At CloudNativeSecurityCon 2023 ~ Using eBPF to Identify Suspicious Behavior
At CloudNativeSecurityCon 2023 in Seattle, Washington, AWS engineers Jeremy Cowan and Wasiq Muhammad discussed identifying suspicious behavior using eBPF, its use cases, and how AWS uses it for threat detection and protection.
Cowan began by highlighting the challenges information security practitioners face today, namely the impact of threat detection and runtime event monitoring on stability and performance. He also discussed the difficulty of separating signal from noise.
After introducing various approaches to overcoming these challenges, he introduced eBPF and explained why it is useful for networking, security, and observability use cases.
He then discussed the advantages and disadvantages of eBPF and described how eBPF is used in AWS products such as Lambda, the VPC CNI, and GuardDuty.
eBPF was a hot topic in the event’s six breakout sessions, as well as a keynote from Isovalent’s Chief Open Source Officer, Liz Rice. In her keynote, Liz showed how to use eBPF to visually solve security problems. InfoQ sat down with Liz to discuss eBPF, events, and cloud-native security.
I’ve been interested in eBPF since 2017. At the time, it required a state-of-the-art kernel, but I thought it would end up being an interesting and useful technology base. Everyone is now running a kernel that can take advantage of eBPF. There are some great eBPF-based tools that allow you to see what’s going on in userspace from the kernel’s perspective. It is very powerful and can fetch powerful data. Whether it’s helping people understand how to operate their platforms, diagnosing issues, or helping build security tools, great tools now bring us wealth. I feel like we are standing on the threshold of a bright future.
Muhammad then explained system call tracing using eBPF and the ability to retrieve system call arguments and data about the process.
He emphasized that eBPF can provide rich context for containers and processes, and said users want container-level detail in monitoring and threat detection. For example, eBPF can detect events related to container creation, file system access, network communication, and interaction with other containers.
He also noted that AWS has decided to do event processing on the back end rather than on the host, which gives it more flexibility in applying threat intelligence or leveraging machine learning.
Muhammad concluded by describing an example scenario in which a cryptominer is downloaded and run in a container and connects to a mining pool, explaining how eBPF-based monitoring and detection can provide protection.
Cowan concluded by highlighting that the benefits of using eBPF for threat detection, combined with the power of the cloud and AI/ML, can help surface even the hardest-to-find information.
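As an added example (not code from the talk or from AWS), the bpftrace script below shows the kind of syscall-level visibility described above: it logs every execve with the binary path taken from the syscall arguments and every outbound IPv4 TCP connect with its destination, stamping each event with the process's cgroup id so that a miner launched inside one container can be attributed to that container. It assumes root and a kernel with BTF; the socket-struct handling follows the pattern used by bpftrace's own tcpconnect tool.

```bpftrace
#!/usr/bin/env bpftrace
/*
 * Added example (not from the AWS talk): surface process execution and
 * outbound TCP connections with process context, tagging each event with
 * the cgroup id so it can be attributed to a specific container.
 * Assumes root and a kernel with BTF.
 */
#ifndef BPFTRACE_HAVE_BTF
#include <linux/socket.h>
#include <net/sock.h>
#else
#define AF_INET 2
#endif

BEGIN
{
  printf("%-8s %-7s %-16s %-12s %s\n", "TIME", "PID", "COMM", "CGROUP", "EVENT");
}

// New program image loaded: the binary path is a syscall argument we can read.
tracepoint:syscalls:sys_enter_execve
{
  printf("%-8s %-7d %-16s %-12d exec %s\n",
         strftime("%H:%M:%S", nsecs), pid, comm, cgroup, str(args.filename));
}

// Outbound TCP connect: destination address and port come from the socket struct.
kprobe:tcp_connect
{
  $sk = (struct sock *)arg0;
  if ($sk->__sk_common.skc_family == AF_INET) {
    $dport = $sk->__sk_common.skc_dport;
    $dport = ($dport >> 8) | (($dport << 8) & 0xff00);   // network to host byte order
    printf("%-8s %-7d %-16s %-12d connect %s:%d\n",
           strftime("%H:%M:%S", nsecs), pid, comm, cgroup,
           ntop($sk->__sk_common.skc_daddr), $dport);
    // Per-container, per-process count of connection attempts: a freshly
    // executed binary that keeps dialing out from one container stands out here.
    @connects[cgroup, comm] = count();
  }
}

END
{
  printf("\nconnection attempts by [cgroup, comm]:\n");
  print(@connects);
  clear(@connects);
}
```

Correlating the exec line and the connect lines by cgroup id, and then mapping that id back to a container runtime's cgroup path, gives the container-level detail the talk describes without any agent inside the container.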
eBPF is a mechanism for securely executing sandboxed applications within the operating system kernel without modifying the kernel source code.
Recordings of the breakout sessions are available on the CNCF’s YouTube channel. Presentation slides are available on the event webpage.