Security & Observability Projects

Kubernetes runtime security, threat detection, incident response, and policy enforcement for cloud-native environments.

01

Runtime Threat Detection with Falco

Real-time threat detection for Kubernetes using Falco with the eBPF driver for kernel-level syscall monitoring. Implements custom detection rules mapped to the MITRE ATT&CK framework and alerts on suspicious container activity within 5 seconds of the event.

The system monitors syscalls, Kubernetes audit logs, and runtime behaviors to detect malicious activities such as shell spawning in containers, unauthorized network connections, cryptomining processes, and privilege escalation attempts. Integrated with Falcosidekick for multi-channel alerting via Slack webhooks.

Deployed on Kubernetes with Helm charts, using the eBPF driver for low overhead. Features 10+ custom detection rules covering container administration commands (T1609), resource hijacking (T1496), and container and resource discovery (T1613) from the MITRE ATT&CK Containers matrix.

Key Features

  • Falco deployment with eBPF driver for low-overhead syscall monitoring without kernel modules
  • 10+ custom detection rules mapped to MITRE ATT&CK framework (T1609, T1496, T1613)
  • Real-time detection of spawned shells, suspicious network connections, and cryptomining processes
  • Kubernetes audit log integration for complete API server visibility
  • Falcosidekick integration for alert routing to Slack with severity-based filtering
  • Detection latency under 5 seconds from event occurrence to alert notification
  • Priority-based alert classification (CRITICAL/WARNING/INFO) for incident triage
  • JSON-formatted alert output with container metadata and pod context
  • Helm chart deployment for reproducible installations across clusters
Falco, eBPF, Kubernetes, Helm, Falcosidekick, Slack API, Slack Webhooks, Bash Scripting, YAML, MITRE ATT&CK, MITRE D3FEND, Kyverno, NIST 800-61
Live Demo: Falco Alert Detection
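
The rules, severity gate and pre-deploy check described above, as an added example that is not the project's own rules file. The macros it relies on (spawned_process, container, shell_procs, open_read) are from Falco's default ruleset; the miner process names, the rule names and the lint function are this example's own assumptions, and the Slack webhook is read from an environment variable so it never ends up in a values file under version control.

```shell
#!/usr/bin/env sh
# Added example: custom Falco rules with ATT&CK tags, a lint that rejects rules
# lacking a priority or a technique tag, and Helm values for eBPF + Falcosidekick.
set -eu

write_falco_rules() {   # $1 = output path for the custom rules file
  cat > "$1" <<'EOF'
- rule: Cryptominer Binary Launched in Container
  desc: Process name or command line matches common miners or a stratum pool URL (heuristic list)
  condition: >
    spawned_process and container and
    (proc.name in (xmrig, minerd, cpuminer, ethminer) or
     proc.cmdline contains "stratum+tcp://" or
     proc.cmdline contains "stratum+ssl://")
  output: >
    Cryptominer launched (user=%user.name cmd=%proc.cmdline container=%container.name
    image=%container.image.repository ns=%k8s.ns.name pod=%k8s.pod.name)
  priority: CRITICAL
  tags: [container, mitre_impact, T1496]

- rule: Shell Spawned by Non-Shell Parent in Container
  desc: Interactive shell started inside a container by a parent that is not itself a shell
  condition: >
    spawned_process and container and shell_procs and
    not proc.pname in (bash, sh, dash, zsh)
  output: >
    Shell spawned in container (user=%user.name shell=%proc.name parent=%proc.pname
    cmd=%proc.cmdline ns=%k8s.ns.name pod=%k8s.pod.name image=%container.image.repository)
  priority: WARNING
  tags: [container, shell, mitre_execution, T1609]

- rule: Service Account Token Read in Container
  desc: A container process reads the mounted service account token, a usual first step of in-cluster discovery
  condition: >
    open_read and container and
    fd.name startswith /var/run/secrets/kubernetes.io/serviceaccount
  output: >
    Service account token read (user=%user.name proc=%proc.name cmd=%proc.cmdline
    file=%fd.name ns=%k8s.ns.name pod=%k8s.pod.name)
  priority: INFORMATIONAL
  tags: [container, k8s, mitre_discovery, T1613]
EOF
}

lint_rules() {   # $1 = rules file; exits non-zero if any rule lacks a priority or a Txxxx tag
  awk '
    function flush() {
      if (name != "") {
        if (!has_prio) { printf "FAIL %s: missing priority\n", name; bad++ }
        if (!has_tech) { printf "FAIL %s: missing ATT&CK technique tag (Txxxx)\n", name; bad++ }
      }
      name = ""; has_prio = 0; has_tech = 0
    }
    /^- rule:/     { flush(); sub(/^- rule:[ \t]*/, ""); name = $0 }
    /^  priority:/ { has_prio = 1 }
    /^  tags:/ && /T[0-9][0-9][0-9][0-9]/ { has_tech = 1 }
    END { flush(); if (bad) exit 1; print "OK: every rule carries a priority and a technique tag" }
  ' "$1"
}

write_helm_values() {   # $1 = output path; values for the falcosecurity/falco chart
  cat > "$1" <<EOF
driver:
  kind: modern_ebpf            # eBPF probe, no out-of-tree kernel module to build
falco:
  json_output: true            # one JSON object per alert, with container and k8s fields
  json_include_output_property: true
falcosidekick:
  enabled: true
  config:
    slack:
      webhookurl: "${SLACK_WEBHOOK_URL:-}"
      minimumpriority: "warning"   # severity gate: WARNING and above go to Slack, INFORMATIONAL stays in logs
EOF
}

# Usage: SLACK_WEBHOOK_URL=https://hooks.slack.com/... ./falco-rules.sh render
if [ "$#" -ge 1 ] && [ "$1" = "render" ]; then
  write_falco_rules custom-rules.yaml
  lint_rules custom-rules.yaml
  write_helm_values values.yaml
fi
```

After `render`, the two files install together with `helm upgrade --install falco falcosecurity/falco -n falco --create-namespace -f values.yaml --set-file 'customRules.custom-rules\.yaml=custom-rules.yaml'`; the lint runs first so a rule without a priority or technique tag never reaches the cluster.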
02

Automated Forensics & Quarantine Scripts

Bash automation framework for rapid incident response in Kubernetes environments. Implements forensic data collection and automated pod quarantine workflows, reducing mean time to contain (MTTC) from 30 minutes to 2 minutes through scripted analysis and network isolation.

The forensic-analyze-pod.sh script aggregates logs, running processes, network connections, filesystem changes, and Kubernetes events into an incident report. The quarantine-pod.sh script applies a deny-all NetworkPolicy to the affected pod for immediate containment while leaving the pod running so its state remains available for investigation. NetworkPolicy is only enforced when the cluster's CNI plugin supports it; on a CNI without policy support the object is accepted by the API server but has no effect, so the quarantine should be verified, not assumed.

Integrates security tooling: kubesec for pod spec security audits, Trivy for vulnerability detection, ksniff (kubectl sniff) for in-pod packet capture, and termshark for analysing the resulting captures. Generates MITRE ATT&CK-mapped incident reports with technique identification and remediation recommendations.

Key Features

  • forensic-analyze-pod.sh for comprehensive pod state capture and evidence collection
  • quarantine-pod.sh for instant network isolation using Kubernetes NetworkPolicies
  • Integration with kubesec for static YAML security analysis and risk scoring
  • Trivy vulnerability scanning with severity-based reporting and CVE enumeration
  • ksniff (kubectl sniff) packet capture, running tcpdump in the target pod and handing the pcap to termshark for analysis
  • Automated incident report generation with timestamps, pod metadata, and evidence artifacts
  • MITRE ATT&CK technique mapping for tactical threat classification
  • Companion CLI tooling (stern for multi-pod log tailing, k9s for interactive triage)
  • Mean Time to Contain (MTTC) reduction from 30 minutes to 2 minutes
Incident Response, ITIL, Bash Scripting, Kubernetes, kubesec, Trivy, termshark, k9s, kubectl, Kyverno, stern
Live Demo: Forensic Analysis & Quarantine
03

Policy Enforcement with Kyverno

Admission controller implementation using Kyverno for proactive security policy enforcement in Kubernetes. Implements the Pod Security Standards (PSS) "restricted" profile to block insecure pod specifications before they reach the cluster, achieving 100% compliance with security baselines across production workloads.

The system validates and mutates pod specifications to enforce security best practices including non-root execution, capability dropping, read-only root filesystems, and mandatory resource limits. Kyverno policies automatically inject security contexts and reject non-compliant configurations at admission time.

Deployed through Kyverno's admission webhooks, with ClusterPolicy (cluster-wide) and Policy (namespaced) custom resources. Features validation rules for blocking root containers, mutation policies for auto-hardening workloads, and an audit mode for testing policies before enforcement. Integrated with kubectl and k9s for policy management and compliance reporting.

Key Features

  • Pod Security Standards (PSS) "restricted" profile implementation for the strictest baseline
  • Validation policies blocking root execution (runAsNonRoot: true enforcement)
  • Mutation policies auto-injecting security contexts with dropped capabilities
  • Mandatory resource limits (CPU/memory) validation to prevent resource exhaustion
  • Read-only root filesystem enforcement for immutable container deployments
  • Privileged container blocking with explicit deny policies
  • HostPath volume restriction for preventing node filesystem access
  • Audit mode (validationFailureAction: Audit) for testing policies against live workloads without blocking admission
  • 100% production workload compliance with hardened security posture
  • PolicyReport CRDs for compliance monitoring and violation tracking
Kyverno, Kubernetes, Pod Security Standards, Admission Control, Policy as Code, YAML, kubectl, Security Context
Live Demo: Kyverno Policy Enforcement
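
The validate/mutate/audit-then-enforce pattern described above, as an added example rather than the project's own policies. The policy name `pod-hardening-baseline`, the rule names and the rollout helper are this example's assumptions; the rule bodies follow the pattern syntax Kyverno uses in its published PSS policies, where `=(field)` means "if present, it must match" and `X(field)` means "must be absent".

```shell
#!/usr/bin/env sh
# Added example: one Kyverno ClusterPolicy rendered in Audit or Enforce mode, plus the
# PolicyReport query used to decide when it is safe to flip from Audit to Enforce.
set -eu

KUBECTL="${KUBECTL:-kubectl}"
POLICY_NAME="pod-hardening-baseline"   # assumed policy name

render_policy() {   # $1 = Audit | Enforce
  action="$1"
  case "$action" in
    Audit|Enforce) ;;
    *) echo "validationFailureAction must be Audit or Enforce, got '$action'" >&2; return 2 ;;
  esac
  cat <<EOF
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: ${POLICY_NAME}
spec:
  validationFailureAction: ${action}
  background: true                  # also scan existing pods and record results in PolicyReports
  rules:
  - name: disallow-privileged
    match:
      any:
      - resources:
          kinds: [Pod]
    validate:
      message: "Privileged containers are not allowed."
      pattern:
        spec:
          containers:
          - =(securityContext):
              =(privileged): "false"
  - name: disallow-hostpath
    match:
      any:
      - resources:
          kinds: [Pod]
    validate:
      message: "hostPath volumes are not allowed."
      pattern:
        spec:
          =(volumes):
          - X(hostPath): "null"
  - name: require-run-as-nonroot
    match:
      any:
      - resources:
          kinds: [Pod]
    validate:
      message: "runAsNonRoot: true must be set at pod level (and not overridden) or on every container."
      anyPattern:
      - spec:
          securityContext:
            runAsNonRoot: "true"
          containers:
          - =(securityContext):
              =(runAsNonRoot): "true"
      - spec:
          containers:
          - securityContext:
              runAsNonRoot: "true"
  - name: drop-all-capabilities
    match:
      any:
      - resources:
          kinds: [Pod]
    mutate:
      foreach:
      - list: "request.object.spec.containers"
        patchStrategicMerge:
          spec:
            containers:
            - (name): "{{ element.name }}"
              securityContext:
                capabilities:
                  drop:
                  - ALL
EOF
}

apply_policy() { render_policy "$1" | "$KUBECTL" apply -f - ; }

# Count "fail" results attributed to this policy across all PolicyReports.
count_failures() {
  "$KUBECTL" get policyreport -A \
    -o jsonpath="{range .items[*].results[?(@.policy==\"${POLICY_NAME}\")]}{.result}{'\n'}{end}" \
    | grep -c '^fail$' || true
}

# Usage: ./policy.sh audit   (stage 1)   then   ./policy.sh enforce   (stage 2, once count_failures is 0)
if [ "$#" -ge 1 ]; then
  case "$1" in
    audit)   apply_policy Audit ;;
    enforce) [ "$(count_failures)" = "0" ] && apply_policy Enforce || echo "refusing: outstanding violations" >&2 ;;
    report)  count_failures ;;
  esac
fi
```

Run in Audit first and leave the background scan long enough to populate PolicyReports; `report` then shows how many existing workloads would be rejected, and `enforce` only flips the action when that count is zero, so the switch to blocking never takes down something already running.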
04

Cryptominer Investigation Case Study

Complete incident response workflow for cryptominer detection and remediation following the NIST SP 800-61 incident handling lifecycle. Demonstrates end-to-end security operations from detection through post-incident analysis, achieving a Mean Time to Detect (MTTD) of 5 seconds, a Mean Time to Contain (MTTC) of 2 minutes, and full recovery within 10 minutes.

The investigation used Falco for initial detection via the "Terminal shell in container" and "High CPU usage" alerts, followed by analysis with kubectl top for resource metrics (95% CPU utilization) and kubectl describe for pod events, Trivy scanning that revealed 47 CVEs in the compromised image, and a packet capture reviewed in termshark that confirmed connectivity to a mining pool on suspicious ports.

Containment was achieved by applying a deny-all NetworkPolicy through the automated quarantine script within 2 minutes. Eradication consisted of deleting the pod and redeploying from a verified clean image. The post-mortem documented the MITRE ATT&CK techniques involved (T1609 Container Administration Command, T1496 Resource Hijacking, T1613 Container and Resource Discovery) and led to preventive Kyverno policies that block similar attacks.

Key Features

  • Detection: Falco alerting on spawned shell and anomalous CPU usage (5 second MTTD)
  • Analysis: kubectl top for resource metrics and kubectl describe for pod events, Trivy for CVE enumeration (47 vulnerabilities)
  • Analysis: packet capture reviewed in termshark confirming the mining pool connection
  • Containment: Automated NetworkPolicy quarantine script (2 minute MTTC)
  • Eradication: Pod deletion, image cleanup, redeployment with verified artifacts
  • Recovery: Service restoration with clean image deployment (10 minute total recovery)
  • Post-mortem: MITRE ATT&CK technique mapping (T1609, T1496, T1613)
  • Prevention: Kyverno policy implementation blocking vulnerable image patterns
  • Documentation: Complete incident timeline with evidence artifacts and lessons learned
  • NIST SP 800-61 lifecycle coverage: preparation; detection and analysis; containment, eradication, and recovery; post-incident activity
Falco, kubectl, Trivy, termshark, NetworkPolicy, NIST 800-61, MITRE ATT&CK, Incident Response, Forensics
Live Demo: Cryptominer Investigation Workflow
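
The "confirm mining pool connectivity" step of the analysis phase, as an added example that is not part of the case study's own tooling. Minimal container images rarely ship `ss` or `netstat`, but `/proc/net/tcp` is always there; this decodes its hex-encoded peers and flags established connections to ports commonly used by stratum pools. The port list is a heuristic assumption (pools also listen on 443 and arbitrary ports), which is why the page's next step, confirming the stratum protocol in a termshark capture, still matters. The `/proc/net/tcp` sample below is constructed for the example.

```shell
#!/usr/bin/env sh
# Added example: decode a /proc/net/tcp dump taken from a suspect pod and flag
# established connections whose remote port is on a mining-pool heuristic list.
set -eu

POOL_PORTS="${POOL_PORTS:-3333 4444 5555 7777 14444 45700}"   # heuristic, assumed

# Constructed sample: one listener on 127.0.0.1:8080, one established connection to
# 44.26.77.94:3333 (pool-like), one established connection to 127.0.0.1:443.
write_sample_tcp() {   # $1 = output path
  cat > "$1" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18231 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B5C2 5E4D1A2C:0D05 01 00000000:00000000 00:00000000 00000000     0        0 18902 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:D43A 0100007F:01BB 01 00000000:00000000 00:00000000 00000000     0        0 19044 1 0000000000000000 20 4 1 10 -1
EOF
}

# "5E4D1A2C:0D05" -> "44.26.77.94:3333". The kernel prints the IPv4 address as a
# native-endian 32-bit integer, so on x86_64/aarch64 the bytes come out reversed.
# IPv6 entries (/proc/net/tcp6) are 32 hex digits and are not handled here.
decode_hex_addr() {
  h=${1%%:*}; p=${1##*:}
  b1=$(printf '%s' "$h" | cut -c1-2); b2=$(printf '%s' "$h" | cut -c3-4)
  b3=$(printf '%s' "$h" | cut -c5-6); b4=$(printf '%s' "$h" | cut -c7-8)
  printf '%d.%d.%d.%d:%d\n' "$((0x$b4))" "$((0x$b3))" "$((0x$b2))" "$((0x$b1))" "$((0x$p))"
}

is_pool_port() {   # $1 = decimal port
  for pp in $POOL_PORTS; do
    [ "$pp" = "$1" ] && return 0
  done
  return 1
}

# Print every ESTABLISHED connection; prefix with SUSPECT when the remote port is pool-like.
flag_pool_connections() {   # $1 = path to a /proc/net/tcp dump
  while read -r sl laddr raddr st _rest; do
    [ "$sl" = "sl" ] && continue      # header row
    [ "$st" = "01" ] || continue      # 01 = TCP_ESTABLISHED; listeners (0A) etc. are skipped
    local_dec=$(decode_hex_addr "$laddr")
    peer=$(decode_hex_addr "$raddr")
    if is_pool_port "${peer##*:}"; then
      printf 'SUSPECT %s -> %s (remote port on pool-port list)\n' "$local_dec" "$peer"
    else
      printf 'ESTABLISHED %s -> %s\n' "$local_dec" "$peer"
    fi
  done < "$1"
}

# Usage: kubectl -n <ns> exec <pod> -- cat /proc/net/tcp > net-tcp.txt && ./pool-check.sh net-tcp.txt
if [ "$#" -ge 1 ]; then
  flag_pool_connections "$1"
fi
```

A SUSPECT line gives the remote IP and port to look up against pool blocklists and to filter on in the ksniff capture (`ip.addr == 44.26.77.94 && tcp.port == 3333` in termshark); seeing JSON-RPC `mining.subscribe` or `mining.submit` in that stream is the confirmation the page's analysis step relies on.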

More Security projects coming soon...