Runtime security with Falco - Blog

Iron Flower, Mar 2020

Runtime security with Falco

-- Introduction

Lately I've been researching possibilities to detect anomalies during runtime in containers. I came across Sysdig’s open source project Falco which seems to do just that. Quoted from their site: "Falco, the open source cloud-native runtime security project, is the defacto Kubernetes threat detection engine. Falco detects unexpected application behavior and alerts on threats at runtime."

Sounds good..

-- How does it work?

Falco runs as a privileged container and uses eBFP to capture system calls. Events that match a certain filter expression (rule) result in an alert which can be outputted in different ways (for example as a push message to Slack). It comes pre-equipped with a lot of essential rules and has the possibility to be extended with custom rules.

Below is a simple example taken from Falco’s manual of a condition that alerts whenever a bash shell is run inside a container. != host and = bash
The first clause checks that the event happened in a container (Sysdig events have a container field that is equal to "host" if the event happened on a regular host). The second clause checks that the process name is bash. Note that this condition does not even include a clause with a system call! It only checks event metadata. Because of that, if a bash shell does start up in a container, Falco outputs events for every syscall that is performed by that shell.

Here is another example of a rule that triggers when an attacker manages to start netcat on a victim’s container.
- macro: network_tool_procs
  condition: ( in (network_tool_binaries))

- list: network_tool_binaries
  items: [nc, ncat, nmap, dig, tcpdump, tshark, ngrep, telnet, mitmproxy, socat]

- rule: Launch Suspicious Network Tool in Container
  desc: Detect network tools launched inside container
  condition: >
    spawned_process and container and network_tool_procs
  output: >
    Network tool launched in container ( command=%proc.cmdline parent_process=%proc.pname image=%container.image.repository:%container.image.tag)
  priority: NOTICE
  tags: [network, process, mitre_discovery, mitre_exfiltration]
Fun fact: the ‘condition’ field uses the Sysdig filter syntax.

To make things more clear, i've made a demo below which shows Falco in action.

-- Set-up Demo

My test set-up consists of two docker containers. One is Falco running as a privileged container and the second one is a vulnerable website built by DVWA running in a separate container. As can bee seen below, once I try to execute a command in the container through command injection in the website Falco matches the event with one of its rules and forwards the alert to Slack.

-- Further reads

I would strongly recommend to read Skyscanner's article about their experiences implementing Falco within their Kubernetes clusters.