Finding the Needles in a Haystack - Identifying Suspicious Behaviors with eBPF

Explore a comprehensive conference talk on leveraging Extended Berkeley Packet Filter (eBPF) to identify suspicious behaviors in Kubernetes environments. Delve into AWS's approach to detecting security risks such as communication with command and control systems, Tor clients, and cryptocurrency miners. Learn about the challenges in securing Kubernetes, various approaches to threat detection, and why AWS chose eBPF over other options. Gain insights into eBPF's functionality, advantages, and disadvantages, as well as common use cases. Discover how AWS implements eBPF in GuardDuty, including system call tracing techniques, rich container and process context collection, and on-host versus backend processing. Examine an example scenario of command injection exploitation and the resulting detections. Conclude with actionable insights for enhancing Kubernetes security using eBPF technology.

Intro
The challenges
Different approaches
Introducing Extended Berkeley Packet Filter (eBPF)
How it works
Linux kernel diagram
How GD is using eBPF
Getting started with eBPF
eBPF Advantages & Disadvantages
Common eBPF use cases
eBPF @ Amazon
Why eBPF for GuardDuty
System Call Tracing with eBPF
System Call Tracing - Avoiding Race Conditions
Rich Container and Process Context
Collected Metadata Kernel and Userspace
Monitored Events
On-Host Versus Backend Processing
Example Scenario Command Injection Exploitation
Example Scenario Detections
Actionable Detections
Summary