it
gives
us
all
that
additional
context.
B
Of
course
yeah
it's
my
unfortunately,
the
screen
is
quite
funny,
so.
A
B
So
if
I
was
to
exit
up
this
container
and
we'd
said
Cube
CTL
delete
F
the
privilege
pod,
you
know
that
has
solved
our
problem
for
now,
but
it's
that,
knowing
what
is
the
dangerous
part
like
No,
One's
Gonna
call
their
pod
privilege
part
well,
in
this
case
the
name
was
actually
test
part
one
which
is
like
again
a
bit
sketchy
from
a
visibility
perspective.
So
what
we
want
to
do
is
maybe
look
at
that
example
again
something
about
creating
the
privilege
part
there's
a
few
things.
B
You'd
notice
here
is
like
if
I
was
to
yeah,
create
a
new
privilege,
part
there's
something
from
scratch.
Now,
like
people
might
or
sorry
advertise
might
yeah
hit
enter
cool,
so
we
created
that
a
new
same
definition
file
actually
we're
creating
a
brand
new
part.
Every
time
we
do
something
like
this
destroy
a
pod,
create
a
new
one
notice.
B
How
like
delete
or
rename
shell
history
like
you've,
just
deleted
all
the
associated
data,
so
even
like
leaving
a
trailer
behind
the
attacker
every
time
they
delete
the
Pod
they
created
five
minutes
ago,
so
that
they
don't
get
detected.
We
get
the
detection,
we
see
all
of
those
events,
so
we
stream
them
to
to
sister
or
through
Falco
sorry.
So
in
this
case
we
would
see,
delete
or
rename
a
shell
history,
so
they
they
don't
hide
and
detection.
B
So
in
this
case,
if
they
wanted
to
shell
into
that
same
pod,
which
is
the
test
part
one
they
might
want
to
before,
they
do
the
actual
connecting
to
the
minor
ports
so
on.
They
might
want
to
put
in
some
kind
of
suspicious
networking
too,
to
actually
perform
those
actions,
so
one
that
they
might
want
to
use
is
something
like
telnet
or
nmap
or
whatever
you
can
Define
these
tools
yourself.
Now,
in
my
case,
I
tried
installing
telnet.
B
It
told
me
look
like
you
can't,
because
some
issue
with
mirror
list
now,
if
I
was
to
try
and
bypass
that
so
I
moved
into
the
you
know,
repo
directory
and
again
even
this
example
of.
Why
is
the
attacker?
Why
would
anyone
in
our
employee,
in
our
company
shell,
into
a
pod,
start
using
the
Yom
package
manager
to
download
things
they
might
be
trying
to
download
a
tool
that
they
need
to
use?
But
again
we
should
treat
those
as
kind
of
suspicious
behaviors
like.
B
Why
are
you
bringing
something,
an
insecure
tool
like
telnet
into
your
environment,
so
this
whole
like
making
changes
on
a
part,
then
trying
to
run,
for
instance,
Yom
again
they
would
be
able
to
do
it,
but
we
want
to
be
able
to
trigger
those
detections.
So
we,
you
know
we
can
refresh
our
URL.
We
can
see
like
launch
package
management
process
in
a
container
again
unusual
thing
or
even
just
the
process
of
updating
the
package
matches.
B
So
when
I
ran
Yom
update,
Dash
Why,
that
in
itself
is
suspicious,
it's
there's,
obviously
a
spew
of
things
happening
from
the
package
manager.
So
we
see
all
those
different
alerts
coming
through
so
again,
it's
just
how
you
want
to
Define
these
guardrails,
so
that
I
mean,
of
course,
detecting
the
connections
going
out
to
the
IP
port
or
domain.
B
That's
all
great!
It's
already
happened.
They've
already
compromised
your
environment,
they're
already
wasting
your
resources,
so
what
we
want
to
do
is
be
able
to
assigns
a
compromise
before
they
happen.
So
in
this
case,
if
I
wanted
to
install
telnet
or
any
of
these
other
networking
tools,
you
would
just
run
yum
install
telnet
on
our
side.
If
we
were
to
refresh
this
URL,
it's
just
because
I
don't
have
the
automatic
refresh
and
you
see
their
launch
package
management.
B
Sorry,
there
should
be
I,
think
they're
suspicious
tools.
If
I
look
up
suspicious.
