Anomaly detection with Google BigQuery ML and Capsule8
Unsupervised Anomaly Detection Using BigQueryML and Capsule8
January 16, 2020
In a sea of data that contains a tiny speck of evidence of maliciousness somewhere, where do we start? What is the most optimal way to swim through the inconsequential information to get to that small cluster of anomalous spikes? Big data in information security is a complicated problem due to the sheer volume of […]
What is the Linux Auditing System (aka AuditD)?
January 7, 2020
The Linux Auditing System is a native feature of the Linux kernel that collects certain types of system activity to facilitate incident investigation. In this post, we will cover what it is as well as how people deploy and manage it. We will also discuss its strengths — namely it being offered for the delicious […]
Applying the Linux MITRE ATT&CK Framework with Capsule8
December 18, 2019
The MITRE ATT&CK™ framework is becoming increasingly adopted as a way to validate detection coverage. If you aren’t yet familiar with it, ATT&CK is an open-source knowledge base of tactics and techniques used by attackers. ATT&CK buckets tactics across the kill chain, from initial access to exfiltration or impact, then lists techniques that facilitate those […]
Our 2020 Security Predictions Clickbait Will Leave You SHOOK!
December 12, 2019
Prediction lists in the security industry are mostly self-indulgent fan fiction, so we decided to create an anti-meme in response. Rather than spin tall tales about drones using lasers to fire USBs into your servers to exploit side channel vulnerabilities, here are some things that we think will actually happen in 2020 within the magical […]
OOMyPod: Nothin’ To CRI-O-bout
December 4, 2019
Gather around the fire for a story about the unlikely partnership of bugs that led to a partial container escape. While this is a fairly technical post covering some container and Kubernetes components, we included links throughout if you want to learn about them or need a refresher while reading. TL;DR Three issues in […]
Don’t Get Kicked Out! A Tale of Rootkits and Other Backdoors
November 14, 2019
Introduction When it comes to rootkits and other backdoors, everything is on the table. There exists a vulnerability that can be exploited in a system binary to gain root access? There’s a rootkit for that. You allow kernel modules? A plethora of nefarious goodies can be part of your system! Your new chip is made […]
The Curious Case of a Kibana Compromise
October 31, 2019
The sun rose, coffee was guzzled, and fingers clicked away at keys, making it a typical day at Capsule8 HQ – until it wasn’t. As the Capsule8 team deployed one of our toy target instances (one with exploitable software on it for demo purposes), we noticed alerts firing from components which weren’t part of our […]
An Infosec Lens on the 2019 State of DevOps Report: What It Means for Us
October 28, 2019
Understanding DevOps trends is essential for infosec professionals. Before you angrily close the tab because you are tired of lectures about the need for infosec to work with DevOps, consider whether the idea of a job focused on strategic, innovative work rather than firefighting and gatekeeping is appealing. If so, then these trends matter for […]
CVE-2019-16928
HELO, Is It Me You’re Exploiting For?
