SharkFest'24 EU

Let’s dissect malwares by collecting their syscalls with eBPF
11-06, 17:15–18:15 (Europe/Vienna), Ballroom A+B+C

As infrastructure managers, we often have to deal with malware. Although we do our best to avoid or block it, some slips through the net anyway. Let's imagine that you or a member of your team got hold of one of these malicious binaries. How can you find out what its purpose was? You can try to decompile the binary or explore it in a hex editor, two tried and tested but time-consuming methods. Let's try a new approach and analyze the malware's behavior by running it in an isolated environment and collecting all of its syscalls using eBPF. The final step will be to explore the captures with Logray, a project forked from Wireshark that was built specifically to analyze syscall captures.

Thomas is a Senior Developer Advocate at Sysdig, the company that created and open-sourced Falco, the runtime security engine for Kubernetes and cloud-native technologies. Thomas previously worked at Qonto, a modern bank for SMEs and freelancers, where he managed their Kubernetes clusters and the surrounding tooling, such as ArgoCD, Traefik and Prometheus. He also spent many years assisting pure-player and e-business companies as an AWS expert and FinOps specialist at a large managed service provider. He is one of the longest-tenured members of the Falco community and the creator of Falcosidekick and Falcosidekick-UI, two major components of the Falco ecosystem.