A
B
There
it
is
so
launching
I,
actually
this
one
from
earlier
sorry
I'm
still
waiting
on
it,
but
earlier
I
did
the
same
thing:
I
installed
telnet
in
on
the
container
and
yeah
it
launched
it.
Can
it
effectively
created
the
alert
telling
us
that
a
suspicious
Network
tool
was
created
in
Guitar?
So
what
we
want
to
do
is
again
look
at
things
like
you
know,
shelling
terminal,
shell
into
the
Container.
Any
file
changes.
You
know
moving
to
the
temp
directory
to
to
evade
detection,
deleting
historical
changes
they
made
did
deleting
shell
history.
B
These
are
all
things
that
an
adversary
would
want
to
do
to
evade
detection
so
that
you
can't
as
a
incident
or
something
forensics
team,
see
what's
going
on,
but
because
we
are
streaming
all
the
events
somewhere
else.
So
even
if
the
container
is
killed,
we
still
see
what
happened
within
that
environment.
So
in
that
case,
even
if
I
was
to
exit
and
say
Coupe
TTL
delete,
F,
the
privileged
part
and
the
Pod
is
gone.
B
Now
the
other
thing
that's
worth
pointing
out
is
creating
a
crypto
Miner
as
a
kubernetes
deployment.
So
if
I
was
to
say
LS,
you
can
see
the
minor
deployment.
So
if
I
take
cat
Miner
deployment,
you
know
it's
really
straightforward.
So
you
can.
You
know,
as
an
example,
create
a
deployment
definition
file.
You
can
call
it
minor
again.
If
you
don't
want
detection,
you
probably
call
it
something
different,
a
minor.
You
would
call
it
legitimate
database
and
then
you
would
put
it
in
the
namespace
of
you
know:
database
name
namespace.
B
So
in
this
case,
what
we're
trying
to
clarify
is
whether
you
create
it
via.
You
know
your
W
gas,
you
pull
it
and
you
re
run
chmod
to
turn
into
an
executable
or,
if
you
create
it
via
deployment,
we
will
still
spot
that
image
where
it's
pointing
to
again
XM
rig
or
to
any
of
the
other
minor
definition
that
we
put
in
that
list
item
earlier,
which
is
really
important.
So
in
this
case,
if
I
want
to
say,
qctl,
apply
and
create
that
part,
we
can
now
one
other
thing.
A
There
was
actually
a
audience
question
right
now
from
Oliver.
Would
the
hacker
not
be
able
to
knock
out
the
Falco
container
running
in
the
same
pod
they're?
Assuming
that
that's
how
Falco
does
it
since
it
needs
to
be
able
to
monitor,
process
names
and
so
forth?.
B
Yeah
absolutely
like
that.
That
would
be
one
of
the
things
that
they
would
try
to
do
important
to
say
there
is
like
you
know
when
you
create
there's
still
the
deployment
file
like
if
you
set
the
what's
the
term
where
you
only
administrative
privileges,
to
make
those
changes
in
the
first
place.
You
know
only
you
know,
an
elevated
user
would
be
able
to
make
the
changes
on
it.
So,
even
if
they
try
Okay
killing
the
Pod
it'll
still
get
recreated
as
part
of
the
deployment.
That
is
true.
B
That
is
one
of
the
things
that
they
would
try
to
do.
But
of
course
the
part
is
going
to
keep
recreating
so
they'll
only
be
like
short
outages,
I
guess
and
it'll
make
it
nearly
impossible
for
the
attacker
to
continue
that
cycle
of
trying
to
evade
detection
as
long
as
the
events
are
still
being
streamed.
But
it
is
a
good
question.
A
B
Cool,
so
one
thing
I
would
say
there
as
well
is
oh
yeah.
We
talked
about
this
config
map
for
Falco
in
the
name,
space
Falco
is
not
every
oh
yeah
I
should
edit,
not
every
rule
is
going
to
be
enabled
by
the
default
and
there's
good
reason
for
that.
So
when
we
talk
about
the
default
rules,
I
think
there
was
the
set
good
bit
yeah.
So
I
have
a
rule
here
and
if
I
hit
enter,
you
can
see
it
where
it's
set
uid
second
bit
true.
B
In
order
for
that
to
work,
I
did,
of
course,
change
the
enabled
to
True
from
its
default
setting,
which
was
false.
Now
it's
really
important
to
clarify
here
that
there
are
some
really
interesting
rules.
