Runtime Monitoring and Threat Detection

Runtime monitoring detects attacks that bypass preventive controls. System call monitoring identifies unusual behavior patterns. File integrity monitoring detects unauthorized modifications. Network traffic analysis reveals data exfiltration attempts. Process monitoring catches malicious executables. Comprehensive monitoring enables rapid incident detection and response.

Runtime security tools like Falco provide real-time threat detection for containers. Rule-based detection identifies known attack patterns. Behavioral analysis catches novel threats through anomaly detection. Integration with container orchestrators provides context for security events. Alert routing ensures appropriate team notification without overwhelming operations.

# Example: Falco rules for container runtime security.
# Lists and macros are declared before the rules that reference them. The
# macros spawned_process, container, open_read and outbound come from Falco's
# default falco_rules.yaml, which must be loaded ahead of this file; the
# sensitive_files and shell_procs macros below replace the default macros
# of the same name.

# Lists of values used by the rules and macros
- list: crypto_ports
  items: [3333, 4444, 5555, 7777, 8333, 8888, 9999, 14444, 45700]

- list: crypto_miners
  items: [minerd, xmrig, cgminer, bfgminer, ethminer, equihash, minergate, nheqminer]

- list: allowed_shells_containers
  items: [debug-tools, development]

- list: monitoring_containers
  items: [falco, datadog-agent, prometheus-node-exporter]

# Processes permitted to read sensitive files. Placeholder entries: tune per fleet.
- list: allowed_procs
  items: [sshd, sudo, su, login]

# Custom macros for reusable conditions
- macro: sensitive_files
  condition: >
    fd.name startswith /etc/shadow or
    fd.name startswith /etc/sudoers or
    fd.name startswith /etc/pam.d or
    fd.name contains "id_rsa" or
    fd.name contains "id_dsa" or
    fd.name contains ".aws/credentials"

- macro: shell_procs
  condition: >
    proc.name in (ash, bash, csh, ksh, sh, tcsh, zsh, dash) or
    (proc.name = python and proc.cmdline contains "-c") or
    (proc.name = perl and proc.cmdline contains "-e")

# Rules
- rule: Terminal shell in container
  desc: Detect interactive shell spawned in container
  condition: >
    spawned_process and
    container and
    shell_procs and
    proc.tty != 0 and
    not container.image.repository in (allowed_shells_containers)
  output: >
    Interactive shell spawned in container
    (user=%user.name %container.info proc=%proc.cmdline tty=%proc.tty)
  priority: WARNING
  tags: [container, shell, interactive]

- rule: Sensitive file access in container
  desc: Detect access to sensitive files from container
  condition: >
    open_read and
    container and
    sensitive_files and
    not proc.name in (allowed_procs) and
    not container.image.repository in (monitoring_containers)
  output: >
    Sensitive file opened for reading by container
    (file=%fd.name proc=%proc.cmdline %container.info)
  priority: ERROR
  tags: [container, filesystem, sensitive_data]

# Match only the setuid exit event (evt.dir=>), so each call fires once. The
# calling process is identified by user.uid; the uid argument of setuid is
# rendered as a user name by Falco, so the target is compared against root.
- rule: Container privilege escalation
  desc: Detect privilege escalation in running container
  condition: >
    evt.type = setuid and evt.dir=> and
    container and
    not container.privileged and
    user.uid != 0 and
    evt.arg.uid = root
  output: >
    Privilege escalation detected in container
    (uid=%user.uid to=%evt.arg.uid proc=%proc.cmdline %container.info)
  priority: CRITICAL
  tags: [container, privilege_escalation]

# A process-spawn event and a network-connect event are never the same event,
# so the execve checks and the outbound-port check are separate branches.
- rule: Cryptocurrency mining detected
  desc: Detect cryptocurrency mining in containers
  condition: >
    container and
    ((spawned_process and
      (proc.name in (crypto_miners) or proc.cmdline contains "stratum+tcp")) or
     (outbound and fd.sport in (crypto_ports)))
  output: >
    Cryptocurrency mining detected in container
    (proc=%proc.cmdline %container.info connection=%fd.name)
  priority: CRITICAL
  tags: [container, cryptomining, malware]
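The alert-routing point made above (notify the right team without flooding operations) can be applied to the JSON events Falco emits for the rules in this file. The following is an added example, not Falco's own code or tooling: it reads Falco's `json_output` lines, maps priority and tags to a notification target, and collapses repeats of the same rule for the same container inside a time window. The target names, the `allowed` tag choices and the sample events are constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Alert targets are hypothetical names standing in for a pager or chat
# integration; priority strings match Falco's JSON output ("Critical", ...).
PRIORITY_ROUTES = {"Critical": "security-oncall-pager",
                   "Error": "security-team-chat",
                   "Warning": "platform-team-chat"}
# Tags from the rules above that should page regardless of priority.
TAG_ROUTES = {"cryptomining": "security-oncall-pager",
              "privilege_escalation": "security-oncall-pager"}

def parse_falco_time(ts):
    # Falco emits RFC 3339 with nanoseconds; keep the second-level prefix so
    # parsing does not depend on fractional-second support.
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S")

class FalcoRouter:
    """Route Falco JSON events, collapsing repeats of one rule in one container."""
    def __init__(self, window_seconds=300):
        self.window = timedelta(seconds=window_seconds)
        self.last_sent = {}                 # (rule, container.id) -> last notification
        self.suppressed = defaultdict(int)  # (rule, container.id) -> repeats swallowed

    def route(self, line):
        event = json.loads(line)
        container = event.get("output_fields", {}).get("container.id", "host")
        key = (event["rule"], container)
        when = parse_falco_time(event["time"])
        last = self.last_sent.get(key)
        if last is not None and when - last < self.window:
            self.suppressed[key] += 1
            return None                     # duplicate inside the window: stay quiet
        self.last_sent[key] = when
        target = next((TAG_ROUTES[t] for t in event.get("tags", []) if t in TAG_ROUTES),
                      PRIORITY_ROUTES.get(event["priority"], "security-team-chat"))
        return {"target": target, "rule": event["rule"], "container": container,
                "priority": event["priority"], "summary": event["output"]}

# Constructed sample events in Falco's JSON output shape (not real captures).
SAMPLE_EVENTS = [
    '{"time":"2024-05-01T10:00:00.000000000Z","priority":"Critical","rule":"Cryptocurrency mining detected","tags":["container","cryptomining"],"output":"Cryptocurrency mining detected in container (proc=xmrig)","output_fields":{"container.id":"abc123"}}',
    '{"time":"2024-05-01T10:02:00.000000000Z","priority":"Critical","rule":"Cryptocurrency mining detected","tags":["container","cryptomining"],"output":"Cryptocurrency mining detected in container (proc=xmrig)","output_fields":{"container.id":"abc123"}}',
    '{"time":"2024-05-01T10:03:00.000000000Z","priority":"Warning","rule":"Terminal shell in container","tags":["container","shell","interactive"],"output":"Interactive shell spawned in container (proc=bash tty=34816)","output_fields":{"container.id":"def456"}}',
    '{"time":"2024-05-01T10:04:00.000000000Z","priority":"Error","rule":"Sensitive file access in container","tags":["container","filesystem"],"output":"Sensitive file opened for reading by container (file=/etc/shadow)","output_fields":{"container.id":"abc123"}}',
]

def route_all(lines, window_seconds=300):
    router = FalcoRouter(window_seconds)
    return [router.route(line) for line in lines], router
```

In production the lines would come from Falco's stdout, file output or an HTTP output hook, and the returned decision would be handed to the notification client.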