Home
A honeycluster consists of the following components:
- lightening (a utility to unleash controlled attack suites)
- lightening-rod (an app for calibrating the patterns and working with the observed signals)
- honey-stack (internals such as log forwarding, eBPF instrumentation, network and app telemetry collection, baseline/anomaly)
Working with honeyclusters comes in stages
At this stage, you'll likely be working in a controlled environment (like kind) and using the in-memory DB (Redis) while you get everything configured correctly. The calibration stack is supposed to help automate, or at least provide some UX for, debugging your initial setup:
- Choose some attacks you want to test (e.g. one of the two default kubehound-inspired sets; even if they ultimately won't work, they serve as a good starting point).
Where are the attacks?
-> 1a) Platform engineering/debugging: /traces/kubehound-verify/attacks plus the corresponding /traces/kubehound-verify/calibrationtraces
What you find here is mostly to learn whether tetragon is the right tool to detect an attack and how you would implement such an attack.
-> 1b) Stand-in for a red-team tool: /attacks/calibration iterates through standard scenarios and checks if they can be executed. This will become the standard 'lightening'.

While you iterate until the tetragon tracing policies fire and the STIX patterns match, the STIX visualizer (which I extended) displays the matches directly from Redis. First, you load (a subset of all) logs into raw-logs; this is a staging layer for working with your detected raw data. Then you select those that are not baseline into active-logs. Any analysis runs the current patterns over the active_logs. Currently, you can choose to visualize a single detection (single bundle) by using the tetra_bundle table, where the first integer in the bundle name reflects the pattern it matched:

Or, you can ask to find ALL (deduplicated) matches for any single pattern in your entire active dataset. This allows you to write complex patterns (combining many IoCs into an attack tree) and find evidence of matches all across the tree.

There is a Makefile specifically for testing this:
make --makefile=Makefile_calibrate_kubehound calibrate
And whenever you want to reset everything:
make --makefile=Makefile_calibrate_kubehound wipe
While developing and debugging, you'll need a lot of very specific actions on the data sets you've produced:
- remove keys from the baseline
- start with a bunch of logs removed from the tetragon logs to bulk-create a new baseline
- add individual keys to the baseline
- remove/add sets of keys for processing
The UI allows only bulk moves, i.e. it assumes your tetragon/tracee policies are already working (somewhat, at least). So, when you are working on an individual policy, I prefer to directly manipulate the elements in Redis.
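The following is an added example, not code from the honeycluster repository, modelling the raw-logs / baseline / active-logs staging described in the visualizer section above together with the per-key baseline edits listed just above. It assumes (this is not stated on the page) that the three data sets are plain Redis Sets named `raw-logs`, `baseline` and `active-logs`, that each member is a short hash identifying an event, and that bundle names start with the pattern number; the event lines and bundle name are constructed and use a simplified, flat Tetragon-like layout rather than the real schema. `MemorySetStore` is an in-memory stand-in that exposes the same Set method names as a redis-py `redis.Redis()` client, so the helper functions can be pointed at a live instance unchanged.

```python
"""Added example (not part of the honeycluster wiki or its code): model of the
raw-logs -> baseline -> active-logs staging and of direct per-key baseline edits.
Key names, event layout and bundle-name format are assumptions, not from the page."""
import hashlib
import json
import re

RAW_KEY, BASELINE_KEY, ACTIVE_KEY = "raw-logs", "baseline", "active-logs"  # assumed names


class MemorySetStore:
    """Stand-in for redis.Redis with just the Set commands the helpers use
    (sadd, srem, smembers, sdiff, delete). redis-py exposes the same names."""
    def __init__(self):
        self._sets = {}

    def sadd(self, key, *members):
        s = self._sets.setdefault(key, set())
        before = len(s)
        s.update(members)
        return len(s) - before          # like Redis: number of NEW members

    def srem(self, key, *members):
        s = self._sets.get(key, set())
        removed = sum(1 for m in members if m in s)
        s.difference_update(members)
        return removed

    def smembers(self, key):
        return set(self._sets.get(key, set()))

    def sdiff(self, *keys):
        first, *rest = (self._sets.get(k, set()) for k in keys)
        return first.difference(*rest)

    def delete(self, *keys):
        return sum(1 for k in keys if self._sets.pop(k, None) is not None)


def event_key(event: dict) -> str:
    """Stable identity for an event: hash of the behaviour-defining fields
    (policy, binary, arguments), deliberately NOT the timestamp, so the same
    behaviour observed twice collapses onto one key and dedups for free."""
    ident = {k: event.get(k) for k in ("policy_name", "binary", "arguments")}
    return hashlib.sha256(json.dumps(ident, sort_keys=True).encode()).hexdigest()[:16]


def _keys_from_lines(lines):
    return [event_key(json.loads(line)) for line in lines]


def load_raw_logs(store, lines) -> int:
    """Stage a (subset of) tetragon JSON lines into raw-logs; returns new keys added."""
    return store.sadd(RAW_KEY, *_keys_from_lines(lines))


def bulk_create_baseline(store, benign_lines) -> int:
    """Bulk-create the baseline from a capture taken while nothing was attacked."""
    return store.sadd(BASELINE_KEY, *_keys_from_lines(benign_lines))


def baseline_add(store, key: str) -> int:
    return store.sadd(BASELINE_KEY, key)


def baseline_remove(store, key: str) -> int:
    return store.srem(BASELINE_KEY, key)


def select_active(store) -> set:
    """active-logs := raw-logs minus baseline. The key is rebuilt from scratch so
    a baseline edit is reflected immediately; the guard matters because redis-py
    raises on SADD with zero members, unlike the in-memory stand-in."""
    active = store.sdiff(RAW_KEY, BASELINE_KEY)
    store.delete(ACTIVE_KEY)
    if active:
        store.sadd(ACTIVE_KEY, *active)
    return set(active)


def pattern_id(bundle_name: str):
    """Leading integer of a bundle name, e.g. '3-...' -> 3 (format assumed)."""
    m = re.match(r"\D*(\d+)", bundle_name)
    return int(m.group(1)) if m else None


def wipe(store) -> int:
    """Reset everything, the direct-Redis equivalent of the 'wipe' make target."""
    return store.delete(RAW_KEY, BASELINE_KEY, ACTIVE_KEY)


def _ev(binary, arguments, ts):
    return json.dumps({"policy_name": "process-exec", "binary": binary,
                       "arguments": arguments, "time": ts})


# Constructed, simplified Tetragon-style events (not real captures).
RAW_SAMPLE = [
    _ev("/usr/bin/kubelet", "--config /var/lib/kubelet/config.yaml", "t1"),
    _ev("/bin/sh", "-c /healthz.sh", "t2"),
    _ev("/usr/bin/kubelet", "--config /var/lib/kubelet/config.yaml", "t3"),  # repeat
    _ev("/tmp/debug-helper", "--serve", "t4"),                                # not in baseline
]
BASELINE_SAMPLE = RAW_SAMPLE[:2]

if __name__ == "__main__":
    db = MemorySetStore()
    load_raw_logs(db, RAW_SAMPLE)
    bulk_create_baseline(db, BASELINE_SAMPLE)
    print("active after baseline:", select_active(db))
```

Hashing on behaviour rather than on the whole line is the design choice worth copying: it is what makes "remove/add sets of keys" meaningful, because one key then stands for one observed behaviour regardless of how many times tetragon emitted it.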