There's
I
think
there's
an
example
here
for
C2
servers.
Yeah
so
like
you
can
create
a
rule,
as
you
can
see
here,
with
hex
outbound
connections
for
tc2
Server,
although
it's
I
believe
yeah,
it's
enabled
by
default.
B
When
you
look
at
what
is
the
definition,
which
is
the
list,
the
C2
server
IP
list,
we
can
actually
then
look
that
up.
So
it's
C2
underscore
server
IP
list
and
you
can
see
that
the
item
is
actually
set
in
blank
because
you
know
at
the
end
of
the
day
it's
for
the
end
user
to
decide.
You
know
what
is
it
I'm
trying
to
block
like?
If
you
wanted
to
say
we
don't
want
outbound
connections
to
a
service
like
tour,
because,
again
an
adversary
might
use
tour
to
keep
the
connections.
B
You
know
where
they
keep
a
bit
of
anonymity.
When
it
comes
to
speaking
outbound
from
the
environment,
they
don't
want
to
be
you
to
track
where
those
connections
are
going.
So
what
you
could
do
is
create
an
item
list
of
all
of
the
IPS
associated
with
the
Torah
Network
that
doesn't
change.
Often
so
again,
it's
not
something
that
you
need
to
be
updating
manually
regularly.
So
you
could
certainly
put
that
in
the
form
of
a
list
or
create
your
own
new
list
and
call
it
something
like
tour
relay
it's
something
I've
tested
before.
B
B
B
The
other
way
of
looking
at
this
is,
if
you
have
the
different
plugins
from
the
different
sources,
it's
very
easy
to
use
Falco
sidekick
to
filter
through
to
understand.
Okay.
Where
is
the
the
big
issue
coming
from
so,
for
instance,
we
have
our
different
sources
right
now,
I'm
only
using
system
calls
so
plug-in
sources
include
kubernetes
audit
logs.
So
if
you
want
to
see,
for
instance,
events
for
when
a
deployment
is
created,
a
config
map
created
or
deployment
deleted
or
config
not
deleted,
for
instance,
you
would
certainly
get
those
events.
B
You
could
have
a
plugin
for
GitHub
or
OCTA.
So
again,
you're
now
going
from
or
yeah
AWS
for
cloudtrail,
so
being
able
to
say
here
are
my
identity
provider
like
OCTA,
here's,
my
supply
chain
and
former
GitHub,
and
here's
my
cloud
provider
in
the
case
of
AWS
being
able
to
stream
all
those
vents
handle
them
through
the
flexible
plugin
architecture?
It's
important
to
then
say
I
can
send
it
all
to
centralized
view
again.
B
I
can
forward
it
then
over
to
automation
tools
for
deciding
what
to
actually
do
with
those
events
or
ship
it
off
to,
for
instance,
a
notification
tool
like
slack,
but
also
from
the
search
I,
can
just
search
for
an
arbitrary
string.
So
we've
been
continuously
talking
about
XM
rigs,
so
if
I
were
to
type
in
XM
rig,
even
though
the
two
doesn't
inherently
know
what
our
exam
rig
is.
It's
just
looking
at
string
matches
in
the
case
of
things
like
the
minor
binary.
B
That's
detected
in
the
case
of
writing
below
the
root
directory
or
again
escalating
permissions.
Any
of
this
we
will
see
that
happen
throughout,
not
just
in
the
case
of
the
minor
binary,
for
instance,
like
a
pod
could
be
called
anything
and
it
could
talk
to
these
outbound
connections
at
the
minor
pools
and
ports.
But
in
our
case,
if
we
scroll
across,
we
know
it's
happening
for
the
yeah,
it
was
the
command
that
was
actually
written
in
this
case
was
XM
rig,
which
makes
sense,
because
that
was
the
utility
we
just
ran.
B
So
in
that
case,
whatever
the
context
is
with
like
again
the
command,
it
could
be
the
part
name.
You
would
get
kubernetes
context
so
like
if
you,
if
the
Pod
or
I
don't
know
whatever
the
context
is.
If
you
see
that
match
string
context,
it
will
show
up
in
the
the
rules
of
our
context.
B
Building
your
own
rules
is
really
easy.
There's
a
few
different
ways.
So
the
first
way
is
we
can
actually
just
go
into
the
config
map,
like
you
would
done
here.
You
can
click
in
I
and
you
can
just
paste
in
the
rule
list
macro.
