SharkFest'24 US

An API-Driven approach to automating packet captures in cloud-native systems
06-19, 17:00–18:00 (America/New_York), Great Falls

In Kubernetes, the management and analysis of network traffic are complicated by the transient nature of containers and the complex architecture of Kubernetes elements such as pods, deployments, and services. Traditional tools like Wireshark, while robust, often fail to navigate these intricacies effectively, capturing excessive and irrelevant data that we call "noise."

In this presentation, we will explore how Falco, a cloud-native detection engine, integrated with Falco Talon, a specialised response engine designed for the open-source Falco community, can streamline this process.

We'll show how this open-source proof-of-concept enables the automatic initiation of tshark captures directly in response to security alerts triggered by Falco in environments like containers and Kubernetes, which typically do not support interactive GUIs.
Step-by-Step Workflow:

  1. Detection: Falco, designed specifically for cloud-native environments like Kubernetes, monitors the environment for suspicious activity and potential threats. It is finely tuned to understand Kubernetes' context, making it adept at spotting Indicators of Compromise (IoCs).
    Let’s say, for example, it triggers a detection for specific anomalous network traffic to a C2 server or botnet endpoints.

  2. Automating tshark: Upon detection of an IoC, Falco sends a webhook to the Falco Talon backend.
    Talon has many no-code response actions, but one of these actions allows users to trigger arbitrary scripts.
    This trigger can be context-aware from the metadata associated with the Falco alert, allowing for a tshark command to be automatically initiated with metadata context specific to the incident.

  3. Contextual Packet Capturing: A PCAP file is then generated for a few seconds with context tailored to the alert.
    In the case of a suspicious TCP traffic alert from Falco, we can filter the tshark command for just TCP activity.
    In the case of a botnet endpoint detection, we can filter for all traffic to/from that botnet endpoint.
    In each of these scenarios, Falco Talon initiates a tshark capture tailored to the exact network context of the alert.
    This means capturing traffic only from the relevant pod, container, or process implicated in an active security incident.

  4. Improved Analysis: Finally, the captured data is immediately available for deeper analysis, providing security teams with the precise information needed to respond effectively to the incident. This is valuable for Digital Forensics & Incident Response (DFIR) efforts, but also for maintaining regulatory compliance by logging context specific to security incidents in production.
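As an added example (not code from the talk, Falco or Talon), here is a minimal version of the script Talon could trigger in step 2: it reads a Falco alert in JSON form (assumed to arrive on stdin), derives a BPF capture filter from the alert's fd.sip, fd.sport and fd.l4proto output fields, and builds a time-limited tshark command scoped to the implicated container. CAPTURE_IFACE and PCAP_DIR are assumed environment variable names, and the sample alert is constructed.

```python
"""Build an alert-scoped tshark command from a Falco alert (added example,
not Falco/Talon code). Assumes Talon's script action passes the Falco alert
JSON on stdin; CAPTURE_IFACE and PCAP_DIR are assumed environment variables."""
import ipaddress
import json
import os
import re
import subprocess
import sys

# Constructed sample alert in Falco's JSON output format: an outbound
# connection from a pod to an address the rule flagged as a botnet endpoint.
SAMPLE_ALERT = json.dumps({
    "priority": "Critical",
    "rule": "Outbound Connection to C2 Servers",
    "output_fields": {"container.id": "3c9f7a1b2d4e",
                      "fd.sip": "203.0.113.42", "fd.sport": 4444,
                      "fd.l4proto": "tcp"},
})

def capture_filter(fields):
    """BPF capture filter derived from the alert's connection fields. Each
    value is validated first, so a malformed alert cannot inject filter terms."""
    terms = []
    if fields.get("fd.l4proto") in ("tcp", "udp"):
        terms.append(fields["fd.l4proto"])
    if "fd.sip" in fields:  # ValueError on anything but an IP literal
        terms.append("host %s" % ipaddress.ip_address(fields["fd.sip"]))
    if "fd.sport" in fields:
        port = int(fields["fd.sport"])
        if not 0 < port < 65536:
            raise ValueError("port out of range: %r" % port)
        terms.append("port %d" % port)
    return " and ".join(terms)

def build_tshark_cmd(alert_json, duration=30, iface="any", outdir="/pcaps"):
    """Return the tshark argv for a short capture scoped to the alert."""
    fields = json.loads(alert_json)["output_fields"]
    cid = fields.get("container.id", "host")
    if not re.fullmatch(r"[0-9a-f]{12}|host", cid):  # keeps the path clean
        raise ValueError("unexpected container id: %r" % cid)
    outfile = os.path.join(outdir, cid + ".pcap")
    # -a duration:N stops the capture after N seconds; -f is the BPF filter.
    return ["tshark", "-i", iface, "-a", "duration:%d" % duration,
            "-f", capture_filter(fields), "-w", outfile]

if __name__ == "__main__":
    cmd = build_tshark_cmd(sys.stdin.read(), iface=os.environ.get("CAPTURE_IFACE", "any"),
                           outdir=os.environ.get("PCAP_DIR", "/pcaps"))
    subprocess.run(cmd, check=True)  # argv list, never a shell string
```

An alert without connection fields yields an empty filter, so tshark would capture everything on the interface for the duration; a production script should refuse such alerts or fall back to a per-container filter.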

Nigel Douglas plays a key role in driving education for the detection and response segment for cloud and container security at Sysdig. He spends his time drafting articles, blogs, and taking the stage to help bring awareness to how security needs to change in the cloud.

Prior to his current role at Sysdig, he held similar engineering roles at security vendors such as Tigera, Malwarebytes and SolarWinds.

He has recently completed a Master of Science in Cybersecurity, Privacy, and Trust at South East Technological University in Ireland.