SharkFest'24 EU

Thomas Labarussias

Thomas is a Senior Developer Advocate at Sysdig, the company that created and open-sourced Falco, the runtime security engine for Kubernetes and cloud-native technologies. He previously worked at Qonto, a modern bank for SMEs and freelancers, where he managed their Kubernetes clusters and the surrounding tooling, such as ArgoCD, Traefik and Prometheus. Before that, he spent many years at a large managed service provider assisting pure players and e-business companies as an AWS expert and FinOps practitioner. He is one of the longest-tenured members of the Falco community and the creator of Falcosidekick and Falcosidekick-UI, two major components of the Falco ecosystem.


Sessions

11-06
11:00
60min
Automatically trigger captures via tcpdump when a suspicious event occurs in your Kubernetes cluster
Thomas Labarussias

Falco, a CNCF project, is the de facto standard for runtime threat detection in Linux and Kubernetes environments. It offers deep kernel-level visibility by capturing syscalls via eBPF, analyzing that event stream with a powerful rules engine and alerting when a rule is triggered.
Over time, the Falco ecosystem has grown to include the ability to retrieve events from other sources, such as SaaS or cloud provider audit logs, and to integrate with dozens of tools for notification, analysis and response. The latest addition to the ecosystem is Falco Talon, a tailor-made no-code response engine that reacts to Falco events with out-of-the-box actions, such as terminating a pod or triggering a tcpdump.
In this talk, attendees will learn the basics of Falco and see a live demonstration of remediation actions against intrusions, with a strong focus on triggering a tcpdump to observe what the attacker does after the alert is raised.
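To make the "alert, then capture" flow concrete, the following is an added example of a Falco Talon rules file; it is not part of the talk material or the Talon project's own sample files. It assumes the default Falco rule "Terminal shell in container" is loaded, that Talon has been deployed in the cluster with access to the pods, and that the actionner names and parameters (kubernetes:tcpdump with duration and snaplen, kubernetes:terminate, the local:file output with a destination directory) match the Talon documentation for the version in use; the action names, the namespace filter and the destination path are arbitrary choices.

```yaml
# Added example of a Falco Talon rules file (assumed to follow the Talon
# documented format; verify actionner names and parameters against your
# Talon version). Actions are declared once, then referenced by rules.

# First action: record the pod's traffic for 30 seconds so that what the
# attacker does after the alert can be reviewed offline in Wireshark.
- action: Capture pod traffic
  actionner: kubernetes:tcpdump
  parameters:
    duration: 30      # seconds to record
    snaplen: 4096     # bytes kept per packet
  output:
    target: local:file
    parameters:
      destination: /var/falco-talon/captures/   # assumed path, writable by Talon

# Second action: evict the workload once the evidence has been collected.
- action: Terminate pod
  actionner: kubernetes:terminate
  parameters:
    grace_period_seconds: 5

# Rule: react to an interactive shell spawned in a container, but leave
# kube-system alone so that legitimate operator debugging is not killed.
- rule: Shell in container -> capture then terminate
  match:
    rules:
      - Terminal shell in container   # default Falco rule name
    output_fields:
      - k8s.ns.name!=kube-system
  actions:
    - action: Capture pod traffic
    - action: Terminate pod
```

The ordering of the two actions is the security-relevant choice here: terminating first would destroy the pod before any packet was recorded, so the capture must be listed ahead of the termination, and the capture duration should be short enough that an actively misbehaving pod is not left running for long.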

Security
Palais Sachsen Coburg I-III
11-06
17:15
60min
Let’s dissect malwares by collecting their syscalls with eBPF
Thomas Labarussias

As infrastructure managers, we often have to deal with malware. Although we do our best to avoid or block it, some slips through the net anyway. Imagine that you or a member of your team got hold of one of these malicious binaries. How can you find out what its purpose was? You can try to decompile the binary or inspect it in a hex editor, two tried and tested but time-consuming methods. Let's try a different approach and analyze the malware's behavior by running it in an isolated environment and collecting all its syscalls using eBPF. The final step will be to explore the captures with Logray, a project forked from Wireshark and purpose-built for analyzing syscall captures.
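As an added example of the capture step (not code from the talk or from any of the projects mentioned), the script below runs a sample inside a throw-away container while sysdig records every syscall the container makes to a .scap file that can then be opened in Logray. It assumes sysdig with its eBPF probe (the -B flag) and Docker are installed on a disposable analysis VM, that the script runs as root, and that "sandbox", the alpine image tag and the default file name are arbitrary choices; the sample path is whatever you pass in.

```sh
#!/bin/sh
# Added example: record a sample's syscalls with sysdig (eBPF probe) for Logray.
# Assumes sysdig and Docker on a disposable VM, run as root. Names such as
# "sandbox" and "sample.scap" are arbitrary.
set -eu

# Build the recorder command. -B selects the eBPF probe, -M stops after N
# seconds, -w writes the capture; the filter keeps only events from the
# sandbox container so host noise does not end up in the file.
capture_cmd() {
    out=$1      # output .scap file
    secs=$2     # seconds to record
    printf 'sysdig -B -M %s -w %s container.name=sandbox' "$secs" "$out"
}

# Start the recorder, launch the sample with no network, a read-only root
# filesystem and no capabilities, then wait for the recorder to finish.
run_sample() {
    sample=$1; out=${2:-sample.scap}; secs=${3:-60}
    [ -f "$sample" ] || { echo "no such file: $sample" >&2; return 1; }
    sh -c "$(capture_cmd "$out" "$secs")" &
    rec=$!
    sleep 2   # give the probe time to attach before the sample starts
    docker run --rm --name sandbox --network none --read-only \
        --cap-drop ALL --tmpfs /tmp \
        -v "$(realpath "$sample"):/sample:ro" alpine:3.20 /sample || true
    wait "$rec"
    echo "capture written to $out; open it with: logray $out"
}

# Usage: sudo ./capture-sample.sh ./suspect.bin [out.scap] [seconds]
if [ $# -ge 1 ]; then
    run_sample "$@"
fi
```

The container flags limit what the sample can reach, but a container still shares the host kernel, so the VM the script runs on is the real isolation boundary and should be discarded after the run. The capture filter is by container name; if the sample forks or execs helpers they stay inside the same container and are still recorded.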

Beginner
Ballroom A+B+C