Whatever,
as
long
as
they
match,
you
can
then
close
it
and
then
you
know,
kill
the
Pod
and
recreate
and
you
get
the
changes.
The
alternative
approach
is
if
I
was
to
go
to
I.
B
Believe
I
have
it
here:
oh
yeah
I'll
just
put
it
on
screen
so
I'll
quit.
So
if
you
were
to
go
to
CD
forward,
slash
Etc
forward,
slash
Falco,
is
there
a
Falco
yeah,
there
should
be
a
oh
yeah,
I
might
have
to
create
it.
There
should
be
a
rules.d
directory
in
the
Falco
folder
and
from
there.
B
I,
don't
know
why
I
couldn't
move
to
that
directory,
but
that's
okay.
Basically,
you
should
be
able
to
modify
the
existing
like
custom
rules
file
and
from
there
you
can
put
in
your
own
files
and
then
Falco
will
updated
to
respect
those
new
rules
that
you've
created,
which
is
a
really
nice
thing
to
be
able
to
do.
I
think
it
should
actually
yeah.
You
can
do
it
via
Helm
as
well.
B
So
you
could
say:
Helm
install
Falco,
Dash
F,
specify
the
yaml
file
and
then
say
whatever
the
repo
was,
which
is
Falco
security,
Force
Falco
regarding
creating
the
environment
that
we,
you
know
looked
at
today,
you
know
I've
put
it
all
into
a
GitHub
repo,
what's
also
important
to
know
as
well
and
I
think
we
might
have
put
it
in
the
chat
in
case.
B
We
can
confirm
that,
but
we
have
like
we've
created,
like
Falco
blogs
on
these
topics,
so
again
crypto
mining
through
GitHub
actions,
or
if
you
wanted
to
our
official
blog,
you
can
see
the
examples
for
like
crypto
mining
detection
using
Falco.
We
go
through
all
of
this
in
depth
so
that,
if
you
want
to
create
the
same
rules,
if
you
want
to
understand
how
the
rules
are
built,
what
is
the
logic
behind
it,
but,
most
importantly,
how
it
shows
like
we
showed
in
the
demonstration
today
the
real-time
alerting.
B
You
know
that
that's
the
ideal
outcome
is
that
you
can
go
in
here
test
out
Falco,
since
we're
talking
about
system
calls
whether
it's
an
iot
device
again,
whether
it's
an
ec2
instance
running
in
Cloud.
It
really
there's
no
limitation,
anything
Linux
related.
It's
going
to
be
perfect
on
and
that's
really
exciting,
because
it
means
that
as
you're
testing,
these
other
tools,
you
can
use
Falco
for
intrusion,
detection,
again
a
bunch
of
different
operating
systems
of
sports.
B
So
you
know
whether
it's
Ubuntu
in
my
case
or
if
it's
sentos
or
whatever
I
have
pods
I
was
creating
earlier
that
were
sent
to
us.
It
should
work
the
same
in
each
of
those
cases,
so
yeah
just
to
wrap
up
I
guess
we
just
had
a
few
slides
on
this
topic
and
I
can
just
share
on
slideshow
and
again.
B
If
anyone
has
any
questions,
you
know
feel
free
to
ask,
but
the
main
thing
is
that,
like
Falco
could
be
used
as
a
network
intrusion
and
I'll
actually
put
on
a
bit
of
light
in
this
room,
it
got
very
dark,
very
quick,
so
yeah
you
can
like
detect
outbound
connections
to
those
IPS
domains
ports,
so
it
can
be
used
as
a
network
intrusion
detection
too,
also
for
looking
at
Ingress
or
egress
traffic
again
from
suspicious
IPS
or
from
whatever
you
can
Define
what
is
even
from
logins
or
some
other
activity.
You
could
say
some.
B
Your
login
change
was
made
from
a
user
from
this
approved
IP,
and
that
way,
anything
that
isn't
the
approved
IP,
you
can
say,
is
not
equal
to
and
therefore
see
the
unusual
activity.
But
in
the
case
of
crypto
mining,
it's
pretty
consistent.
The
only
exception
to
when
you
wouldn't
get
this
detection
is
if,
for
instance,
they
hit
the
the
mining
server
behind
a
CDN
service
like
cloudflare
that
way
and
again
in
the
Tesla
incident.
They
did
something
like
that,
so
their
IDs
tool
didn't
actually
pick
up
on
the
connections
that
was
made
to
those
IPS.
