Detect cloud-native security threats with Tracee

The cloud-native threat landscape is constantly evolving. Research by Aqua's Team Nautilus in 2021 revealed higher levels of attack sophistication and an increase in the volume of attacks targeting container infrastructure. The study showed that vulnerable containers could be exploited in less than an hour, underscoring the importance of real-time threat detection and visibility in cloud-native environments.

To be effective, threat detection must cover the full breadth of workloads in a cloud-native environment, including containers, virtual machines, and serverless functions, and it must be able to detect the tactics used in attacks that target cloud-native environments. Importantly, detection must occur in real time and be minimally disruptive to production.

These key attributes were important factors behind the creation of Tracee, Aqua Security's open source cloud-native runtime security and forensics tool for Linux. Tracee uses eBPF technology to trace systems and applications at runtime and analyzes the collected events to detect suspicious behavior patterns. As a result, teams can protect their containers and ensure that applications remain online and secure. Tracee is rapidly gaining adoption and now has almost 2,000 stars on GitHub and an active community of users and contributors.

A brief introduction to eBPF

eBPF is a relatively new approach to introducing extensibility into the Linux kernel in a safe, efficient, and flexible way. eBPF programs can be loaded into the kernel and triggered by many different types of events, including network, security, and basic lifecycle events in the kernel.

An example of eBPF’s strengths is identifying anomalous application behavior, such as writing files to important system directories. eBPF code can be executed in response to file events to check if they are expected for the specific workload. Because it is your code, it can collect any kind of meaningful data that is otherwise difficult or inefficient to obtain. This opens the door to many sophisticated detection techniques.

Tracee’s Evolution

Tracee began as an internal tool that allowed Aqua's research unit, Team Nautilus, to collect events on running containers. The goal was to develop a powerful tracing tool that was designed from the ground up for security. The first version focused on basic event gathering. The team began adding features incrementally, building Tracee into a holistic security tool, and released it to the community as an open source project in September 2019. This enabled practitioners and researchers to benefit from Tracee's capabilities, while Aqua got useful feedback from the community to improve the tool. New features have been added along the way, such as the ability to capture forensic evidence, an accurate filtering mechanism, and additional integrations.

In February 2021, Aqua released version 0.5.0 of Tracee, which marked the beginning of Tracee’s evolution from a system sniffing CLI tool to a runtime security solution with behavioral analysis capabilities, thanks to the introduction of a rule engine and rule library that detects the different patterns of suspicious behavior that Aqua identifies.

Tracee Today: A Powerful OSS Security Tool

Since its inception in 2019, Tracee has grown from an open source system tracing tool to a robust runtime security solution that includes a CLI tool, a Go library for writing eBPF programs, and a rules engine that processes tracee-ebpf events and detects suspicious activity. Tracee is delivered as a Docker image that is easy to run. A Kubernetes installer makes it easy to use Tracee to protect clusters and consume detections conveniently.

Tracee comes with a basic set of rules (called signatures) out of the box that cover a variety of attacks and evasion techniques. Users can extend Tracee by writing their own signatures. The signatures are written in Rego, which is the language behind the Cloud Native Computing Foundation’s popular Open Policy Agent project. This allows users to reuse their existing skills and tools and create expressive signatures in a mature language.

In addition to the open source signatures, paying customers gain access to a comprehensive database of signatures created and maintained by Aqua's research team, Nautilus, which continually assesses real-world developments in cybersecurity and builds mitigations, in the form of Tracee signatures, on an ongoing basis.

Unlike many other detection engines, Tracee has used eBPF from the start and collects all system calls (around 330), as well as other security-oriented events, right out of the box. While other solutions rely on kernel modules that can affect system stability and leave gaps in system call tracing, Tracee's use of eBPF is safe and effective, and Tracee has well thought out features that prevent evasion by attackers.

For example, by default, Tracee favors tracing LSM (Linux Security Module) events instead of system calls where appropriate. Linux security modules are a set of pluggable hooks that are intended to be used by security tools. For example, instead of tracing the open/openat system calls, Tracee can trace the LSM event security_file_open, which is more accurate, reliable, and safe to use for security purposes.
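As an added illustration (not code from the Tracee project), the following Python signature applies the two ideas the article describes: it keys on the security_file_open LSM event rather than the open/openat syscalls, and it flags write-intent opens under system directories unless the process and path are expected for that workload. The event field names and the sample event lines are constructed assumptions that approximate Tracee's JSON output.

```python
import json

# Constructed sample events approximating Tracee's JSON output (eventName,
# args as name/value pairs, processName, containerId). Field names are assumed.
SAMPLE_EVENTS = """
{"eventName":"security_file_open","processName":"nginx","containerId":"web1","args":[{"name":"pathname","value":"/etc/nginx/nginx.conf"},{"name":"flags","value":"O_RDONLY"}]}
{"eventName":"security_file_open","processName":"sh","containerId":"web1","args":[{"name":"pathname","value":"/etc/passwd"},{"name":"flags","value":"O_WRONLY|O_APPEND"}]}
{"eventName":"security_file_open","processName":"dpkg","containerId":"build1","args":[{"name":"pathname","value":"/usr/bin/make"},{"name":"flags","value":"O_WRONLY|O_CREAT|O_TRUNC"}]}
{"eventName":"security_file_open","processName":"app","containerId":"web1","args":[{"name":"pathname","value":"/tmp/cache.db"},{"name":"flags","value":"O_RDWR|O_CREAT"}]}
{"eventName":"openat","processName":"sh","containerId":"web1","args":[{"name":"pathname","value":"/etc/passwd"},{"name":"flags","value":"O_WRONLY"}]}
"""

# Directories an application container normally has no reason to modify.
SYSTEM_DIRS = ("/etc/", "/bin/", "/sbin/", "/lib/", "/usr/bin/", "/usr/sbin/", "/usr/lib/")
# Open flags that imply the file will be written, created or truncated.
WRITE_FLAGS = {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC", "O_APPEND"}


def get_arg(event, name):
    """Return the value of the named argument from a Tracee-style args list."""
    for arg in event.get("args", []):
        if arg.get("name") == name:
            return arg.get("value")
    return None


def match_system_dir_write(event, allowlist=()):
    """Signature: write-intent open of a file under a system directory.

    Only the LSM hook event is considered; open/openat syscall events for the
    same file are ignored because security_file_open already covers every
    entry path. allowlist holds (processName, path prefix) pairs that are
    expected for this particular workload.
    """
    if event.get("eventName") != "security_file_open":
        return None
    path = get_arg(event, "pathname") or ""
    flags = set((get_arg(event, "flags") or "").split("|"))
    if not path.startswith(SYSTEM_DIRS) or not (flags & WRITE_FLAGS):
        return None
    proc = event.get("processName", "")
    if any(proc == p and path.startswith(prefix) for p, prefix in allowlist):
        return None
    return {"container": event.get("containerId", ""), "process": proc,
            "path": path, "flags": sorted(flags & WRITE_FLAGS)}


def scan(lines, allowlist=()):
    """Run the signature over newline-delimited JSON events; return findings."""
    findings = []
    for line in lines:
        if line.strip():
            hit = match_system_dir_write(json.loads(line), allowlist)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    # The build container is allowed to install binaries; the web container is not.
    for finding in scan(SAMPLE_EVENTS.splitlines(), allowlist=(("dpkg", "/usr/bin/"),)):
        print(finding)
```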

Recent updates to Tracee include portability between kernel versions using the Build Once, Run Everywhere approach, which removes the need to compile the eBPF probe on the target or to provide kernel headers. The standard approach requires a recent Linux kernel with BTF (BPF Type Format) support, but Tracee also supports older kernels using a novel approach that is open source and has partly been carried over into the Linux project itself. This is covered in the open source project btfhub.

Tracee’s role in cloud-native detection and response

Tracee is the foundation of Aqua's Dynamic Threat Analysis (DTA) product, a sandbox scanner that scans running containers. Capable of detecting malicious containers that traditional scanning tools can't find, DTA is a vital part of Aqua's industry-leading cloud-native detection and response (CNDR) solution. CNDR uses a growing body of hundreds of behavioral indicators to identify attacks from the low-level eBPF events that Tracee surfaces. Together, DTA, CNDR and Tracee combine behavioral indicators from a dedicated cloud-native security research team with eBPF events for real-time threat detection at runtime.

Tracee’s Role in Aqua’s OSS Ecosystem

Tracee is part of Aqua's family of open source cloud-native security projects. Aqua sees open source as a way to democratize security and educate engineering, security, and development teams through accessible tools, lowering the barrier to entry to cloud-native security. Aqua's other open source project is Trivy, the world's most popular open source vulnerability scanner. Trivy helps teams "shift left" to incorporate security into the build pipeline. Trivy scans code and artifact repositories for vulnerabilities, infrastructure-as-code misconfigurations and secrets, and generates SBOMs (software bills of materials), among other capabilities.

These projects integrate with Aqua's Cloud Native Application Protection Platform (CNAPP) and many commonly used devops ecosystem tools to help drive faster adoption of cloud-native technologies and processes while maintaining security. Aqua OSS projects are created and maintained by the Aqua Open Source team, which operates separately from commercial engineering to uphold the company's commitment to providing reliable open source solutions, continuing to develop new features, addressing user feedback, and continually contributing to other projects within the open source community.

Itay Shakury is open source director at Aqua Security, where he leads the development of industry-leading, open source, cloud-native security solutions. Itay has nearly 20 years of experience in various development, architecture, and product roles. Itay is also a CNCF Cloud Native Ambassador and leads community initiatives such as technology meetups and conferences.

New Tech Forum provides a venue to explore and discuss emerging business technology in unprecedented depth and breadth. The selection is subjective, based on our choice of technologies that we believe are important and of most interest to InfoWorld readers. InfoWorld accepts no marketing collateral for publication and reserves the right to edit all contributed content. Please send all inquiries to

Copyright © 2022 IDG Communications, Inc.