logo
allArticlesConferencesPresentations

Bypassing Falco: How to Compromise a Cluster without Tripping the SOC

Conference:  KubeCon + CloudNativeCon Europe 2022

2022-05-18

Authors:   Shay Berkovich

Summary

The presentation discusses how to bypass the default Falco ruleset and compromise a cluster without tripping the SOC.
  • Container security can be divided into four areas: cluster security, pre-deployment, post-deployment, and host security.
  • Falco is a runtime detection tool built on top of kernel modules or eBPF sensors.
  • The presentation highlights various techniques to bypass the default Falco ruleset, including syntactical comparison, regex bypass, and sensitive mount bypass.
  • The presenter introduces a special container image and code snippets built specifically for Falco bypasses.
  • The presentation demonstrates how an attacker can achieve full cluster compromise without tripping the SOC using the techniques discussed.
  • The presenter uses a demo setup with the GKE cluster and the securekubernetes cluster to illustrate the attack scenarios.
The presenter demonstrates how an attacker can use the 'sensitive mount bypass' technique to mount var or varan and use subdirectory path to refer to the docker. This allows the attacker to bypass the 'launch container with sensitive mount' rule and gain access to the shell response rule without triggering the mounting rule.

Abstract

The explosive growth of Kubernetes has left security professionals scrambling to deploy innovative tools to address the inherent security risks. One such tool is The Falco Project - an incubating CNCF tool for detecting malicious activity at run time. Falco, like many security tools, has some gaps. This talk highlights these gaps by introducing various techniques to silently bypass the default Falco ruleset (based on Falco v0.30.0 release). The attendees will learn 9 different classes of bypasses, 7 of which are novel and have never been presented. The bypasses allow for stealthy target enumeration, privilege escalation and lateral movement. To aid with the bypass automation, Shay will introduce a special container image and multiple code snippets built specifically for Falco bypasses. To wrap up, we will apply the bypass techniques on securekubernetes cluster (presented on KubeCon NA 2019) and demonstrate how an attacker can achieve full cluster compromise without tripping the SOC.Click here to view captioning/translation in the MeetingPlay platform!
Materials:
Slides
Tags:
Kubernetes
Security
Falco
CNCF
containers

Post a comment

Related work

You have No Idea Who Sent that Email: 18 Attacks on Email Sender Authentication

Conference:  BlackHat USA 2020
Authors:
2020-08-06

PPLdump Is Dead. Long Live PPLdump!

Conference:  Black Hat Asia 2023
Authors: Gabriel Landau
2023-05-11

Dirty Bin Cache: A New Code Injection Poisoning Binary Translation Cache

Conference:  Black Hat Asia 2023
Authors: Koh Nakagawa
2023-05-12

Circumventing the Guardians: How the Security Features in State-of-the-Art TLS Inspection Solutions can be Exploited for Covert Data Exfiltration

Conference:  BlackHat EU 2020
Authors:
2020-12-10

Greetings from the '90s: Exploiting the Design of Industrial Controllers in Modern Settings

Conference:  BlackHat USA 2021
Authors:
2021-11-11

Vulnerability Exchange: One Domain Account For More Than Exchange Server RCE

Conference:  Defcon 29
Authors:
2021-08-01