
Sebastian Darmaz
Software Engineer @Microsoft
Tallinn, Estonia
I am a passionate engineer with a strong interest in the Linux kernel and robotics. I enjoy exploring new ways to use technology to innovate and improve my robots' knowledge. As an engineer, I strive to create useful hardware and software so that I can empower everyone through it.
Advanced Threat Detection and Mitigation in Kubernetes Environments using eBPF
We'll explore how eBPF can be used for both observability and security in Kubernetes environments. While eBPF is already used for passive security, raising warnings about possibly malicious behaviour, it can also be used for active defence by correlating the different actions happening in the system. By building a decision tree that links separate events together and prevents a final outcome, eBPF can be the key to no-touch active security; observing the decision tree over a period of time, we can find patterns and improve it. Looking at a specific attack scenario from a technical perspective: a file is downloaded onto the system, a user makes it executable and executes it, then a new connection to the outside world is made and our precious data is leaked. eBPF can detect any syscall or function. By leveraging that, we can have an eBPF map that chains the possible syscalls together and mitigates the final step by either returning from the syscall early or stopping it.
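As an added illustration of the chain described in this abstract (not code from the speaker or the talk), the following userspace simulation stands in for the eBPF map: it feeds constructed syscall events through the write, chmod, execve, connect sequence and denies only the final hop. The event format, the `ChainCorrelator` class and the sample paths and addresses are all assumptions made for this example.

```python
from dataclasses import dataclass, field

# Constructed sample events standing in for eBPF tracepoint output: (pid, syscall, args).
EVENTS = [
    (7,    "connect", {"dst": "10.0.0.5"}),                      # benign daemon, no chain
    (4242, "write",   {"path": "/tmp/payload"}),                 # 1. file downloaded
    (4242, "chmod",   {"path": "/tmp/payload", "mode": 0o755}),  # 2. made executable
    (4242, "execve",  {"path": "/tmp/payload"}),                 # 3. executed
    (4242, "connect", {"dst": "203.0.113.9"}),                   # 4. egress -> deny
    (9,    "write",   {"path": "/tmp/notes"}),                   # write, but never +x
    (9,    "chmod",   {"path": "/tmp/notes", "mode": 0o644}),    # no exec bit: chain stops
    (9,    "connect", {"dst": "10.0.0.5"}),                      # therefore allowed
]

@dataclass
class ChainCorrelator:
    """Userspace stand-in for the eBPF map that links the chain's steps together."""
    file_stage: dict = field(default_factory=dict)   # path -> last step reached (1..3)
    tainted_pid: dict = field(default_factory=dict)  # pid -> path of the chain's binary

    def feed(self, pid: int, syscall: str, args: dict) -> str:
        """Return the verdict for one event; only the final hop is ever denied."""
        path = args.get("path")
        if syscall == "write":
            self.file_stage[path] = 1
        elif syscall == "chmod" and self.file_stage.get(path) == 1:
            if args["mode"] & 0o111:             # only an executable bit advances the chain
                self.file_stage[path] = 2
        elif syscall == "execve" and self.file_stage.get(path) == 2:
            self.file_stage[path] = 3
            self.tainted_pid[pid] = path         # the process now carries the chain's taint
        elif syscall == "connect" and pid in self.tainted_pid:
            return "deny"                        # mitigate at the last step of the chain
        elif syscall == "exit":
            self.tainted_pid.pop(pid, None)      # a reused pid must not inherit the taint
        return "allow"

def run(events):
    """Feed events in order; return the (pid, dst) pairs whose connect was denied."""
    c = ChainCorrelator()
    return [(pid, a["dst"]) for pid, sc, a in events if c.feed(pid, sc, a) == "deny"]

if __name__ == "__main__":
    print(run(EVENTS))  # [(4242, '203.0.113.9')]
```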