One of the most common security use cases is identifying connections generated by malicious actors, or internal components connecting to suspicious servers (e.g. malware C&Cs).
In this post, we will show how to leverage the Falco engine to identify connections made to IPs that were flagged by multiple security sensors and are streamed as a feed to the Falco engine.
On top of that, we will suggest a workflow for security practitioners that not only alerts on such events but also propagates the data in a way that helps assign a risk score and build policies at the broader organization level.
For those of you who are not familiar with Falco, a good starting point is the following webpage. This post assumes basic familiarity with the engine.
The end goal is –
**Step 1: Writing the Falco rule**
We will take a top-down approach and start by writing the Falco rule that will help us capture suspicious connections –
A short explanation of the main components:
To complete this step, we write this rule to a file under /etc/falco/malicious_ips_rule.yaml
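The post's own rule is not reproduced on this page. As an added example, not the author's rule, the following is the shape a rule of this kind takes in Falco's rule syntax and would yield the output shown in Step 4. It assumes the list is named `malicous_ip_list`, which is the name the Step 2 one-liner generates, and that the list file is loaded before the rule file (as in the Step 3 configuration), since Falco must see a list definition before a rule references it.

```yaml
# Added example, not the post's rule. The list name must match the one
# written by the Step 2 one-liner (malicous_ip_list).
- rule: Suspicious connection to/from a malicious IP
  desc: >
    A process opened or accepted a network connection whose remote address
    appears in the IPsum-derived list of IPs flagged by multiple sources.
  condition: >
    evt.type in (connect, accept) and evt.dir = < and
    fd.l4proto in (tcp, udp) and
    fd.rip in (malicous_ip_list)
  output: >
    Suspicious connection to/from a malicious IP detected
    (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id)
  priority: WARNING
  tags: [network, threat_intel]
```

`fd.rip` is the remote address of the socket regardless of which side initiated, so the same rule covers outbound connects and accepted inbound connections; `%fd.name` renders as `src:port->dst:port`, which is the `connection=` value seen in the Step 4 output.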
**Step 2: Generate a constantly updated malicious IP list**
A critical aspect of building such a rule is making sure we have the latest and greatest list of malicious IPs. An outdated list will generate false positives or, more importantly, miss a critical security event.
To generate the list, we are going to use the open source threat intelligence feed IPsum. This is a comprehensive feed generated from more than 30 different sources.
One great feature of this list is that it records the number of sources that identified an IP as suspicious. This helps produce a more robust input that is less likely to generate false positives. One thing to keep in mind – the list is updated once a day.
A quick and dirty one-liner to get a curated list of IPs that appear in more than 5 sources, and generate a Falco list from it, can be found below. We will save the generated Falco list into a file named malicious_ips_list.yaml
```sh
curl --compressed https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt 2>/dev/null \
  | grep -v "#" | grep -v -E "\s[1-5]$" | cut -f 1 | sed "s/.*/'&',/" \
  | tr '\n' ' ' | sed "s/, $//" \
  | sed 's/.*/- list: malicous_ip_list\n  items: [&]/' \
  > /etc/falco/malicious_ips_list.yaml
```
To wrap up this step, we can set a daily cron job to update the file and restart Falco to update the rules.
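The one-liner above overwrites the live list file whatever the download returned, so a network error or an HTTP error page would leave Falco with an empty or unparsable list until the next run. As an added example, not the post's own script, here is a version suitable for the daily cron job that builds the same list (same IPsum feed, same `malicous_ip_list` name, same "more than 5 sources" threshold) but validates the result before installing it. The `FEED_URL`, `LIST_FILE` and `fetch` argument are this example's own conventions.

```sh
#!/bin/sh
# Added example, not the post's own script: a safer daily refresh of the
# Falco list. Same feed and list name as the one-liner in the post, plus a
# validation step so a failed download never replaces the live list.

FEED_URL="https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt"
LIST_FILE="/etc/falco/malicious_ips_list.yaml"

# build_falco_list MIN_SOURCES LIST_NAME
# Reads IPsum-style "ip<TAB>count" lines on stdin and writes a Falco list to
# stdout, keeping only IPs reported by more than MIN_SOURCES feeds.
build_falco_list() {
  awk -v min="$1" -v name="$2" '
    /^#/ { next }                         # skip feed comment lines
    NF >= 2 && $2 + 0 > min {
      # keep only well-formed IPv4 addresses so a stray line cannot break the YAML
      if ($1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
        items = items (n++ ? ", " : "") "\047" $1 "\047"
      }
    }
    END { printf "- list: %s\n  items: [%s]\n", name, items }'
}

# count_items FILE: number of quoted IPs in a generated list file
count_items() {
  grep -o "'[0-9.]*'" "$1" | wc -l | tr -d ' '
}

# install_list SRC DEST: refuse an empty list, otherwise replace DEST atomically
install_list() {
  n=$(count_items "$1")
  if [ "$n" -eq 0 ]; then
    echo "refusing to install an empty list from $1" >&2
    return 1
  fi
  cp "$1" "$2.tmp" && mv "$2.tmp" "$2"
}

# Daily cron entry point:  sh update_malicious_ips.sh fetch
# (skipped when the file is sourced for its functions or run without arguments)
if [ "${1:-}" = "fetch" ]; then
  tmp=$(mktemp) || exit 1
  # curl -f prints nothing on an HTTP error, so install_list then refuses the file
  curl -fsS --compressed "$FEED_URL" | build_falco_list 5 malicous_ip_list > "$tmp" \
    && install_list "$tmp" "$LIST_FILE" \
    && systemctl restart falco
  rc=$?
  rm -f "$tmp"
  exit $rc
fi
```

The restart is only reached when a non-empty list was installed, so a broken feed leaves the previous day's list (and a running Falco) in place instead of an empty rules file.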
**Step 3: Update Falco configuration**
Falco can load rules from multiple files; we can update falco.yaml (by default under /etc/falco) to load the files we just generated –
```yaml
rules_file:
  - /etc/falco/falco_rules.yaml
  - /etc/falco/falco_rules.local.yaml
  - /etc/falco/rules.d
  - /etc/falco/malicious_ips_list.yaml
  - /etc/falco/malicious_ips_rule.yaml
```
**Step 4: Testing!**
We can run Falco in an interactive shell window by executing `falco -U`, and use another shell to initiate a connection from the host to one of the IPs on the list.
If all goes well, the output from Falco should resemble the following –
```
XX:34:10.01XXXX63: Warning Suspicious connection to/from a malicious IP detected
(command=curl XX.YY.ZZZ.163 connection=XX.YY.ZZZ.WW:33346->YY.WWW.ZZZ.XX:80
user=xxxx container_id=host)
```