Calico Cloud documentation

Container threat detection

Protect your cluster with our eBPF runtime threat detection engine, which detects malware and suspicious process activity in your containers.

Value

Calico Cloud provides a threat detection engine that analyzes observed file and process activity to detect known malicious and suspicious activity.

As part of these threat detection capabilities, Calico Cloud maintains a database of malware file hashes. This database consists of SHA256, SHA1, and MD5 hashes of executable file contents that are known to be malicious. Whenever a program is launched in a Calico Cloud cluster, malware detection generates an alert in the Security Events Dashboard if the program's hash matches one that is known to be malicious.

Our threat detection engine also monitors activity within the containers running in your clusters to detect suspicious behavior and generate corresponding alerts. The threat detection engine monitors the following types of suspicious activity within containers:

  • Access to sensitive system files and directories
  • Command and control
  • Defense evasion
  • Discovery
  • Execution
  • Impact
  • Persistence
  • Privilege escalation

Before you begin...

Required

Calico Cloud Container threat detection uses eBPF to monitor container activity, and it runs on Linux-based nodes in a Kubernetes cluster.

Nodes require amd64 (x86_64) architecture CPUs and one of the following distributions:

  • Ubuntu Bionic with kernel version 4.15.0 or 5.4.0
  • Ubuntu Focal with kernel version 5.4.0, 5.8.0 or 5.11.0
  • CentOS 7 or 8
  • Fedora 29, 30, 31, 32, 33 or 34
  • Amazon Linux 2
  • Debian Stretch or later
  • Any other distribution with a Linux kernel 5.0 or later that provides BPF Type Format (BTF) for that kernel at the standard place (/sys/kernel/btf/vmlinux)

Note: If your nodes are running a variant kernel, or a similarly modern kernel on another platform, please open a Support ticket so we can bundle the BTF data to precisely match the kernel version running on your cluster nodes.

How to

Enable Container Threat Detection

Container threat detection is disabled by default.

To enable Container threat detection on your managed cluster, go to the Threat Defense section in the Calico Cloud UI, and select Enable Container Threat Detection. This will result in Container threat detection running on all nodes in the managed cluster to detect malware and suspicious processes.

Alternatively, Container threat detection can be enabled using kubectl:

kubectl apply -f - <<EOF
apiVersion: operator.tigera.io/v1
kind: RuntimeSecurity
metadata:
  name: default
EOF

Monitor the Security Events page for malicious programs

If a malicious or suspicious program is run within the cluster, it will be reported on the Security Events page of the Calico Cloud UI.

(Screenshot: example malware alert on the Security Events page)

Exclude a process from Security Events alerts

You can turn off Security Events alerts for processes in your cluster that you know to be safe.

To create an exception, add the process to the Runtime Security resource with kubectl:

Example RuntimeSecurity CR with exceptions:

kubectl apply -f - <<EOF
apiVersion: operator.tigera.io/v1
kind: RuntimeSecurity
metadata:
  name: default
spec:
  runtimeExceptionList:
    # Exact: the full process invocation must match, restricted to the named namespace.
    - matching: Exact
      processInvocation: "runc init"
      namespace: default
    # Regex: one expression covers several commands; no namespace field is given here.
    # Single quotes keep the backslashes literal: in a double-quoted YAML scalar
    # "\b" is the escape for a backspace character, not a regex word boundary.
    - matching: Regex
      processInvocation: '\b(shred|rm|mv).*((bash|ash|zsh|fish|fish_read)_history|history)\b'
EOF

The matching field takes one of two values: Exact or Regex. Exact requires each field to match the process invocation exactly, whereas Regex lets you pass a regular expression that captures more than one value for each field.
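To see how the two matching modes silence or keep alerts, here is an added example (not Calico Cloud's own code) that evaluates constructed process events against the exception list from the snippet above; the evaluation semantics (Exact compares the whole invocation, Regex is searched within it, a namespace field restricts the entry to that namespace) are assumptions made for the illustration.

```python
import re

# Constructed exception list mirroring the page's RuntimeSecurity example.
# The semantics below are an assumption for this illustration, not Calico
# Cloud's implementation: Exact compares the whole invocation string, Regex is
# searched within it, and a namespace field (when present) limits the entry.
RUNTIME_EXCEPTION_LIST = [
    {"matching": "Exact", "processInvocation": "runc init", "namespace": "default"},
    {"matching": "Regex",
     "processInvocation": r"\b(shred|rm|mv).*((bash|ash|zsh|fish|fish_read)_history|history)\b"},
]


def exception_matches(entry: dict, invocation: str, namespace: str) -> bool:
    """Return True if one runtimeExceptionList entry suppresses this event."""
    if "namespace" in entry and entry["namespace"] != namespace:
        return False
    if entry["matching"] == "Exact":
        return entry["processInvocation"] == invocation
    if entry["matching"] == "Regex":
        return re.search(entry["processInvocation"], invocation) is not None
    raise ValueError(f"unknown matching mode: {entry['matching']}")


def is_excluded(invocation: str, namespace: str, exceptions=RUNTIME_EXCEPTION_LIST) -> bool:
    """An event is silenced if any exception entry matches it."""
    return any(exception_matches(e, invocation, namespace) for e in exceptions)


# Constructed sample events: (namespace, process invocation) as a detector would see them.
SAMPLE_EVENTS = [
    ("default", "runc init"),                       # Exact match in the right namespace
    ("kube-system", "runc init"),                   # same command, wrong namespace
    ("default", "rm -f /root/.bash_history"),       # history wipe, matched by the regex
    ("payments", "shred -u /home/app/.zsh_history"),
    ("payments", "rm -rf /tmp/build"),              # rm without a history file: still alerted
    ("default", "runc init --extra"),               # Exact does not do prefix matching
]


def triage(events=SAMPLE_EVENTS):
    """Split events into those still alerted on and those silenced by exceptions."""
    alerted = [e for e in events if not is_excluded(e[1], e[0])]
    silenced = [e for e in events if is_excluded(e[1], e[0])]
    return alerted, silenced


if __name__ == "__main__":
    alerted_events, silenced_events = triage()
    for ns, inv in silenced_events:
        print(f"silenced [{ns}] {inv}")
    for ns, inv in alerted_events:
        print(f"ALERT    [{ns}] {inv}")
```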

Update detectors settings

Threat detection capabilities are provided by detectors that protect against specific MITRE techniques. Detectors are grouped by the MITRE tactics they protect against. Additional information for each detector can be found by clicking on a detector. All detectors are enabled by default, with the option of disabling specific detectors if needed.

(Screenshot: CTD Detector Settings)

Configure detectors via RuntimeSecurity Custom Resource

Detector settings configured through the UI are stored in the cluster's RuntimeSecurity custom resource. When you manage multiple clusters, you can read that configuration from one cluster and apply the same configuration to all of them.

Get the reference detectorsConfig from the cluster whose detectors you configured in the UI:

detectorsConfig="$(kubectl get runtimesecurities.operator.tigera.io default -o jsonpath="{.spec.detectorsConfig}")"

Container Threat Detection can then be enabled with the desired configuration in a single command (the shell variable must be the same one set above):

kubectl patch -n tigera-runtime-security runtimesecurities.operator.tigera.io default --type='merge' -p="{\"spec\":{\"detectorsConfig\": $detectorsConfig}}"

Container activity logs in Kibana

Lower-level reports for file and process activity are captured for your cluster in Kibana using the index pattern tigera_secure_ee_runtime*. Please note that most of these reports are not malicious; they constitute the raw data against which known malicious program fingerprints and activity patterns are compared. Suspicious and known malicious activity is reported on the Security Events page of the Calico Cloud UI.