How to identify malicious IP activity using Falco
One of the most common security use cases, is the ability to identify connections generated by malicious actors, or internal components connecting to suspicious servers (e.g malware C&Cs).
In this post, we will show how to leverage the Falco engine, to identify connections made to IPs that were flagged by multiple security sensors, and are streamed as a feed to the Falco engine.
On top of that, we will suggest a workflow, that can be used by security practitioners, that allows not only alerting on such events, but also propagating the data in a way that can help assigning a risk score, and build policies at the broader organization level.
For those of you who are not familiar with Falco, a good starting point will be the following webpage. This post assumes basic familiarity with the Engine.
The end goal is –
- Identify connections to/from malicious IPs using Falco
- Constantly update the list of malicious IPs so we are up to date
- Generate enough supporting information in case of an incident
- Propagate the information throughout the estate, to better estimate the risk and apply the right mitigations
Step 1: Writing the Falco rule
We will take a top-down approach, and start by writing the Falco rule that will help us capture suspicious connections –
Short explanation on the main components:
- Condition – the filter that will be used on the stream of incoming events from Sysdig, to identify whether the rule should be triggered. Falco implements a rich language, that allows a user to create Macros, Lists and reference fields in the event. In our case, we are using one of the built-in macros – (inbound_outbound), that filters out internal traffic. The next thing we would like to achieve, is straightforward as well – if any of the directions of a connection, is a one of the IPs in the malicious IP list, trigger the rule. We will explain how the list is generated in the next section.
- Output – the message we want to display when the rule triggers. Falco allows access to a wide variety of fields, most of them are derived from the open source Sysdig project, and can be found here. One important field is the container ID. Although this rule is not aimed solely for containers, if the originating traffic comes from a container, this will be a useful information to capture.
To complete this step, we will write this rule to a file under
**Step 2: Generate a constantly updated malicious IP list **
A critical aspect of building such a rule, is to make sure we have the latest and greatest list of malicious IPs. An outdated list will generate false positives, or more importantly, miss a critical security event.
To generate the list, we are going to use the open source threat intelligence feed IPsum. This is a comprehensive feed generated from more than 30 different sources.
One great feature this list has, is the amount of sources that identified an IP as suspicious. This will help produce a more robust input, that is less likely to generate false positives. One thing to keep in mind – the list is updated once a day.
A quick and dirty one liner to get a curated list of IPs that appear in more than 5 sources, and generate a Falco list macro from it, can be found below. We will save the generated Falco list into a file named malicous_ips_list.yaml
curl --compressed https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt
2>/dev/null | grep -v "#" | grep -v -E "s[1-5]$" | cut -f 1 | sed "s/.*/'"&"',/g"
| tr 'n' ' ' | sed "s/, $//" | sed 's/.*/- list: malicous_ip_list'$'n items: [&]/'
To wrap up this step, we can set a daily cron job to update the file and restart Falco to update the rules.
**Step 3: Update Falco configuration **
Falco allows using multiple configuration files; We can update falco.yaml (by default, under /etc/falco) to use the files we just generated –
Step 4: Testing!
We can run Falco in an interactive shell window by executing the following command – “Falco -U”, and use another shell to initiate a connection from the host to one of the IPs on the list.
If all goes well, the output from Falco should resemble the following –
XX:34:10.01XXXX63: Warning Suspicious connection to/from a malicious IP detected
(command=curl XX.YY.ZZZ.163 connection=XX.YY.ZZZ.WW:33346->YY.WWW.ZZZ.XX:80