Calico Cloud currently includes following detectors focused on the execution and privilege-escalation stages of cyberattacks and intrusions.
Privilege-Escalation:
- Linux-Administrative-Command: A pod was detected executing Linux administrative commands using super-user privileges.
- Set-Linux-Capabilities: A pod was detected executing commands on the system to modify a file, user, or group capabilities
Execution:
- Attack Tools: A pod was detected executing a known attack tool on the pod. For example, nmap, nping, ndiff, masscan, amass…etc
- Cryptomining Pool Hostname: A pod was detected executing curl or wget to a crypto-mining pool, an indication that the pod may be used to mine cryptocurrency.
- Curl or wget to Suspicious TLD: A pod was detected executing curl or wget to a suspicious Top Level Domain (TLD). Attackers may use CLI tools such as CURL or WGET to communicate with attack infrastructure, or download malicious payloads.
- DNS Attack Tool: A pod was detected executing a known DNS attack tool on the pod
- System Enumeration Tool: A pod was detected executing a known third-party system enumeration tool
Enable on all nodes
kubectl get ds runtime-reporter -n calico-system -o yaml | sed '/enable-tigera-runtime-security/d' | kubectl apply -f -Enable on specific nodes
To enable container threat detection on a particular node, add the enable-tigera-runtime-security: t label to that node. For example:
kubectl label nodes <node-name> enable-tigera-runtime-security=tcheck running pods
Make sure that runtime-reporters pod is runing
kubectl get pods -n tigera-runtime-security
change aggregation period
The default configuration of the runtime-reporter has an Aggregation period of 15 minutes [period: 15m].
In order to expedite testing you may like to significantly reduce this to 15 seconds
kubectl -n calico-system edit daemonset.apps/runtime-reporterChange the period: 15m to period: 15s
Note: optionally you can remove 'AnyProcessInSamePodPrefix' as well to get the pod name in the alert but You'd also get a lot of reports and alerts as a result.
deploy a testing pod
kubectl run multitool --image=wbitt/network-multitoolExamples to test
kubectl exec -it multitool -- bashLinux-Administrative-Command
adduser joseph
su -
add user joseph
chown joseph file.txtSet-Linux-Capabilities
touch file.txt
setcap cap_net_raw+ep file.txtAttack Tools
nmap -Pn -r -p 1-900 $POD_IPMitigate the risk of exploitation using security policy
Once you get the alert and are sure this is not a legitimate activity, you may need to quarantine this pod using Calico security policy.
A best practice is to always have quarantine policy preconfigured in each cluster
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: security.quarantine
spec:
tier: security
order: 100
selector: quarantine == "true"
ingress:
- action: Log
- action: Deny
egress:
- action: Log
- action: Deny
types:
- Ingress
- EgressSo you can easily quarantine the malicious workload by adding the label “quarantine=true", here is an example:
kubectl label pod maliciouspod quarantine=true