B
That's
why
it's
important
to
look
at
all
of
the
indicators
compromise,
not
solely
connections
made
to
IPS.
So
one
thing
we
said
is
a
clear
guard.
Rail
for
organizations
was
to
set
this.
Allow
privilege
privileged
escalation
to
false
I
mean
there
are
so
much
more
than
you
can
do
to
that.
Like
even
use
Opa
like
a
gatekeeper,
do
you
know
what
to
Define?
What
can
and
can't
be
admitted?
Do
you
know
admission
control
in
the
environment?
That's
an
important
tool
as
well
to.
B
But
also
things
like
your
network
policy
enforcement,
so
you
could
use
a
Calico
or
psyllium
or
your
service
mesh
to
Define
what
connections
you
allow,
so
you
can
ultimately
prevent
the
connections
going
into
those
mining
pools,
but
that
only
stops
the
you
know.
The
connections
for
the
minor,
the
miners
still
using
up
your
resources-
so
you
know
good
place
to
start-
is
to
look
at
privilege
escalation,
because
when
we
look
at
it
in
the
context
of
the
miter
table,
you
can
see
yes.
B
Privileged
container
is
a
technique
in
the
tactic,
privilege
escalation,
but
where
else
can
they
move
to
so
things
like
node
to
Cluster
escalation,
control,
plane
to
Cloud
escalation,
compromise
submission
control,
there's
so
many
other
things
they
can
move
to,
and
that
also
justifies
more
use
case
for
why
it's
good
to
use
the
plugable
system
of
plugins
or
hither
flexible,
plug-in
architecture
or
Falco,
so
that
you
can
see
okay
someone's
escalated
to
Cloud.
These
are
the
changes
made
in
the
cloud
environment,
so
they've
escaped
an
easy
to
instance,.
A
B
Yeah,
you
can
go
whatever
way.
You
want
to
approach
this
I
think
when
you're
talking
about
when
to
bring
it
into
my
cloud
native
ecosystem,
I
think
a
good
place
to
start
is
when
we
talked
about
the
documentation,
we
have
I'm
pretty
certain.
We
have
a
quick
start
guide
on
this,
so
if
I
was
to
look
up
a
quick
start,
the
reason
I'm
pointing
towards
the
quick
start
guide,
I,
don't
know
getting
started,
it
must
be,
and
then
you
can
say
running
yeah,
so
that's
cool,
so
there's
different
ways.
B
You can go about it. Obviously you can just install it in your environment. There's the Falco binary. You can install it as a Docker container, and then we also have, like, Helm charts and so on for installing it, but I think we also have the example for minikube, you know, if you have a little test lab and you're running it in your, you know, your home lab environment or running it on your desktop and you, you know, you're not ready to test out Falco and all its capabilities, like, in your production environment.
B
This is a great place to start. You can just, you know, you would get the tool minikube, it's just a little utility, and from that you just run minikube start to specify the VirtualBox driver, and from here it's like a few simple commands to say, look, here's a helm repo command, so I'm pulling from that Helm chart, I'm updating it, naturally installing Falco. It's like three commands. Once it's installed, yeah, you'd say, you know, logs, which is, this is just using purely Falco, by the way.
B
This way we can say here's the log output to prove that it's working, and, you know, you can start modifying rules accordingly. In our case, we went a little bit further because we used an extra utility called Falcosidekick. We also have this documented as well, and that's for streaming events out, but also just streaming them to this graphical UI, which I'm currently accessing via port forwarding, which has been running throughout the whole session. But yeah, if you're talking about a place to get started, I think minikube's...
A
B
That's a good point. So right now, Falco is, yeah... you can see it on their landing page, it's purely about taking all those different sources and then being able to inspect what's happening. Rules, of course, make it easier to see what the unusual activity is, and we create some curated rules for you, and when I say some, quite a lot, so that, you know, you already have them in your hand. But you're right in saying it does not automatically take action to, you know, to do something. We could kind of...
B
We could use Sysdig, or sorry, Falcosidekick to hook, to send a webhook to the, you know, your third party tool that can do that automation process, but that is not handled within Falco. So in here it's purely, think of it like a security camera. It's always on, it sees what's happening.
