The Methods to our Madness: How Capsule8’s Detection Methods Work

One of the best weapons in defending against attackers is speed. Detecting an attacker's attempt as soon as it happens, and shutting it down before it takes hold, is the best way to limit the damage. Our detection strategies at Capsule8 are built to look for Indicators of Attack (IOAs) as well as Indicators of Compromise (IOCs), so that our customers can detect and block exploitation while it is in progress instead of playing catch-up after the fact.

So how do we do this?

We look at attack categories, such as those in the MITRE ATT&CK framework, and at entire vulnerability classes, and we detect the low-level behaviors an attacker must exhibit to carry out an exploit or other compromise. That compromise can just as well be an employee making a costly mistake that accidentally jeopardizes security. The point is knowing how an attacker operates, not relying only on signatures for known vulnerabilities or on training data.

The types of events the strategies can monitor range from common system operations (such as network connections and program execution) to big red flags like unauthorized privilege escalation. Broadly speaking, Capsule8’s detection methods can be classified into three approaches:

  1. Policy-Based: Capsule8 detects malicious programs executing, whitelists or blacklists network connections, and performs file type monitoring.
  2. Exploitation Artifacts: Capsule8 detects locally and remotely spawned shells, privilege escalation, memory corruption, stack overflows, container escapes, and other exploitation techniques. Our experience in offensive research means we know exactly what attackers have to do to carry out an attack, and that is precisely what we monitor.
  3. Local and Host Analysis: Capsule8 can inspect kernel payloads, identify privilege escalation, and detect system tampering intended to disable critical security mechanisms.

Additionally, Capsule8's real-time detection methods range from those implemented at the kernel level all the way up to the network level, including:

  1. Kernel-level detection: Capsule8 kernel-level detection methods detect when kernel functions known to be useful for exploitation return directly to userland, that is, when the return address lies in user space rather than kernel space. In addition, probing code ("kernel landmines") is embedded at both the local and host level and is triggered when access restrictions within the kernel are bypassed or disabled by a malicious actor. An example is detecting that SMEP/SMAP has been disabled by an attacker; on x86 that means the corresponding bits in the CR4 control register were cleared, which a landmine can check at a probe point.
  2. Userland Detection: Capsule8 userland detection methods consist of policies on user privileges and on the bounds of a process stack (for example, flagging an inappropriately large stack size).
  3. File System Detection: Capsule8's file system detection methods regulate the creation of new files, set file permissions, and enforce file integrity in real time. This includes detecting unexpected changes to monitored files or directories, and changes made by unexpected programs or users.
  4. Network Detection: Capsule8 offers a comprehensive suite of network detection methods, ranging from policy-based detection for network traffic to workload-specific monitoring of outbound TCP connections.
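To make the categories above concrete, here is an added example (not Capsule8 code, and not its sensor's event format) of a small rule-driven detector run over a constructed stream of host events. It covers a policy-based check (blacklisted program, per-workload outbound TCP allowlist), an exploitation artifact (a shell spawned by a network-facing service, the shape a Shellshock CGI exploit produces), and two kernel-level checks (a probed kernel function returning to a userland address, and a CR4 "landmine" that notices SMEP/SMAP being cleared). The event schema, the allowlists, the process names and the address split are assumptions made for the example.

```python
"""Tiny rule-driven host detector over constructed sensor events.

Added illustration of the detection categories described above; not Capsule8
code. The event schema, allowlists and addresses below are assumptions.
"""
from dataclasses import dataclass

# x86_64 with 4-level paging (48-bit VA): kernel code and data live in the
# upper canonical half, so any return address below this came from userland.
KERNEL_MIN_ADDR = 0xFFFF800000000000
CR4_SMEP = 1 << 20   # Supervisor Mode Execution Prevention
CR4_SMAP = 1 << 21   # Supervisor Mode Access Prevention

# --- Policy (constructed for the example) ---------------------------------
BLOCKED_PROGRAMS = {"nc", "ncat", "socat"}
NETWORK_SERVICES = {"httpd", "nginx", "sshd"}      # parse untrusted input
SHELLS = {"sh", "bash", "dash", "zsh"}
# Per-workload outbound TCP allowlist: comm -> {(dst_ip, dst_port)}
OUTBOUND_ALLOW = {"httpd": {("10.0.0.5", 5432)}}


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def check_exec_policy(ev):
    """Policy-based: execution of a blacklisted program."""
    if ev["comm"] in BLOCKED_PROGRAMS:
        return Alert("policy.blocked_program",
                     f"{ev['comm']} (pid {ev['pid']}) spawned by {ev['parent_comm']}")
    return None


def check_shell_from_service(ev):
    """Exploitation artifact: a shell whose parent is a network-facing service,
    which is what a Shellshock-style CGI exploit looks like (httpd -> bash)."""
    if ev["comm"] in SHELLS and ev["parent_comm"] in NETWORK_SERVICES:
        return Alert("artifact.shell_from_service",
                     f"{ev['parent_comm']} spawned {ev['comm']} (pid {ev['pid']})")
    return None


def check_outbound(ev):
    """Network: outbound TCP connect not in the workload's allowlist."""
    allowed = OUTBOUND_ALLOW.get(ev["comm"], set())
    if (ev["dst_ip"], ev["dst_port"]) not in allowed:
        return Alert("policy.outbound_denied",
                     f"{ev['comm']} -> {ev['dst_ip']}:{ev['dst_port']}")
    return None


def check_ret2usr(ev):
    """Kernel-level: a probed kernel function returning into userland memory."""
    if ev["ret_addr"] < KERNEL_MIN_ADDR:
        return Alert("kernel.ret2usr",
                     f"{ev['function']} returned to {ev['ret_addr']:#x}")
    return None


def check_cr4_landmine(ev):
    """Kernel-level landmine: CR4 sampled at a probe point must still have
    SMEP and SMAP set; an exploit that cleared them trips the check."""
    missing = [name for bit, name in ((CR4_SMEP, "SMEP"), (CR4_SMAP, "SMAP"))
               if not ev["cr4"] & bit]
    if missing:
        return Alert("kernel.smep_smap_disabled",
                     f"cr4={ev['cr4']:#x} missing {','.join(missing)}")
    return None


RULES = {
    "exec": [check_exec_policy, check_shell_from_service],
    "connect": [check_outbound],
    "kret": [check_ret2usr],
    "cr4": [check_cr4_landmine],
}


def detect(events):
    """Run every rule registered for each event's type; return fired alerts."""
    alerts = []
    for ev in events:
        for rule in RULES.get(ev["type"], ()):
            alert = rule(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed event stream: a CGI exploit dropping to a shell, a reverse-shell
# attempt, and a kernel exploit that cleared SMEP/SMAP and returned to userland.
SAMPLE_EVENTS = [
    {"type": "exec", "pid": 4242, "comm": "bash", "parent_comm": "httpd"},
    {"type": "exec", "pid": 4243, "comm": "nc", "parent_comm": "bash"},
    {"type": "connect", "comm": "httpd", "dst_ip": "10.0.0.5", "dst_port": 5432},
    {"type": "connect", "comm": "httpd", "dst_ip": "203.0.113.7", "dst_port": 4444},
    {"type": "kret", "function": "commit_creds", "ret_addr": 0xFFFFFFFF810A1234},
    {"type": "kret", "function": "commit_creds", "ret_addr": 0x0000000000401F20},
    {"type": "cr4", "cr4": 0x3706F0},   # SMEP and SMAP set (bits 20, 21)
    {"type": "cr4", "cr4": 0x0706F0},   # both cleared by the exploit
    {"type": "exec", "pid": 4244, "comm": "ls", "parent_comm": "bash"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
```

The rules are deliberately stateless and keyed on event type, which is how a sensor keeps per-event cost low; the only real-world additions a practitioner would need are a parent-process lineage lookup (so `parent_comm` is resolved rather than supplied by the event) and a per-workload allowlist source instead of the inline dictionary.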

If you'd like to see these approaches in action, with Capsule8's detection methods identifying and responding to a Shellshock exploit, download our Capsule8 Technical Primer, "Demonstration of Detection Capabilities in Capsule8 Protect."