Bypassing Falco: Cluster Compromise without Tripping the SOC

Presented at CanSecWest 2022, May 19, 2022, 1:15 p.m. (60 minutes)

The explosive growth in the usage of Kubernetes container clusters has left security professionals scrambling to find and deploy innovative tools to address the inherent security risks. One such tool is The Falco Project, originally created by Sysdig. It's an incubating CNCF open source cloud native runtime security tool. Falco makes it easy to consume kernel events and enrich those events with information from Kubernetes and the rest of the cloud native stack. Falco has a rich set of security rules specifically built for Kubernetes, Linux, and Cloud. If a rule is violated, Falco will send an alert notifying of the violation and its severity. In this talk I will present my research on various techniques to silently bypass the default Falco ruleset (based on pre-latest v0.30.0). I will demonstrate nine different classes of bypasses, seven of which are novel and have never been presented. I will also introduce the special container image and multiple code snippets built specifically for Falco bypasses. The bypasses allow for stealthy target enumeration, privilege escalation and lateral movement. To wrap up, I will apply the bypass techniques on the example of the GKE Kubernetes cluster and demonstrate how an attacker can achieve full cluster compromise without tripping the SOC. This research was presented to Falco team in July and a partial sequence of fixes has made it into v0.31.0. The material for the talk is kept in a private github repo and will be made available to the public before the talk.

Presenters:

• Shay Berkovitch - Blackberry
  Shay is a Security Researcher at BlackBerry working with the Security Research Group on various aspects of container security. He worked previously at Blue Coat Systems and Symantec on WAF, SWG and other network security solutions. Shay holds a Masters’ degree from UW with (somewhat unexpected) thesis in runtime verification and has delivered several talks in academic and industrial security conferences. During the last year, his focus has been on the exciting and dynamic field of container run-time security, and particularly on Falco, Linux security controls, eBPF, XDR and vulnerability management in the context of cloud-native workloads.

Links:

• https://cansecwest2022.sched.com/event/zt54/bypassing-falco-cluster-compromise-without-tripping-the-soc

Similar Presentations:

• BSidesLV 2023 / Comprehensive Guide to Runtime Security
• BalCCon2k22 - Loading (2022) / Kubernetes Security - Challenge and Opportunity
• ToorCon San Diego 20 (2018) / Hacking and Hardening Kubernetes