falcosecurity / rules

Falco rule repository
https://falcosecurity.github.io/rules/
Apache License 2.0

[TRACKING] Enhancing Falco rules to mirror robust cloud-native behavior and the diverse sophistication levels of real-world attackers (Falco 0.36) #138

Closed incertum closed 9 months ago

incertum commented 10 months ago

Motivation

The industry primarily focuses on detecting exploits in vulnerable applications. I propose a slight shift in perspective to also include more upstream rules that address the issue of "identity". This involves creating detections that target more normal activities but performed using unauthorized identities or accesses, often as a result of stolen credentials.

For instance, the rule "Terminal shell in container" serves as a crucial detection for cloud-native behavior, identifying interactive access via the Kubernetes control plane, even potentially with compromised credentials — no traditional RCE required. More such detections are essential.

Additionally, it's important to consider a detection strategy that not only covers various attack TTPs resulting from application exploitation but also accounts for different levels of attacker sophistication or approaches. Even highly sophisticated attackers may occasionally overlook the need for constant stealthiness and trigger these tripwires.

Take the existing detection "Drop and execute new binary in container" for example. It serves as another excellent example of a powerful, generic behavior-based detection. The rule triggers whenever a new binary is executed within a container, irrespective of the attacker's level of sophistication. This approach forces attackers to rely solely on available resources and "living off the land".

In summary, let's continue to enhance the upstream rules, whether by improving existing ones or adding new ones, while maintaining a focus on cloud-native aspects. Additionally, let's incorporate further unsophisticated yet common attack patterns.

Purposely keeping the initial comment more high-level for now, and I will later suggest specific new rules, link them to this issue, and continue editing it.

CC @darryk10 @loresuso @LucaGuerra @leogr
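The two detections discussed in the comment above, written out in Falco rule syntax as an added example. This is not a file from the falcosecurity/rules repository and not the author's own rule text; it is an illustration of the same ideas. The macro and list names prefixed `example_` are assumptions defined inline so the file loads on its own; the event and process fields used (`evt.type`, `evt.dir`, `container.id`, `proc.name`, `proc.tty`, `proc.is_exe_upper_layer`, `container.image.repository`, `user.name`, `user.loginuid`, `proc.exepath`, `proc.pname`, `proc.cmdline`, `container.name`) are standard Falco fields, with `proc.is_exe_upper_layer` available from Falco 0.35 onward.

```yaml
# Added example (not a rule file from falcosecurity/rules): two
# behavior-based detections illustrating the "identity" angle above.
# Names prefixed example_ are assumptions and are defined inline.

# Process creation, observed on the exit side of execve/execveat.
- macro: example_spawned_process
  condition: (evt.type in (execve, execveat) and evt.dir=<)

# Any process that is not running on the host itself.
- macro: example_container
  condition: (container.id != host)

- list: example_shell_binaries
  items: [bash, sh, ash, dash, zsh, ksh, csh, tcsh, fish]

# Images expected to host interactive shells (assumption: empty by default,
# populate per environment to suppress known-good workloads).
- list: example_allowed_interactive_images
  items: []

# Images known to legitimately write and run new binaries (assumption).
- list: example_allowed_drop_and_execute_images
  items: []

# Identity-flavoured variant of "Terminal shell in container": the activity
# itself (a shell with a TTY) is ordinary; what matters is who obtained it,
# e.g. via kubectl exec with stolen credentials, with no RCE involved.
- rule: Example Terminal Shell in Container
  desc: >
    An interactive shell with an attached TTY was spawned inside a container
    whose image is not listed in example_allowed_interactive_images.
  condition: >
    example_spawned_process and example_container
    and proc.name in (example_shell_binaries)
    and proc.tty != 0
    and not container.image.repository in (example_allowed_interactive_images)
  output: >
    Interactive shell in container
    (user=%user.name loginuid=%user.loginuid shell=%proc.name parent=%proc.pname
    cmdline=%proc.cmdline container=%container.name image=%container.image.repository)
  priority: NOTICE
  tags: [container, shell, mitre_execution, T1059]

# Generic "drop and execute": a binary run from the container's writable
# upper layer was not shipped in the image, so it was written at runtime.
# Attacker sophistication is irrelevant; bringing any new binary trips it,
# which forces the intruder to live off the land instead.
- rule: Example Drop and Execute New Binary in Container
  desc: >
    A process was executed from the container's upper (writable) layer,
    meaning the executable was not part of the base image.
  condition: >
    example_spawned_process and example_container
    and proc.is_exe_upper_layer=true
    and not container.image.repository in (example_allowed_drop_and_execute_images)
  output: >
    Executing binary not part of base image
    (user=%user.name exe=%proc.exepath cmdline=%proc.cmdline parent=%proc.pname
    container=%container.name image=%container.image.repository)
  priority: CRITICAL
  tags: [container, mitre_execution, T1204]
```

The file can be syntax-checked without loading it into a running engine with `falco --validate example_rules.yaml` (the filename is an assumption). Both rules deliberately key on behavior rather than on a specific exploit: the first fires on the interactive session regardless of how the credentials were obtained, and the second fires on the act of executing anything that was not in the image, so neither depends on knowing the attacker's tooling in advance.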

incertum commented 9 months ago

Closing this as considered complete for the Falco 0.36 development cycle. We will open a new issue for the following release to continue the modernization efforts.