Suppression & Tuning

Overview

Spyderbat is a powerful security tool that leverages Spydertraces to group security alerts (red flags) into scored traces of activity. This documentation page will guide you through the concepts of trace suppression to tune your Spyderbat environment.

Spydertraces

Spydertraces are groups of security alerts that are scored based on the activity they represent. These traces provide a comprehensive view of potentially suspicious activity within your environment and are viewable on the Spyderbat dashboard. From the dashboard, you can investigate each Spydertrace to determine the nature and severity of the activity.

Alert Suppression

Alert suppression in Spyderbat allows you to mark known Spydertrace activities as acceptable. Suppressing a Spydertrace reduces its score to 0 and prevents future traces that match the same activity from showing up in your Dashboards. This helps in reducing noise and focusing on genuinely suspicious activities.

Trace Suppression Policies are the current tool that enables Spydertrace Suppression. Suppression Policies can be generated automatically using the Spyctl CLI and a valid Spydertrace UID.

Example Suppression Policy:

apiVersion: spyderbat/v1
kind: SpyderbatPolicy
metadata:
  name: Trace Suppression Policy for systemd/containerd-shim/sh/python/sh/nc
  type: trace
spec:
  traceSelector:
    matchFields:
      triggerAncestors: systemd/containerd-shim/sh/python/sh/nc
      triggerClass: redflag/proc/command/high_severity/suspicious/nc
  enabled: true
  mode: enforce
  allowedFlags:
  - class: redflag/proc/tmp_exec/high_severity/nc
  - class: redflag/proc/command/high_severity/suspicious/nc
  - class: redflag/proc/suspicious_crud_command/high_severity/cat

This example policy will suppress any Spydertraces triggered via a suspicious nc command with the specific process ancestors of systemd/containerd-shim/sh/python/sh/nc. Within that scope, the policy then specifies what other flags are allowed to be grouped within the trace.

Should additional flags appear outside of the allowed list, the trace would no longer be suppressed and have a new score based on the severity of any new flags.

Methods of Suppressing Spydertraces.

There are two main methods to suppress Spydertraces in Spyderbat:

1. UI-based approach.

2. CLI-based approach.

With either approach, once you implement the suppression rule, any active Spydertraces that match the rule's scope and allowed flags will be immediately suppressed. New Spydertraces that fit these criteria will also be automatically suppressed going forward.

Don’t worry if you don’t know about Suppression Rules yet, we’ll get into it.

1. Using the UI

The UI approach involves 4 simple steps: finding the Spydertrace to suppress, clicking Suppress Trace, creating a suppression rule, and clicking Create.

You can find Spydertraces in three main ways: using Search, Dashboard, or Investigation.

The key part of this process is creating a suppression rule in the UI. Let's go over that first before explaining how to find Spydertraces.

Suppression Rule and Suppression Scope Customization:

Suppression rules allow you to reduce noise in your environment by marking known activity as acceptable, ensuring that your focus only remains on suspicious activities.

By default, suppression rules are applied globally across your environment (org).

To target specific areas and reduce the scope of the suppression, you can customize the rule by adding selectors, such as user, machine, cluster name, container, namespace, or any other available identifiers from the drop-down list available.

After you click "Suppress Trace" for a Spydertrace, this window pops up.

Using selectors allows you to focus the suppression rule on particular components, ensuring that it only applies where necessary.

You can limit the suppression Scope to:

• Specific users to control which individuals the rule affects.

• Particular machines or hosts to contain the suppression to certain hardware.

• A particular cluster for Kubernetes-based environments.

• Specific containers or pods or Namespace to isolate suppression in a containerized setup.

You can also choose the allowed flags as part of Suppression.

Spyderbat allows you to edit the Suppression Rule context and the Suppression Rule Name.

To make the Suppression Rule Context generic add a wildcard (*) to the Trigger Ancestor or the Trigger class as desired. This use of wildcards makes Suppression Rules flexible, allowing you to catch a wider range of patterns and reducing the need for multiple specific rules.

Note: You cannot edit the selectors in the console once the policy has been created, but using Spyctl CLI you can still edit the raw yaml. For simplicity we recommend deleting and recreating the suppression rule if you wish to edit the selectors.

Now that you understand what suppression rules are, let’s look at 3 different ways to find Spydertraces and apply suppression rules using the UI.

a. Searching on Spydertraces:

In the Search section of the Spyderbat UI, you can search for various Kubernetes objects, processes, connections, and Spyderbat-specific entities like Spydertraces.

Suppressed traces refer to Spydertraces that have been intentionally suppressed.

To begin, select Spydertrace, open the query builder, and select the fields you want to query. Use the appropriate operators and time filters to refine your search.

Below, we've used score>40 query for our Search.

Additionally, you can apply filters to the result from the top-left corner to further narrow down and investigate the data that interests you.