A
B
Awesome, no problem. So I might just go into those last slides just to make sure, you know, we have as much information in your hands as possible. So, you know, we talked about detecting privilege escalation. If you can, avoid creating overly permissive pods. Same logic as the cloud environments where we talk about overly permissive IAM policies, the user policy of what they can and can't do; think of the same logic for pods.
B
You know, it's easy to create a privileged pod for testing purposes, but it's not good in the case of security posture. You're just putting too much control into an adversary's hands if they get access to your environment. The other thing is we talked about the custom rule, and maybe this was confusing to some people earlier. What I showed here was, this is a rule that is not in the default rules list. I created it purely for the case of cryptojacking.
B
To show how easy it is to, you know, in five to ten minutes you can create your own rule to, you know, detect crypto mining. So in my case, I wanted to have something that would say this execve system call, which is basically, we've seen it throughout the demonstrations, if in a pod, in a host, Kubernetes, you know, on a container, if this exact command is run. So if we see here, we're looking for any process name that's listed in the shell binaries. The shell binaries, it was already there; actually, this list already pre-existed.
B
Those are defined as our process types that we're looking for, but in regards to the macros, or the list, sorry, we created this list ourselves. So that was where we mostly, we just talked about XMRig, but if you had, like, XMRig, I, or xm1r or whatever it is, nanominer, any miner, you could even have a wildcard miner if you want to do it like that. So any kind of, you know, miner that you can think of, put it into a list.
B
Lists are limited to strings, in this case, like, the name of a binary, I think of it in the sense that it can be an IP address. It could be a hash value, a SHA, so you could say here is the known bad hashes associated with malware, chuck those hashes into a list, and you can use the same logic to say if a process triggered and it has this hash value that we've seen in the system calls, yeah, we can detect and prevent that as well.
B
So in this case, it's really easy for us to say I've defined a macro that's saying if the process name is in the malicious binaries list. The list is the list of items, and then the malicious binaries are specified here. So if it's a spawned process, basically it's like execve, which was the event type that was run, if it was listed in that macro which entails the list, then we would trigger an alert that says something generic, like "malicious binary script was executed in a pod or host".
B
We don't know at this point, but in the command output, which will tell us either it was on a host, but it will be a host and a pod if it's a pod running on a host. So that's a really cool one, but ultimately you can tag it whatever way. I tagged it for crypto mining, because that was the whole point of today's demonstration, was that you can then filter as well for tags. You know, you could tag it based on its MITRE ATT&CK tactic or technique.
B
You could tag it based on the type of environment that it's triggered in, that kind of thing, but ultimately the source is based purely on system calls. So we can go really deep; there's really very little limitation to what you can and can't see. We talked about networking connections, file update changes, permission changes, all of that. And then the final piece I just want to go on here is that again we talked about the default Falco logic where we have...
B
You know, certain drivers that are in place, so we monitor those system events that are coming from the kernel. We have, you know, our default Falco implementation, and then we also have an eBPF driver as well, and again, that's probably better for another session if that's something people are interested in. But then we can monitor the Kubernetes audit logs. So again we have a plugin for that; you've probably seen in my event output that we can correlate again the container output via system call, but also use the Kubernetes audit log to see, okay...
A
B
From it, we enrich that data, and then, finally, when we talk about that standard API that we provide, it means that we can use our same existing architecture to then understand, okay, what is the logging source of the other tool, like a SaaS platform, whatever it be, that we're trying to plug into, and ultimately build the same consistent rule language. As long as, when we go back, we just specify our source from syscall; we could change it to k8saudit.
B
We could change it to AWS CloudTrail, whatever it is that we're trying to plug into, which is really cool. And again, if you're a developer and you're really interested in making these plugins for a tool that you provide, there is no reason why you can't contribute to the community in that sense. So with that, I hope everyone kind of found value out of today's session. We have, like, a developer's guide if you're interested in building plugins. I've listed the Falco rules, because we've rehoused our Falco rules.
B
So again, you can access those even if you're not testing it today. You can read those rules today and understand how they're built and what's the logic behind them, from a kind of educational, further learning... I've provided a blog for detecting crypto mining. I wrote that last year, so it's not too old, and the rules do apply today. And the other one was, if you're interested in exactly seeing how cryptojacking works in other environments, I've also given a blog article for the Falco plugin for GitHub.
