
Bypassing Falco: How to Compromise a Cluster without Tripping the SOC

2022-05-18

Authors:   Shay Berkovich


Summary

The presentation shows how to bypass Falco's default ruleset and compromise a Kubernetes cluster without tripping the SOC.
  • Container security can be divided into four areas: cluster security, pre-deployment, post-deployment, and host security.
  • Falco is a runtime detection tool that captures system calls through a kernel module or an eBPF probe and matches them against a ruleset.
  • The presentation highlights several classes of bypass against the default Falco ruleset, including syntactic comparison bypasses (rules that compare strings literally), regex bypasses, and the sensitive mount bypass.
  • The presenter introduces a container image and code snippets built specifically for automating Falco bypasses.
  • The presentation demonstrates how an attacker can chain these techniques into a full cluster compromise without tripping the SOC.
  • The demo setup uses a GKE cluster and the securekubernetes cluster to illustrate the attack scenarios.
The presenter demonstrates the 'sensitive mount bypass' in detail: instead of mounting /var/run/docker.sock directly, the attacker mounts a parent directory such as /var or /var/run and then reaches the Docker socket through a subdirectory path inside the container. Because the default 'Launch Sensitive Mount Container' rule compares each mount source against a fixed list of sensitive paths, the parent-directory mount does not match, so the attacker obtains the Docker socket, and with it control of the host's Docker daemon, without triggering the rule.
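The following is an added example, not code from the talk or from the Falco project: a simplified model of the default sensitive_mount macro's literal source-path matching, the parent-directory mount that slips past it, and a hardened check that also flags any mount whose source is an ancestor of a sensitive path. The pattern list mirrors the v0.30.0-era default macro (glob syntax, matched against the mount source); the mount scenarios are constructed for the example.

```python
"""Model of Falco's default sensitive_mount check and the parent-directory bypass.

Added example, not Falco's engine or rule file: matching is fnmatch-based, the
pattern list mirrors the default macro, and the mounts below are constructed.
"""
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List, Optional, Tuple

# Source-path patterns from the default sensitive_mount macro, written there as
# container.mount.dest[<pattern>] != "N/A" (pattern = host source path, glob allowed).
SENSITIVE_SOURCE_PATTERNS: List[str] = [
    "/proc*",
    "/var/run/docker.sock",
    "/var/run/crio/crio.sock",
    "/var/lib/kubelet",
    "/var/lib/kubelet/pki",
    "/",
    "/etc",
    "/root*",
]

Mount = Tuple[str, str]  # (host source path, container destination path)


def default_rule_fires(mounts: Iterable[Mount]) -> bool:
    """Default behaviour: fire only when a mount *source* matches a pattern literally."""
    return any(fnmatchcase(src, pat) for src, _ in mounts for pat in SENSITIVE_SOURCE_PATTERNS)


def _is_parent(parent: str, path: str) -> bool:
    """True when `path` equals `parent` or lies underneath it."""
    parent = parent.rstrip("/") or "/"
    if parent == "/":
        return True
    return path == parent or path.startswith(parent + "/")


def hardened_rule_fires(mounts: Iterable[Mount]) -> bool:
    """Also fire when a mount source is an ancestor of a sensitive path: the sensitive
    file is then reachable through a subdirectory of the mount destination."""
    for src, _ in mounts:
        for pat in SENSITIVE_SOURCE_PATTERNS:
            if fnmatchcase(src, pat):
                return True
            literal = pat.rstrip("*")  # "/proc*" -> "/proc"; exact patterns unchanged
            if _is_parent(src, literal):
                return True
    return False


def reachable_as(mounts: Iterable[Mount], host_path: str) -> Optional[str]:
    """Container-side path through which `host_path` is reachable, or None.
    This is the attacker's view: the socket is addressed by a subdirectory path."""
    for src, dest in mounts:
        if _is_parent(src, host_path):
            rel = host_path[len(src.rstrip("/")):]  # keeps its leading "/" (empty for exact)
            return dest.rstrip("/") + rel
    return None


# Constructed scenarios (hypothetical mounts, not from the talk's demo).
SCENARIOS: Dict[str, List[Mount]] = {
    "direct": [("/var/run/docker.sock", "/var/run/docker.sock")],  # caught by default rule
    "parent_run": [("/var/run", "/mnt/run")],                     # bypass: "/var/run" != literal
    "parent_var": [("/var", "/host/var")],                        # bypass: one level higher
    "benign": [("/tmp/cache", "/cache")],                         # neither rule fires
}


def evaluate(mounts: Iterable[Mount]) -> Dict[str, object]:
    """Summarise what each rule variant sees and where the Docker socket ends up."""
    mounts = list(mounts)
    return {
        "default": default_rule_fires(mounts),
        "hardened": hardened_rule_fires(mounts),
        "docker_sock_at": reachable_as(mounts, "/var/run/docker.sock"),
    }


if __name__ == "__main__":
    for name, mounts in SCENARIOS.items():
        print(f"{name:11s} {evaluate(mounts)}")
```

Run stand-alone, the "parent_run" and "parent_var" scenarios show the gap: the default check stays silent while the socket is reachable at /mnt/run/docker.sock and /host/var/run/docker.sock respectively. The Falco-side equivalent of the hardened check is to widen the macro's glob patterns (for example adding entries such as /var/run* or /var*), which trades the bypass for more false positives on legitimate /var mounts; the underlying point of the talk stands either way, namely that the default rules compare mount sources literally.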

Abstract

The explosive growth of Kubernetes has left security professionals scrambling to deploy innovative tools to address the inherent security risks. One such tool is The Falco Project - an incubating CNCF tool for detecting malicious activity at run time. Falco, like many security tools, has some gaps. This talk highlights these gaps by introducing various techniques to silently bypass the default Falco ruleset (based on the Falco v0.30.0 release). The attendees will learn 9 different classes of bypasses, 7 of which are novel and have never been presented. The bypasses allow for stealthy target enumeration, privilege escalation and lateral movement. To aid with bypass automation, Shay will introduce a special container image and multiple code snippets built specifically for Falco bypasses. To wrap up, we will apply the bypass techniques on the securekubernetes cluster (presented at KubeCon NA 2019) and demonstrate how an attacker can achieve full cluster compromise without tripping the SOC.

Materials: