Fileless Attack - Detecting the Undetectable

2022-10-25

Authors: Carolina Valencia

Summary

The presentation discusses the use of Falco, Tracee, and eBPF for detecting and preventing malicious activity in Kubernetes.
  • Falco is a tool that uses rules and filters to detect malicious activity in Kubernetes
  • Tracee is another tool that uses eBPF to filter events and detect security issues
  • The presentation provides a demo of how these tools can be used to detect malicious activity
  • The speaker emphasizes the difficulty of writing effective security rules and filters
  • The speaker thanks the projects for sharing their knowledge and providing default security rules
The speaker shares their experience of working in cybersecurity and the challenges of detecting and preventing malicious activity. They highlight the importance of being aware of the various ways in which threat actors can bypass security rules and filters. The speaker also expresses gratitude towards the projects for providing default security rules and sharing their knowledge.

Abstract

A fileless attack is a technique that takes incremental steps toward gaining control of your environment while remaining undetected. In a fileless attack, the malware is loaded directly into memory and executed, evading common defenses and static scanning. Attackers may also use compression or encryption to cloak the malware file and avoid detection. Although most commonly used against Windows, the technique has recently seen growing use against Linux and, more specifically, within containers. In this guide, we will break down a fileless attack by creating a fileless demo and detecting the unexpected activity with eBPF tools from the cloud-native runtime security space: Falco, Tracee, and Tetragon.
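The abstract's detection angle, as an added example that is not part of the talk's materials or the Falco project's default ruleset: a Falco rule that fires when a process is executed from an anonymous memfd or from a tmpfs path, which is the observable side effect of loading a payload into memory without writing it to disk. It assumes Falco 0.34 or later, where the `proc.is_exe_from_memfd` field is available; the `spawned_process` macro is redefined here so the file stands alone instead of depending on the stock rules.

```yaml
# Added example (not from the talk or the Falco project): detect execution
# of a binary that exists only in memory or on a tmpfs mount.
# Assumes Falco >= 0.34 for the proc.is_exe_from_memfd field.

# Fires on the return of execve/execveat, i.e. once the new image is loaded.
- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

# The executable has no backing file on a persistent filesystem:
# either an anonymous memfd, or a file on a shared-memory tmpfs.
- macro: exe_is_memory_backed
  condition: >
    proc.is_exe_from_memfd=true
    or proc.exepath startswith "/dev/shm/"
    or proc.exepath startswith "/run/shm/"

- rule: Fileless Execution From Memory or tmpfs
  desc: >
    A process was executed from an anonymous memfd or a tmpfs path, so there
    is no on-disk file for static scanners to inspect.
  condition: >
    spawned_process
    and exe_is_memory_backed
  output: >
    Fileless execution detected (user=%user.name parent=%proc.pname
    exe=%proc.exepath cmdline=%proc.cmdline container_id=%container.id
    image=%container.image.repository)
  priority: WARNING
  tags: [fileless, process, container]
```

Load the file with `falco -r <file>` alongside the default rules. Because some legitimate workloads (JIT runtimes, certain package managers) do execute from memfd, the practical tuning step is to add an `and not proc.pname in (...)` clause populated from observed benign parents rather than to lower the priority; the alert's value lies in the parent process and container image fields, which show where the in-memory payload came from.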
