TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Black Hills InfoSec

Better Together: Real Time Threat Detection for Kubernetes with Atomic Red Tests & Falco

BHIS · 2024-01-04

ATT&CK techniques detected

3 predictions
T1204.002 Malicious File (85%)
"sensitive file opened for reading by non-trusted program' Now, it's time to simulate our threat: Invoke-AtomicTest T1556.003 ## T1036.005 Masquerading: Match Legitimate Name or Location. This test scenario executes a process from a directory masquerading as the current…"
T1556.003 Pluggable Authentication Modules (53%)
"/redcanaryco/atomic-red-team/blob/master/atomics/indexes/indexes-markdown/linux-index.md). ## T1556.003 Modify Authentication Process. In this scenario, Atomic Red generates three Pluggable Authentication Modules (PAM): two malicious PAM rules for Lin…"
T1685.006 Clear Linux or Mac System Logs (34%)
"of system or user-initiated actions via system logs. The majority of native system logging is stored under the '/var/log/' directory. kubectl logs -f --tail=0 -n falco -c falco -l app.kubernetes.io/name=falco | grep 'Log files were tampered' Now, it's ti…"

Summary

Nigel Douglas: As a Developer Advocate working on Project Falco, Nigel Douglas plays a key role in driving education for the Open-Source Detection and Response (D&R) segment of cloud-native […]

The post Better Together: Real Time Threat Detection for Kubernetes with Atomic Red Tests & Falco appeared first on Black Hills Information Security, Inc.