Runtime Threat Detection on Kubernetes
Detecting anomalous syscalls, crypto mining, and lateral movement with Falco and SIEM integration.
Runtime Threat Detection on Kubernetes
Why runtime matters
Configuration and image scanning cannot catch in-memory exploits, stolen tokens used at runtime, or insider abuse.
Falco overview
Falco uses kernel events (eBPF) to detect suspicious behavior:
- Shell spawned in production container
- Unexpected outbound connection to metadata IP
- Write to
/etcor sensitive paths - Crypto miner process patterns
Example rule (conceptual)
- rule: Shell in Container
desc: Detect shell execution in running container
condition: spawned_process and container and proc.name in (bash, sh, zsh)
output: Shell spawned in container (user=%user.name container=%container.name)
priority: WARNINGResponse playbook
- Alert → SIEM with pod, namespace, image digest
- Triage Known deploy vs anomaly
- Contain NetworkPolicy deny-all on pod; scale to zero if critical
- Forensics Capture logs, memory dump policy, rotate secrets
- Post-incident Patch image, tighten admission policy
Integration
Forward Falco events to Elasticsearch/Loki → Grafana dashboards → PagerDuty for critical rules only.