This section will give you an overview of the Detection features that Capsule8 regularly updates. The specific Detection Analytics and Smart Policy detections will be described and updated in release notes with each content release.
Capsule8’s Detection Analytics are designed to provide diverse, overlapping layers of system security monitoring to cover the many facets of an attack. Our philosophy is not that we should create detection methods for specific security vulnerabilities or exploits, but instead to cover attack categories and entire vulnerability classes by detecting the low-level behaviors required to carry out an exploit or other security violation. Therefore, our detections are geared towards low-level system monitoring, providing a lightweight mechanism for the observation and detection of behavioral events which are indicators of malicious behavior within an organization’s environment.
Capsule8 breaks up Detection Analytics into the following classes. These detections are set to minimize both false positives and performance impact (CPU and network utilization). Most of these detections are enabled by default. Capsule8 provides additional detections that are disabled by default – these can be enabled to provide more aggressive detection at the risk of performance or false positives.
Application Exploitation: exploitation of vulnerabilities in Linux applications, including memory corruption, unusual application behavior, and container escapes
System Exploitation: exploitation of vulnerabilities in the underlying Linux system, such as privilege escalation, tampering of security mechanisms (e.g. SELinux), use of common kernel exploitation methods, and container escapes
Persistence: retention of access across host restarts, including kernel backdoors or userland backdoors
Smart Policy detections are based on unwanted system behavior, rather than active exploitation techniques (like in Detection Analytics). These behaviors only generate alerts when observed in a process already deemed malicious by a Detection Analytics detection, since in isolation the behavior likely would not qualify as a malicious activity.
For example, if a malicious interactive shell is detected through Detection Analytics, an alert will be generated. If a
chmod event occurs within that interactive shell, that
chmod event would be associated with the interactive shell incident via Smart Policy, thus making it worthy of an alert. Without an association with a malicious process, the
chmod event would not have created an alert. (Note: the Audit Trail feature including in the Enterprise tier would still record the
chmod event, even without the association).
Smart Policy detections are divided into four different groups that indicate the type of behavior being monitored. These are presented below, along with general categories of detected behavior.
File Activity: includes changes to system binaries, configuration changes, file deletion, and unusual files created
Network Activity: includes lateral movement, network service behavior, and network sniffing
Process Activity: includes abnormal process execution, compiler usage, debugging, scheduled task changes
User Activity: includes privileged command usage, risky developer activity, and user account changes
Capsule8 Complete enables more detailed logging and tracing of system activity through Audit Trail detections. These detections include Smart Policy detections, but also monitor additional system behavior that would never be escalated to a full alert. Audit Trail detections use the same detection classes as Smart Policy: File Activity, Network Activity, Process Activity and User Activity.