This section gives an overview of the detection features that Capsule8 updates regularly. The specific Detection Analytics and Smart Policy detections are described in the release notes that accompany each content release.
Detection Analytics
Capsule8’s Detection Analytics are designed to provide diverse, overlapping layers of system security monitoring that cover the many facets of an attack. The philosophy is not to write a detection for each specific vulnerability or exploit, but to cover whole attack categories and vulnerability classes by detecting the low-level behaviors an exploit or other security violation must perform. The detections are therefore geared toward low-level system monitoring: a lightweight mechanism for observing behavioral events that indicate malicious activity within an organization’s environment.
Capsule8 breaks Detection Analytics into the following classes. These detections are tuned to minimize both false positives and performance impact (CPU and network utilization). Most are enabled by default. Capsule8 also provides detections that are disabled by default; these can be enabled for more aggressive detection at the cost of higher performance impact or more false positives.
Detection classes
Application Exploitation: exploitation of vulnerabilities in Linux applications, including memory corruption, unusual application behavior, and container escapes
System Exploitation: exploitation of vulnerabilities in the underlying Linux system, such as privilege escalation, tampering of security mechanisms (e.g. SELinux), use of common kernel exploitation methods, and container escapes
Persistence: retention of access across host restarts, including kernel backdoors or userland backdoors
Smart Policy
Smart Policy detections are based on unwanted system behavior rather than on active exploitation techniques (the domain of Detection Analytics). These behaviors generate an alert only when observed in a process that a Detection Analytics detection has already flagged as malicious, since in isolation the behavior would usually not qualify as malicious activity.
For example, if a malicious interactive shell is detected through Detection Analytics, an alert is generated. If a chmod event then occurs within that interactive shell, Smart Policy associates the chmod event with the interactive-shell incident, making it worthy of an alert. Without an association with a malicious process, the chmod event would not have created an alert. (Note: the Audit Trail feature included in the Enterprise tier would still record the chmod event, even without the association.)
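The correlation described above, as an added example that is not Capsule8's code: a small process-lineage tracker in Python that raises a Smart Policy alert only when the behavior comes from a process (or a descendant of one) that a Detection Analytics check has already flagged, and that records every Smart Policy event to an audit trail when the Enterprise flag is set. The event format, the shell-spawned-by-a-web-server heuristic standing in for Detection Analytics, the chmod-to-class mapping and the sample telemetry are all constructed for this example. It also covers a failure mode the text does not spell out: pid reuse after the flagged shell exits, which must not drag an unrelated process into the incident.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed event format for this example; not Capsule8's telemetry schema.
@dataclass
class Event:
    seq: int            # ordering of the event on the host
    pid: int
    ppid: int
    kind: str           # "exec", "exit", or a behavior such as "chmod"
    detail: str = ""    # image path for exec, arguments for behaviors

@dataclass
class Outcome:
    alerts: List[str] = field(default_factory=list)   # escalated to alerts
    audit: List[str] = field(default_factory=list)    # Enterprise audit trail only

# Stand-in for a Detection Analytics check (constructed heuristic): a shell whose
# parent process is a web server is treated as a malicious interactive shell.
def detection_analytics(ev: Event, procs: Dict[int, str]) -> Optional[str]:
    if ev.kind != "exec" or ev.detail not in ("/bin/sh", "/bin/bash"):
        return None
    parent = procs.get(ev.ppid, "")
    if parent.endswith("httpd"):
        return f"interactive shell {ev.detail} (pid {ev.pid}) spawned by {parent}"
    return None

# Smart Policy behaviors and the class they are reported under (constructed mapping).
SMART_POLICY = {"chmod": "File Activity"}

def correlate(events: List[Event], enterprise: bool = False) -> Outcome:
    """Replay host events in order and decide what alerts and what is only audited."""
    procs: Dict[int, str] = {}      # live pid -> image path
    incident: Set[int] = set()      # pids belonging to a flagged process tree
    out = Outcome()
    for ev in sorted(events, key=lambda e: e.seq):
        if ev.kind == "exec":
            procs[ev.pid] = ev.detail
            # A child of a flagged process is part of the same incident.
            if ev.ppid in incident:
                incident.add(ev.pid)
            finding = detection_analytics(ev, procs)
            if finding:
                incident.add(ev.pid)
                out.alerts.append(f"[Detection Analytics] {finding}")
        elif ev.kind == "exit":
            # Drop the pid so a later, unrelated process that reuses it is not
            # mistaken for the malicious one. Children already recorded stay in.
            procs.pop(ev.pid, None)
            incident.discard(ev.pid)
        elif ev.kind in SMART_POLICY:
            line = f"[Smart Policy/{SMART_POLICY[ev.kind]}] {ev.kind} {ev.detail} by pid {ev.pid}"
            if ev.pid in incident:
                out.alerts.append(line)       # associated with a malicious process
            if enterprise:
                out.audit.append(line)        # Audit Trail records it regardless
    return out

def sample_events() -> List[Event]:
    # Constructed sample telemetry: a web server compromised into a shell, a
    # legitimate admin shell, and a pid reused after the malicious shell exits.
    return [
        Event(1, 100, 1, "exec", "/usr/sbin/httpd"),
        Event(2, 200, 100, "exec", "/bin/sh"),                  # flagged by Detection Analytics
        Event(3, 200, 100, "chmod", "+x /tmp/.payload"),        # alert: inside the incident
        Event(4, 201, 200, "exec", "/bin/bash"),                # child inherits the incident
        Event(5, 201, 200, "chmod", "+x /tmp/.dropper"),        # alert: descendant of the shell
        Event(6, 300, 1, "exec", "/bin/bash"),                  # legitimate admin shell
        Event(7, 300, 1, "chmod", "600 /etc/ssh/sshd_config"),  # no alert; audit only
        Event(8, 200, 100, "exit"),
        Event(9, 200, 1, "exec", "/bin/bash"),                  # pid 200 reused by a clean process
        Event(10, 200, 1, "chmod", "644 /var/log/app.log"),     # no alert: lineage reset on exit
    ]

def run(enterprise: bool = False) -> Outcome:
    return correlate(sample_events(), enterprise=enterprise)

if __name__ == "__main__":
    for tier, flag in (("standard", False), ("enterprise", True)):
        result = run(flag)
        print(f"== {tier}: {len(result.alerts)} alerts, {len(result.audit)} audit records")
        for a in result.alerts:
            print("  ALERT", a)
        for a in result.audit:
            print("  AUDIT", a)
```

Both tiers produce the same three alerts (the shell detection and the two chmod events inside its process tree); the admin shell's chmod and the chmod from the reused pid never alert, but the Enterprise run records all four chmod events in the audit trail.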
Smart Policy detections are divided into four different groups that indicate the type of behavior being monitored. These are presented below, along with general categories of detected behavior.
Detection Classes
File Activity: includes changes to system binaries, configuration changes, file deletion, and unusual files created
Network Activity: includes lateral movement, network service behavior, and network sniffing
Process Activity: includes abnormal process execution, compiler usage, debugging, scheduled task changes
User Activity: includes privileged command usage, risky developer activity, and user account changes
Audit Trail
Capsule8 Enterprise enables more detailed logging and tracing of system activity through Audit Trail detections. These detections include Smart Policy detections, but also monitor additional system behavior that would never be escalated to a full alert. Audit Trail detections use the same detection classes as Smart Policy: File Activity, Network Activity, Process Activity and User Activity.
Updates to Detection Content
Capsule8 Detection Analytics and Smart Policy content is designed to be updated regularly with new content from Capsule8 while retaining any adjustments you have made for your environment. Updates preserve “constrained” customizations, such as changing an alert’s priority or adding items to allowlists for your environment.
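The layering this describes, as an added Python example that is not Capsule8's code and does not use Capsule8's content format: vendor rules are delivered whole, local overrides may touch only the priority and allowlist fields, allowlist additions are merged on top of the vendor defaults, and an override for a rule that a new release no longer ships is reported as stale instead of vanishing silently. The rule schema, the set of overridable fields, the two sample releases and the local overrides are all assumptions constructed for the example.

```python
from copy import deepcopy
from typing import Any, Dict, List, Set, Tuple

# Constructed rule format for this example; not Capsule8's content format.
Rule = Dict[str, Any]

# The only fields a local override may change. Detection logic and class are
# owned by the vendor content (assumption for this example).
OVERRIDABLE: Set[str] = {"priority", "allowlist"}

def apply_overrides(vendor_rules: List[Rule],
                    overrides: Dict[str, Dict[str, Any]]) -> Tuple[List[Rule], List[str]]:
    """Layer local overrides onto freshly delivered vendor content.

    Returns the merged rules and the ids of overrides that match no shipped rule,
    so stale customizations are surfaced rather than lost on upgrade.
    """
    merged: List[Rule] = []
    applied: Set[str] = set()
    for vendor_rule in vendor_rules:
        rule = deepcopy(vendor_rule)            # never mutate the delivered content
        ov = overrides.get(rule["id"])
        if ov is not None:
            unexpected = set(ov) - OVERRIDABLE
            if unexpected:
                raise ValueError(f"{rule['id']}: fields are not customizable: {sorted(unexpected)}")
            if "priority" in ov:
                rule["priority"] = ov["priority"]
            # Allowlist entries are additive: vendor defaults stay, local paths are added.
            rule["allowlist"] = sorted(set(rule.get("allowlist", [])) | set(ov.get("allowlist", [])))
            applied.add(rule["id"])
        merged.append(rule)
    stale = sorted(set(overrides) - applied)
    return merged, stale

# Constructed sample content: two successive releases from the vendor.
CONTENT_V1: List[Rule] = [
    {"id": "interactive-shell", "class": "Application Exploitation", "priority": "high", "allowlist": []},
    {"id": "compiler-usage", "class": "Process Activity", "priority": "low", "allowlist": ["/usr/bin/gcc"]},
    {"id": "legacy-cron-edit", "class": "Process Activity", "priority": "medium", "allowlist": []},
]
CONTENT_V2: List[Rule] = [
    {"id": "interactive-shell", "class": "Application Exploitation", "priority": "high", "allowlist": []},
    {"id": "compiler-usage", "class": "Process Activity", "priority": "low", "allowlist": ["/usr/bin/gcc", "/usr/bin/cc"]},
    {"id": "kernel-module-load", "class": "System Exploitation", "priority": "high", "allowlist": []},  # new in V2
]

# Constructed local customizations that should survive the V1 -> V2 upgrade.
LOCAL_OVERRIDES: Dict[str, Dict[str, Any]] = {
    "compiler-usage": {"priority": "medium", "allowlist": ["/opt/ci/toolchain/gcc"]},
    "legacy-cron-edit": {"priority": "low"},   # rule retired in V2; override becomes stale
}

def upgrade_example() -> Tuple[List[Rule], List[str]]:
    """Apply the same local overrides to V1 and then to V2; return the V2 result."""
    _v1_rules, stale_v1 = apply_overrides(CONTENT_V1, LOCAL_OVERRIDES)
    assert stale_v1 == []                       # every override matched a V1 rule
    return apply_overrides(CONTENT_V2, LOCAL_OVERRIDES)

if __name__ == "__main__":
    rules, stale = upgrade_example()
    for r in rules:
        print(f"{r['id']:<20} priority={r['priority']:<7} allowlist={r['allowlist']}")
    print("stale overrides:", stale)
```

After the upgrade the compiler-usage rule keeps the local medium priority and carries both the new vendor entry and the local toolchain path in its allowlist, the new kernel-module-load rule arrives untouched, and the override for the retired rule is listed as stale. An override that tries to change a non-customizable field is rejected outright.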