October 1, 2019
Another month, another pre-auth RCE in Exim, an open source mail server for Unix systems. This time, it’s CVE-2019-16928, a heap-based buffer overflow reported this weekend. Why it matters: If you heard about the other Exim bug from mid-September, you probably did the smart thing and patched to the latest version (4.92+). Regrettably, this new […]
Major Key Alert: Data Discovery for Red Teams with an ML Tool for Keylogging
September 18, 2019
With the glut of security vendors who promise to secure to the moon and back on the star-glazed spaceship of Machine Learning (ML) technology, where is the equivalent for red teams? Imagine a scene: an earnest red teamer hunched at their desk, hand under chin, eyes hazy with fatigue as their finger presses the down […]
How Capsule8 Approaches Linux Monitoring
September 18, 2019
We at Capsule8 have put a lot of thought into our product by thinking about what would make us most mad as hackers if we encountered it while attacking an organization. One difference between Capsule8 and other Linux detection solutions is that our detection happens locally. It’s far less expensive for everyone to do computations […]
Here’s How Capsule8 Protect Helps You Achieve HIPAA Compliance for Your Linux Production Environment
September 17, 2019
By the end of December 2018, the HHS Office for Civil Rights received notifications that a staggering 13 million healthcare records had been exposed. Even with strict HIPAA regulations in place to prevent inappropriate access, we still read about attacks on sensitive information almost every day, making it even more critical that healthcare providers have […]
Exim Remote Code Execution, CVE-2019-15846
(Back) Slasher: RCE Horrors in Exim
September 10, 2019
Last week, a buffer overflow vuln, deemed CVE-2019-15846, was announced in Exim that allowed remote code execution (RCE) via a trailing backslash, perhaps like a blade-wielding ghost stalking you after being summoned to murder you (it’s never too early for Spooktober vibes). Exim is an open source mail transfer agent shipped with most Linux distros, […]
Capsule8 Investigations
Introducing Capsule8 Investigations
August 2, 2019
This week we announced Investigations, new functionality that enables cloud users to maintain a dedicated database just for security data without the cost or burden of having to set up an actual database. In a nutshell, Capsule8 Protect’s Sensors can ship investigations event data as Apache Parquet to Amazon S3 Buckets or Google Cloud Storage. […]
Off to the PTraces
July 17, 2019
Yesterday, a privilege escalation bug in the ptrace syscall was made public by Jann Horn at Project Zero, deemed CVE-2019-13272. The culprit was broken permission and object lifetime handling by the PTRACE_TRACEME request, which basically let Linux processes ask an attacker to “trace me like one of your French girls.” Why it’s cool: This vuln […]
How Security Teams Can Learn to Stop Worrying and Love the OODA Loop
June 25, 2019
A well-loved military operational strategy is the OODA loop, a learning cycle that helps the operator gain an advantage against their opponent by responding with greater agility to unfolding events. While initially outlined by Colonel John Boyd with the fighter pilot user persona in mind, it is not only applicable to cyberwarfare but also remarkably […]
Customer Interview: Looker
June 13, 2019
With over 1700 industry-leading and innovative companies such as Sony, Amazon, IBM, Spotify, Etsy and Lyft trusting Looker’s data platform, Looker takes security seriously. The Looker Security Operations team, managed by Richard Reinders, is constantly working to ensure they have the best security possible to protect their customers’ production workloads. We sat down with Richard […]
Escaping like a Rocket via rkt enter
June 4, 2019
Last week, a researcher disclosed three vulnerabilities in rkt, CVE-2019-10144, CVE-2019-10145, and CVE-2019-10147, that let an attacker escape the container. Rkt is an open source container runtime created by CoreOS in 2014. Why it’s cool: This vuln trio allows attackers to gain root on the host machine from a rkt pod. rkt up to version […]
Race Conditions – Cloudy with a Chance of R/W Access
May 28, 2019
Docker Race Condition: CVE-2018-15664 Today, Aleksa Sarai published a Docker vulnerability, CVE-2018-15664, on the oss-sec mailing list. It turns out that a function inside Docker facilitates a TOCTOU bug (more on that below) which could let someone malicious inside a container gain arbitrary read/write file access on the host with root privileges (not […]
A Buffer Buffet for Data Sampling
May 15, 2019
CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 Yesterday, three data sampling side channel vulnerabilities were disclosed in Intel CPUs by a whole bunch of smart researchers. Intel is calling them “microarchitectural data sampling” (MDS) bugs, but they’re colloquially known as ZombieLoad (CVE-2019-11091 & CVE-2018-12130), RIDL aka “Rogue In-flight Data Load” (CVE-2018-12130), and Fallout (CVE-2018-12126) — plus there was […]
Linux Security Fun With Webhooks
May 15, 2019
At Capsule8, we want to let you work the way you prefer working rather than forcing new workflows on you. To realize this philosophy, we designed Capsule8 to be super flexible and let users consume alert data in familiar ways — such as through the use of webhooks. Since REST APIs are the lifeblood of […]