All Blogs

Goal Oriented in Soccer and for Customers: Capsulator Austin Britt
Austin Britt, director of sales engineering, has been with Capsule8 since 2018. In his time as a member of the team, he’s seen the company grow from no revenue and no customers to the thriving, but still scrappy, operation that is redefining Linux protection for the enterprise. Those early days bring a smile to Austin’s […]
Tending Bonsai and Analyzing Tons of Data: Capsulator Harini Kannan
Harini Kannan is a data scientist at Capsule8. She joined us in May of 2017 as a data science intern after graduating from the University of Texas, Arlington, and has been working with us full-time since December 2017. In the nearly three years she’s been a Capsulator, Harini has been an important part of the […]
No More Tiers: Reimagining the Structure of SecOps
Why not both? I’m not sure who thought that arbitrary hierarchical silos among a team of individual contributors was good for team morale and load-balancing, but here we are. During a recent guest appearance on the Purple Squad Security podcast, I described my last role working on a security operations team that handled incident response […]
RAMming Down Hype via Intel CSME
Recently, security researchers found new vectors of exploiting a vulnerability in Intel CSME, CVE-2019-0090, affecting all Intel chips other than Generation 10 (Ice Lake). The researchers haven’t released exploitation details yet, but proclaimed that “utter chaos will reign”… but not by exploiting this vulnerability! Instead, there’s a potential for chaos if attackers figure out how […]
What is Container Security?
Container Security – Nobody Knows What It Means But It’s Provocative. The current understanding of “container security” as a term and market is muddled, especially given containers are used by different teams in different contexts. It could mean scanning image repositories for vulnerabilities or exposed secrets, managing credentials for container deployment, or monitoring running containers […]
EDR for Linux: Detection and Response in Linux Environments
The 3 pillars every solution needs to protect critical Linux production environments. Despite the steady ascent of Linux to the top of the production stack, security has often been an afterthought. That’s right—the OS that runs 54% of public cloud applications and 68% of servers has been getting short shrift when it comes to security. […]
A Cloudy Forecast for ICS: Recap of S4x20
Photo credit: @montaelkins – Kelly Shortridge Keynote at S4x20. Last week, I keynoted S4x20, the biggest industrial control systems (ICS) security conference in the world, and was able to catch quite a few talks, too. While it took place in sunny Miami Beach, my highlights from the conference suggest a far cloudier outlook. Specifically, there […]
Takeaways from Art into Science
What do you get when you take a security conference and pare back its typical formula of swag-laden vendor tables, high-concept lighting that promises to be “an experience”, bougie parties with LED-lit stemware and a surplus of decibels — not to mention all of the offsec-focused talks? You find a group of dedicated defenders who, […]
Unsupervised Anomaly Detection Using BigQueryML and Capsule8
In a sea of data that contains a tiny speck of evidence of maliciousness somewhere, where do we start? What is the most optimal way to swim through the inconsequential information to get to that small cluster of anomalous spikes? Big data in information security is a complicated problem due to the sheer volume of […]
What is the Linux Auditing System (aka AuditD)?
The Linux Auditing System is a native feature to the Linux kernel that collects certain types of system activity to facilitate incident investigation. In this post, we will cover what it is as well as how people deploy and manage it. We will also discuss its strengths — namely it being offered for the delicious […]
Applying the Linux MITRE ATT&CK Framework with Capsule8
The MITRE ATT&CK™ framework is becoming increasingly adopted as a way to validate detection coverage. If you aren’t yet familiar with it, ATT&CK is an open-source knowledge base of tactics and techniques used by attackers. ATT&CK buckets tactics across the kill chain, from initial access to exfiltration or impact, then lists techniques that facilitate those […]
Our 2020 Security Predictions Clickbait Will Leave You SHOOK!
Prediction lists in the security industry are mostly self-indulgent fan fiction, so we decided to create an anti-meme in response. Rather than spin tall tales about drones using lasers to fire USBs into your servers to exploit side channel vulnerabilities, here are some things that we think will actually happen in 2020 within the magical […]
OOMyPod: Nothin’ To CRI-O-bout
Gather around the fire for a story about the unlikely partnership of bugs that led to a partial container escape. While this is a fairly technical post covering some container and Kubernetes components, we included links throughout if you want to learn about them or need a refresher while reading. TL;DR: Three issues in […]
Don’t Get Kicked Out! A Tale of Rootkits and Other Backdoors
Introduction: When it comes to rootkits and other backdoors, everything is on the table. There exists a vulnerability that can be exploited in a system binary to gain root access? There’s a rootkit for that. You allow kernel modules? A plethora of nefarious goodies can be part of your system! Your new chip is made […]
The Curious Case of a Kibana Compromise
The sun rose, coffee was guzzled, and fingers clicked away at keys, making it a typical day at Capsule8 HQ – until it wasn’t. As the Capsule8 team deployed one of our toy target instances (one with exploitable software on it for demo purposes), we noticed alerts firing from components which weren’t part of our […]
An Infosec Lens on the 2019 State of DevOps Report: What It Means for Us
Understanding DevOps trends is essential for infosec professionals. Before you angrily close the tab because you are tired of lectures about the need for infosec to work with DevOps, consider whether the idea of a job focused on strategic, innovative work rather than firefighting and gatekeeping is appealing. If so, then these trends matter for […]
HELO, Is It Me You’re Exploiting For?
Another month, another pre-auth RCE in Exim, an open source mail server for Unix systems. This time, it’s CVE-2019-16928, a heap-based buffer overflow reported this weekend. Why it matters: If you heard about the other Exim bug from mid-September, you probably did the smart thing and patched to the latest version (4.92+). Regrettably, this new […]
Major Key Alert: Data Discovery for Red Teams with an ML Tool for Keylogging
With the glut of security vendors who promise to secure to the moon and back on the star-glazed spaceship of Machine Learning (ML) technology, where is the equivalent for red teams? Imagine a scene: an earnest red teamer hunched at their desk, hand under chin, eyes hazy with fatigue as their finger presses the down […]
How Capsule8 Approaches Linux Monitoring
We at Capsule8 have put a lot of thought into our product by thinking about what would make us most mad as hackers if we encountered it while attacking an organization. One difference between Capsule8 and other Linux detection solutions is that our detection happens locally. It’s far less expensive for everyone to do computations […]
Here’s How Capsule8 Protect Helps You Achieve HIPAA Compliance for Your Linux Production Environment
By the end of December 2018, the HHS Office for Civil Rights received notifications that a staggering 13 million healthcare records had been exposed. Even with strict HIPAA regulations in place to prevent inappropriate access, we still read about attacks on sensitive information almost every day, making it even more critical that healthcare providers have […]
(Back) Slasher: RCE Horrors in Exim
Last week, a buffer overflow vuln, deemed CVE-2019-15846, was announced in Exim that allowed remote code execution (RCE) via a trailing backslash, perhaps like a blade-wielding ghost stalking you after being summoned to murder you (it’s never too early for Spooktober vibes). Exim is an open source mail transfer agent shipped with most Linux distros, […]