CanSecWest 2022 has ended
Thursday, May 19 • 13:15 - 14:15
Bypassing Falco: Cluster Compromise without Tripping the SOC

The explosive growth in the usage of Kubernetes container clusters has left security professionals scrambling to find and deploy innovative tools to address the inherent security risks. One such tool is The Falco Project, originally created by Sysdig. It's an incubating CNCF open source cloud native runtime security tool. Falco makes it easy to consume kernel events and enrich those events with information from Kubernetes and the rest of the cloud native stack. Falco has a rich set of security rules specifically built for Kubernetes, Linux, and Cloud. If a rule is violated, Falco will send an alert notifying of the violation and its severity.

In this talk I will present my research on various techniques to silently bypass the default Falco ruleset (based on pre-latest v0.30.0). I will demonstrate nine different classes of bypasses, seven of which are novel and have never been presented. I will also introduce a special container image and multiple code snippets built specifically for Falco bypasses. The bypasses allow for stealthy target enumeration, privilege escalation and lateral movement. To wrap up, I will apply the bypass techniques to a GKE Kubernetes cluster as an example and demonstrate how an attacker can achieve full cluster compromise without tripping the SOC.

This research was presented to the Falco team in July and a partial sequence of fixes has made it into v0.31.0. The material for the talk is kept in a private GitHub repo and will be made available to the public before the talk.

Shay Berkovitch

Researcher, Blackberry
Shay is a Security Researcher at BlackBerry working with the Security Research Group on various aspects of container security. He worked previously at Blue Coat Systems and Symantec on WAF, SWG and other network security solutions. Shay holds a Master's degree from UW with (somewhat...

Thursday May 19, 2022 13:15 - 14:15 PDT
Main CanSecWest Ballroom - Sheraton Wall Center 1000 Burrard St, Vancouver, BC V6Z 2R9