B
So that way you can detect crypto mining on a Linux host, but you can also see it in a SaaS platform like GitHub, which is really cool. And also, if you want to follow us, you know, we're pretty much accessible everywhere. So we have the GitHub repo, and we've linked that accordingly, and where you can follow us on Twitter. I'm pretty sure there's a LinkedIn page as well, but either way it's the same name. And I also put my own GitHub repo for today's session.
B
So if you want any of the commands I ran to do your own crypto mining on, and ultimately just to have the rules running and detect the crypto mining in your environment, feel free to use it; it's publicly available. So with that, yeah, I think we've covered everything. I just want to make sure that we've got time for any more questions, if anyone has any.
A
Yeah, there's a few comments so far and, oh, a question came in immediately. Perfect, that's good. Keep the questions coming in. We have 15 minutes for them, so no worries.
A
For starters, there was an attendee who commented that they've found the Sysdig Falco 101 a great resource for getting started on Falco and linked to that one; that was really nice. And then we have Andrew commenting: "Alternatives to minikube, just in case you are against running a VM on your local machine, check out Kubernetes WithOut Kubelet, okay, KWOK," and then he gives the links for that.
A
If you have any comments on that, happy to hear that. But then there was also Ashken commenting, or actually asking a question about: is there any available support, such as tools or references, that can make creating a Falco rule simpler?
B
Is there any references to make creating the rules easier? There should be. So when we talked about our blog or documentation, sorry, separately, yeah, absolutely. If you go to the Falco rules section and we look at, like, the basics of rules and how they're created in conditional syntax, you know, this is a great starting point, like probably the most common one that everyone's going to look for when they want to test off...
B
...is shell into container. So understanding, like, what are the event types that we're playing with, like specify directory, container ID, whatever it is, they...
B
Like the examples here with wildcards and so on, and also things like the priority, like this, because it didn't specify the source, it's by default looking for system calls, just like we did today. So, you know, you can see that it says here's the rule; it goes through the logic of the conditional set, and it should have the definition of how, like, the output works. So again, what is the alert going to be that you find?
B
But this is a really great starting point, I think, for going through, understanding the condition syntax. So if there's ever anything that you see in a rule and you're just curious, you know, is it required? You know, otherwise it won't run correctly, but also you want to say, like, what can I put into it? You get a better idea from this table. So, for instance, we talked about source. It doesn't need to be specified; if you don't, it will always use syscall, actually, typically your syscall and Kubernetes audit depending on context.
B
But ultimately, if you want to use one of our other plugins, you would then need to specify source equals that plugin. But yeah, even the logic of macros, how they're built, how all of this ties into the shell in container example, I think this is the best place to get started. But I think also we have, well, that Sysdig provides it, it's like an Instruqt lab, so there's, I think, like, I think someone mentioned earlier about the 101, so, you know, there's an Instruqt lab.
B
So that means the whole shell is hosted somewhere else on a SaaS platform. So you actually just start the, you know, the session; you don't have to put any login credentials or anything, and you start, you know, running some arbitrary commands, and it actually shows them in real time. So that might be another alternative cool place to get started.
A
B
Yeah, this is a good question. So in the case of, like, you approve what you can and can't put into your environment, that's fine. But let's say if it's, like, an employee that's logged into the environment, so, you know, it's an admin, and they're an insider threat. In this case, you know, it's fine to say we've set all the guardrails of what can come into the environment, but there's nothing to stop the employee...
B
...who is ultimately, you know, the one who can do the most, from actually running the mining binary themselves, or, let's say, disabling or elevating permissions to actually go and make these changes. So it's important to set guardrails, like, for instance, defining what you can and can't prevent in the environment, just like what we talked about, setting that privilege escalation setting to, you know, false, but we need the intrusion detection as well to say, if an employer, an employee...
B
If a user inside the environment is making changes that they shouldn't, we want to be able to see them, even if they're failing, like, for instance, they were unable to elevate permissions due to a fixed rule. You want to say, oh, we got a detection of someone trying to do something suspicious. That way we can, you know, for auditing purposes, again, you want to be compliant with your regulatory standard. You want to have something in place in Kubernetes to tell you, okay, we have proof, auditing proof, that, you know, log activity is there.
B
We can see activity, unusual activity, in the environment, and we've alerted on it. So that's one of the main reasons: even if they're not able to do something, if they're kind of constrained in what they're able to do, we still want to be able to detect unusual, suspicious user behavior.
