Linux Security Fun With Webhooks

At Capsule8, we want to let you work the way you prefer working rather than forcing new workflows on you. To realize this philosophy, we designed Capsule8 to be super flexible and let users consume alert data in familiar ways — such as through the use of webhooks. Since REST APIs are the lifeblood of the web, webhooks let Capsule8 play nicely with anyone leveraging them.

While webhooks are nothing new, we wanted to talk about some of the most valuable use cases for SecOps teams, ranging from simpler workflow integration to crafty deception strategies. Webhooks let you keep using the apps you like using in your workflows, offer immediate alerting into third-party apps, and also can reduce the amount of manual effort required in responding to incidents.

In this post, we’ll talk about four webhook use cases with Capsule8 — alerting your team through Slack / PagerDuty, creating tickets with JIRA, automating responses via AWS Lambda, and performing bait and switch moves against attackers.

Alert your team through Slack / PagerDuty

One of the most straightforward use cases for webhooks is pushing alerts to Slack or PagerDuty. We would be remiss not to mention that this isn’t a great idea if your alerting systems generate a bunch of content, but our approach minimizes false positives to avoid Slack channels becoming spam channels. We allow you to add custom text to alerts, too, not just rely on the objects already present in our alerts:

The same functionality can be applied to PagerDuty to page people on-call to inform them that they need to investigate an event, with whatever details from Capsule8 your team prefers being part of the alert. If you only care about the strategy name and process information as in the example above, that’s totally fine! You can filter what’s contained in the alerts for exactly what you data want.

Create tickets with JIRA

Manually creating JIRA tickets is a buzzkill. Wouldn’t it be better to automatically create tickets for alerts or when policy violations occur? And, wouldn’t it be great not to have a wall of JSON filling up the new ticket? Capsule8’s sensor plus a webhook help you do this. Your webhook template can include whatever relevant info from the alert you desire in your JIRA ticket, such as investigation steps that are required for particular alert types.

For those wanting FIM functionality (since FIM is the underpinning of nearly every compliance standard, after all), you could create a ticket every time someone opens a specific file that isn’t a specified user. While there are other Ops tools that do this, you could also create tickets related to performance issues, like if the CPU goes above 90% overhead, because Capsule8 has access to performance counters.

Automate responses via AWS Lambda

If you aren’t familiar, AWS Lambda is a compute service that can automatically run code you upload using AWS’s infrastructure (it’s that “serverless” buzzword about which you’ve heard). Because AWS Lambda’s functionality itself is so broad, there are a ton of useful activities you can automate using Capsule8 alerts + a webhook connection to AWS Lambda functions — though you can build whatever sort of functions you want with it.

A few of the use cases with Lambda we think are coolest include:

  • Scaling down requests to your apps within EC2 instances upon alert of a container escape
  • Spinning up a new production database server based on its most recent snapshot upon violation of file policy
  • Automatically snapshotting an infected instance for forensic examination later
  • Triggering deeper monitoring functions upon alert of privilege escalation
  • Expiring API security keys upon alert of access

While Capsule8 can clean up an infected process on the host, if we see a fancy kernel exploit and we can’t kill it just through the process, we can trigger Lambda to nuke the VM and rebuild it in real-time. Thus, even if there’s some super sophisticated kernel exploit that locks us out, we’ll alert out to Lambda, who can handle the containment with ease.

A webhook for Azure Automation runbooks or Google Cloud Functions can be used for similar functionality to the above.

Bait & switch attackers

Once you’ve tackled all the workflow optimization above, perhaps you’re itching to unleash your creativity. If so, we’ll gladly offer you a rabbit hole to explore — the art of the bait and switch. By using a webhook, Capsule8 can let you turn a production instance into a honeypot on the fly.

For instance, let’s say Capsule8 detects that SMEP/SMAP was disabled. You could customize the alert with a webhook that kicks off a trigger which:

  1. Takes the VM in question out of service
  2. Migrates it out of production
  3. Makes sure network connections are established
  4. Turns on more intensive monitoring
  5. Automatically redeploys another instance to production to replace the infected VM (so all prod requests are still handled)

You could get even fancier, however, because once you create this hall of mirrors, you can do whatever you want to it. Intelligence on how attackers respond to certain scenarios can be valuable in refining your assumptions about attacker behavior (particularly if you employ decision trees in your strategic decision-making process).

So, within this hall of mirrors, you could begin randomly deleting files the attacker is using to see how they react and what tactics they’re forced to try next. Or, if you are feeling a bit like a cat wanting to toy with their prey, you can slow down networking to satellite-link speeds to not just frustrate the attacker, but see how they change their methods in response.

Of course, it takes more time to set up these kinds of triggers, but messing with attacker behavior can be both fun and illuminating. A webhook isn’t the only way to do this, but we think combining our alerts with a webhook can present one of the easiest ways to do so.

Conclusion

Capsule8’s webhook ability means you can use alerts to fuel nearly every kind of functionality you want — from simpler workflow optimization to leet strategies for screwing with the attacker’s own workflow. If you have creative ideas for what kind of webhook templates you’d use to power your security or ops program, drop us a line at [email protected] or @Capsule8 on Twitter — we’d love to collabor8!