Runtime Protection

CloudGuard Runtime Protection for Kubernetes aims to analyze running Kubernetes workloads and detect malicious, unwanted, or abnormal behavior.

The protection is based on near-real-time monitoring of the kernel system calls performed by workload containers and is implemented as a combination of two engines:

  • Signatures - compare the observed behavior of a workload with known signatures that potentially indicate malicious behavior (e.g., execution of processes associated with crypto-mining software).

  • Profiling - detect anomalies in behavior compared to a 'baseline' profile created during a dedicated profiling phase (e.g., execution of a sub-process not observed during regular workload operation, which may indicate an RCE attack).

Detection of unwanted, malicious, or anomalous behavior results in security events reported in the CloudGuard portal.
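To make the two-engine model concrete, here is an added toy implementation (not CloudGuard code; the exec events, signature patterns, workload and container names, and the learning-period clock are all constructed for illustration). It replays exec events for one workload through a signature check and a baseline profile, and shows that the signature engine fires during learning while the profile engine only reports anomalies once the profile is finalized, including the case where the learning period is shortened below the time already elapsed.

```python
"""Toy model of the two Runtime Protection engines described above.

Added illustration, not CloudGuard code: events, signature patterns and the
learning-period logic are constructed for this example only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ExecEvent:
    t: int            # seconds since the workload started (constructed clock)
    workload: str     # Kubernetes deployment name
    container: str    # container within the pod
    process: str      # basename of the executable passed to execve()


# Signature engine: process names associated with known-bad tooling.
# Illustrative patterns only; the real signature set is not on the page.
SIGNATURES = {
    "crypto-miner": re.compile(r"^(xmrig|minerd|cpuminer)$"),
    "eicar-test": re.compile(r"^eicar\.cptest$"),
}


def signature_hits(ev: ExecEvent) -> list[str]:
    """Names of signatures matching this exec event, independent of any profile."""
    return [name for name, pat in SIGNATURES.items() if pat.search(ev.process)]


class ProfileEngine:
    """Learns a per-workload baseline of (container, process) pairs during the
    learning period, then reports any pair outside the baseline as an anomaly."""

    def __init__(self, learning_seconds: int):
        self.learning_seconds = learning_seconds
        self.baseline: dict[str, set[tuple[str, str]]] = {}
        self.finalized: set[str] = set()
        self.last_seen: dict[str, int] = {}

    def set_learning_period(self, seconds: int) -> None:
        """Mirror the portal timer: shortening it below the elapsed time finalizes now."""
        self.learning_seconds = seconds
        for wl, elapsed in self.last_seen.items():
            if elapsed >= seconds:
                self.finalized.add(wl)

    def observe(self, ev: ExecEvent) -> list[str]:
        """Feed one exec event; returns the security events it produces."""
        self.last_seen[ev.workload] = ev.t
        alerts = [f"signature:{s}" for s in signature_hits(ev)]
        if ev.t >= self.learning_seconds:
            self.finalized.add(ev.workload)
        base = self.baseline.setdefault(ev.workload, set())
        key = (ev.container, ev.process)
        if ev.workload in self.finalized:
            if key not in base:
                alerts.append(f"anomaly:{ev.process} not in baseline of {ev.container}")
        elif not alerts:
            # Toy design choice: a process flagged by a signature is never learned as normal.
            base.add(key)
        return alerts


def run_demo() -> dict[str, list[str]]:
    """Replay constructed events against a 300 s learning period; return alerts per step."""
    engine = ProfileEngine(learning_seconds=300)
    normal = [ExecEvent(t, "shop-cpx-sushi", "cpx-sushi", p)
              for t, p in [(1, "nginx"), (2, "php-fpm"), (120, "sh"), (200, "php-fpm")]]
    out: dict[str, list[str]] = {}
    out["learning"] = [a for ev in normal for a in engine.observe(ev)]
    # A miner during learning: the signature engine fires although no baseline exists yet.
    out["miner"] = engine.observe(ExecEvent(250, "shop-cpx-sushi", "cpx-sushi", "xmrig"))
    # Finalize early, as when the portal timer is reduced below the elapsed time.
    engine.set_learning_period(240)
    # kubectl exec ... curl: curl never ran during learning, so it is an anomaly.
    out["curl"] = engine.observe(ExecEvent(260, "shop-cpx-sushi", "cpx-sushi", "curl"))
    # kubectl exec ... /bin/sh -c eicar.cptest: sh is in the baseline, the child is not.
    out["sh"] = engine.observe(ExecEvent(261, "shop-cpx-sushi", "cpx-sushi", "sh"))
    out["eicar"] = engine.observe(ExecEvent(261, "shop-cpx-sushi", "cpx-sushi", "eicar.cptest"))
    return out


if __name__ == "__main__":
    for step, alerts in run_demo().items():
        print(f"{step:9s} -> {alerts or 'no event'}")
```

The two engines are independent: a signature match is reported whether or not a profile exists, while the profile engine stays silent until finalization and then flags anything outside the learned set. This is why Step 12 below can raise an alert before the learning period ends.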

Architecture

Instructions


1

Connect to the Kubernetes Server VM with an SSH client using one of the following options:

  • Click on the Kubernetes Server VM on the Environment Viewer page.

  • Connect from the PuTTY client on the Windows-Console VM using these values:

    IP Address: 10.160.131.158
    Username: root
    Password: Cpwins1!

2

In the SSH window, execute the following command to shorten the Runtime Protection daemon's baseline report interval from 5 minutes to 30 seconds, so that profile updates reach the portal faster during this lab:

kubectl -n checkpoint set env ds asset-mgmt-runtime-daemon RP4C_BASELINE_REPORT_INTERVAL="30"

3

Check the status of the agent using the following command:

kubectl get pods -n checkpoint -l app.kubernetes.io/name=asset-mgmt-runtime-daemon

Kubernetes rolls out new daemon pods with the updated environment variable; this may take a few seconds, so repeat the command until all pods report Running.

4


To set up the website, execute the following commands:

helm repo add cheap-websites https://raw.githubusercontent.com/chkp-ivanmar/cpx-2021-demo/main/repository/
helm install shop cheap-websites/cpx-sushi --set service.type=NodePort --namespace sushi-shop --create-namespace
kubectl get svc -n sushi-shop

The output should list the shop-cpx-sushi service with type NodePort.

5

Run the following commands to receive the link for the shop-cpx-sushi website:

sudo apt install jq -y
export NODEPORT=$(kubectl get svc -n sushi-shop -o json | jq -r '.items[0].spec.ports[0].nodePort')
export NODEIP=$(kubectl get nodes -o json | jq -r '.items[0].status.addresses[0].address')
echo "open in browser http://$NODEIP:$NODEPORT/"
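The commands in Steps 2 to 5 can be wrapped in a script that waits for the DaemonSet rollout and derives the shop URL more robustly than picking the first array element. The following Python helpers are an added example, not Check Point tooling; they assume the same cluster, namespaces and DaemonSet name as the steps above, a NodePort service named shop-cpx-sushi (the Helm release name followed by the chart name), and kubectl on the PATH. The pure functions are exercised here with constructed kubectl JSON; main() runs them against the live cluster.

```python
"""Helpers for Steps 2-5: wait for the runtime DaemonSet rollout and build the shop URL.

Added example, not Check Point tooling. Assumes the checkpoint and sushi-shop
namespaces, the asset-mgmt-runtime-daemon DaemonSet and a NodePort service
named shop-cpx-sushi, as in the steps above.
"""
import json
import subprocess
import time


def kubectl_json(*args: str) -> dict:
    """Run `kubectl <args> -o json` and parse the result (needs cluster access)."""
    proc = subprocess.run(["kubectl", *args, "-o", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def daemonset_ready(ds: dict) -> bool:
    """True once every scheduled daemon pod runs the updated template and is Ready.

    Step 3 checks this by eye; comparing the .status counters lets a script wait."""
    s = ds.get("status", {})
    desired = s.get("desiredNumberScheduled", 0)
    return (desired > 0
            and s.get("updatedNumberScheduled", 0) == desired
            and s.get("numberReady", 0) == desired)


def node_port_url(nodes: dict, services: dict, service_name: str) -> str:
    """Build http://<InternalIP>:<nodePort>/ for the named NodePort service.

    Unlike '.items[0]...addresses[0]' in Step 5, this selects the service by name
    and the address by type, so a Hostname entry listed first or a second service
    in the namespace cannot produce a wrong URL."""
    svc = next((s for s in services["items"]
                if s["metadata"]["name"] == service_name), None)
    if svc is None or svc["spec"].get("type") != "NodePort":
        raise ValueError(f"{service_name} is not a NodePort service in this namespace")
    port = next((p["nodePort"] for p in svc["spec"]["ports"] if "nodePort" in p), None)
    if port is None:
        raise ValueError(f"{service_name} has no nodePort assigned")
    for node in nodes["items"]:
        for addr in node["status"]["addresses"]:
            if addr["type"] == "InternalIP":
                return f"http://{addr['address']}:{port}/"
    raise ValueError("no node reports an InternalIP address")


def main() -> None:
    """Wait for the Step 2 change to roll out, then print the Step 5 URL."""
    while not daemonset_ready(
            kubectl_json("get", "ds", "asset-mgmt-runtime-daemon", "-n", "checkpoint")):
        time.sleep(5)
    url = node_port_url(kubectl_json("get", "nodes"),
                        kubectl_json("get", "svc", "-n", "sushi-shop"),
                        "shop-cpx-sushi")
    print(f"open in browser {url}")


if __name__ == "__main__":
    main()
```

On a multi-node cluster any node's InternalIP works for a NodePort service, but it must be reachable from the Windows-Console VM; on this lab the single node's address is the one shown in Step 1.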

6

From the Windows-Console VM, open the Chrome browser and navigate to the address received in Step 5.

7

From the CloudGuard Portal:

Navigate to the Protected Assets section in the Assets tab and filter for your Kubernetes environment by adding an Environment filter and choosing your environment name.

8

Add filter for Asset Type: Kubernetes Deployment and Search for the shop-cpx-sushi Kubernetes deployment.

Note - It may take up to 5 minutes for the Deployment to appear.

It is possible to speed up the process by restarting the inventory agent:

kubectl delete pods -n checkpoint -l app.kubernetes.io/name=asset-mgmt-inventory-agent

9

Click on the shop-cpx-sushi Kubernetes deployment object and you will be redirected to it under the protected assets tab.

10

Navigate to the Runtime protection section and check that the relevant processes have been added to the profile and the protection is enabled:

11

Open the profile settings, and change the timer from 1 day to 5 minutes and press SAVE:

If you change the profile time to a smaller value than the time that has already passed, it will immediately finalize the current profile.

Important - Finalizing the profile can take up to 5 minutes; at the end you will see that all processes have runtime protection.

12

Let's trigger a signature alert. Execute the following commands on the Kubernetes Server:

export P=$(kubectl get pods -n sushi-shop -o=jsonpath='{.items[0].metadata.name}');
kubectl exec -n sushi-shop $P -- curl www.facebook.com

Or, if curl is not available in the container:

kubectl exec -n sushi-shop $P -- /bin/sh -c eicar.cptest

The command itself fails, but the execution attempt is enough to trigger an alert event, even though the profile learning period has not been completed.

13

Navigate to the 'Threats & Security Events' tab to view the alert (it can take several minutes for the event to appear).

If you are unsure whether all of the workload's normal processes were observed during learning, restart the Pod so that its startup processes run again and are recorded. The following command deletes the Pod; the Deployment recreates it:

kubectl delete pods -l app.kubernetes.io/instance=shop -n sushi-shop

14

Refresh the website and click on a few links to show additional details.