A
B
No, that's a really good point. You know, I think we touched on that a little bit earlier with how, you know, if it is behind some service like that, we'll only see the connection to the CDN, which in itself is not, you know, malicious. So in our case, what we want to do is tell users, look, if it's the network connection that we can't really rely on...
B
We want to be looking at other things, like we create a custom rule there to say if a process is executed and it even has the string listed somewhere to do with XMRig or other mining binaries, then we should be able to, and again we can show that inside the UI, that if we just type in XMRig, yeah, we get all that relevant context. So we can see, okay, if we can't see the outbound connection, we know a miner binary was detected.
B
Maybe we can see XMRig in the context of setting permissions on it, or even just a folder. You can say, like, I've seen XMRig associated with file name changes or something along those lines. So it's just one of the many indicators of compromise, but saying that, it's probably the most common one people cite as something to detect, which is network connections. So yeah, definitely it's about having multiple indicators of compromise in case you're unable to detect those connections.
A
B
Yeah, absolutely. So if we're going back to the documentation we had, yeah. So if we were to talk about, like, install or getting started, it's important to know, like, yeah, even actually it's covered here straight away, so, like, you can install Falco in pretty much any environment. So whether it be, you know, I don't know, you're running on Raspberry Pi or, like, an IoT edge device.
B
You know, even in theory, you have a security camera in front of your house. If that has, like, an API that's accessible, yeah, you could have Falco running on that IoT device. You could create a plugin for that other API and you could essentially stream events for suspicious activity on the camera, whether it turns on or off or whatever it'd be. So yeah, it's super flexible, again, anything Linux based, which is, you know, it's an open standard.
B
Yeah, you can build your own. You know, you can run it on all those different operating systems, so whether it be, I'll go into the install doc, whether it be, like, Ubuntu, CentOS, Debian, whatever it is, we usually have the, you know, the install documentation associated with it. And, of course, in the case of Kubernetes and k3s, you can use the Helm charts. So it's super easy.
A
Great, and then final question from me, so also kind of final call for questions from anyone else. If anyone's typing away trying to get the question in, now is the time to finish the typing and send it in. But if an attacker installs the mining binary on the node instead of the container, can Falco also detect this, and does it require a new rule?
B
No, and that's, you know, that's the point here is, like, with these system calls, you know, if we were to go back into the UI here, when we looked at the, yeah, let's say the condition we're looking for was the outbound connection. So we can see, when we look up our outbound connection, and these were all our critical alerts. In some cases we run it as a docker.io, do you remember when we ran docker run? In some cases we ran it within a pod, so we can see those.
B
You know, the alert context, what was associated with the activity that played out, was different, but whether it was on the node, whether it was in the container, or whether it was run again as a pod deployment, or, you know, in Kubernetes, or if it was run as a docker run, we would still get that same context that the connection was made to the IP, irrespective, and the same with the binaries.
B
In the same way, it was in another command, but ultimately the more context you put into the output you want, then naturally you're going to catch it either way, but either way the rule is going to be triggered. So when we type in "outbound" or whatever it is that you're looking for in the rule name, yeah, here you will see the same for containers as would be on the node.
A
Great, I don't see any questions anymore here, but do you have any final words to remind anyone of any resources or anything that they should be doing next, or anything else?
B
No, absolutely. I think just to clarify, and I'll double check it, there was, we have, we have, I should say, an ebook that we have now accessible on the topic here. So I could put that in the chat. I think it's a really useful resource, so I'll just put it in the chat there. I think this chat is, no, this is the private chat. How do I put it? Oh yeah, it's on the right side panel, and I'll share.
B
Can share it to the public channel, so yeah. We have this Practical Cloud Native Security book on Falco. So if anyone wants to learn, like, the inside out, and, you know, you want to implement it within your company, definitely a great place to go. It's a free book; you know, you don't have to pay for it or anything.
B
The other is that we released a project, a honeybee, and again, for those who are already, you know, experienced with Falco, and they want to know what the changes are recently with the project, we also have that documented. So if I was to paste that as well in the chat, you can share that with the group. So, you know, we have the new update, a new version update of Falco, and we're constantly maintaining the project wherever possible. So yeah, those would be two really useful resources for anyone who's interested.
A
Perfect, perfect ending now for this really great session, in my opinion. Great resources for everyone to check out afterwards, so awesome. But yeah, that's it for today, and thank you, everyone, for joining the latest episode of Cloud Native Live. It was great to have a session about detecting cryptojacking in Kubernetes workloads.