Once you’ve found the trace of interest in the search results, select it and click Suppress Trace from the options when prompted. You can also go ahead and Investigate further and then Suppress the trace.

This will open the Create Trace Suppression Rule page, where you can customize the scope and add multiple selectors from the available list.

Refer to the 'Suppression Rule and Suppression Scope Customization' and finally, click Create to apply the rule.

b. Spydertraces Dashboard Card

Spydertraces represent potential security concerns, and by default, the ‘Security’ dashboard category in the Spyderbat UI includes a card dedicated to all security-related aspects, including Spydertraces.

You can view several key dashboard cards, such as:

• Recent Spydertraces with Score > 50: Displays high-priority traces for immediate attention.

• Suppressed Traces: Lists any traces that have been suppressed.

Spydertraces are automatically grouped by their trigger short names for easier review in Dashboard cards. If needed, you can ungroup them to focus on individual traces.

To suppress a specific trace, select it, click Suppress Trace, then customize the scope and settings as described earlier to create the suppression rule. This allows you to refine and manage trace suppression based on your security needs.

With this Suppression rules setting you have decided to reduce noise in your environment by marking known activity as acceptable.

Finally, click Create to finalize the rule. You have successfully suppressed a trace. You can also check it out in the “Suppression Trace” dashboard card for quick review.

You can also create your own Custom Dashboard Card dedicated to your Spydertrace query and suppress the trace from there as desired.

c. Investigation

Another method of suppressing a trace is through the Investigation feature in Spyderbat.

You can start your Kubernetes investigation via Kubernetes Section or Source Section in UI. If you observe a Spydertrace linked to the object that has generated flags, but after review, you determine it is not malicious, In this case, you can also suppress the trace directly from the investigation interface.

Alternatively, you can:

a) Search for a Spydertrace and add it to the investigation.

b) Once added, you can suppress it from the investigation.

c) Customize the scope if needed, apply selectors, and create/apply the suppression rule.

2. CLI-Based Approach

The second method of creating a Suppression trace is using Spyctl CLI.

In the CLI-based approach, you can easily manage Spydertraces using the Spyctl CLI. Here’s a step-by-step guide to help you navigate:

(i) View Spydertraces:

To retrieve a list of Spydertraces, you can use the below command:

$ spyctl get spydertraces

This command will provide summarized information, including the trigger name, count of occurrences, etc for further investigation

If you're specifically interested in Spydertraces with a score above 50, you can add the --score_above option:

$ spyctl get spydertraces --score_above 50 

There are a lot of other filter options that you can provide. Use '$spyctl get spydertraces –help' for more information.

(ii) Get the UID:

Identify the UID of the Spydertrace you want to suppress from the list. The UID uniquely identifies each trace and is necessary for suppression.

(iii) Suppress the Trace:

Once you have the UID, use the following command to suppress the specific Spydertrace.

  spyctl suppress trace TRACE_UID

Replace TRACE_UID with the actual UID of the trace. You can also apply additional options for more control over the suppression policy:

-u, --include-users: Scope the suppression to specific users found in the trace.
-n, --name: Provide an optional name for the suppression policy. If you don’t provide a name, one will be generated automatically.
-y, --yes: Automatically answer "yes" to prompts, making the process non-interactive.

For more details on how to fine-tune your commands, you can always use the --help option: spyctl suppress trace --help

Editing a Suppression Rule/Policy:

You cannot edit the selectors for Suppression Rule in Console, but you can edit the raw YAML for a suppression rule or policy in Spyctl CLI using the following command:

$ spyctl edit trace-suppression-policy <policy_id>

Each suppression rule is linked to a unique policy ID. To find the policy ID, you can use the following command:

$ spyctl get policies --type trace

However, for simplicity, we recommend deleting and recreating the suppression rule if you need to modify the selectors.

Managing Suppression Rules:

There may be cases where you want to delete or disable a suppressed Rule to further stop the traces from being generated.

For example, if the conditions that triggered the suppression are no longer valid or if the trace needs to be re-evaluated due to changes in your security policy. Spyderbat allows you to manage these traces easily.

How to Delete a Suppressed Rule:

UI approach.

To permanently remove a suppression Rule:

• Go to the Suppression Rules section in the Spyderbat Console.

• Find the suppression rule associated with the trace you wish to delete.

• Click on the bin icon next to the suppression rule name.

This will delete the Suppression rule. Deleting a suppressed rule is useful when the trace is no longer relevant to suppress or if you need the activity information in your environment.

CLI Approach:

You can delete the Suppression Rule/policy using Spyctl CLI with the following command:

$ spyctl delete policy <policy_id>

Each suppression rule is associated with a unique policy ID. To find the policy ID, use the command:

$ spyctl get policies

How to Disable a Suppression Rule:

UI approach.

To temporarily disable a suppression rule:

• Go to the Suppression Rules section

• Click on View next to the suppression rule you want to manage.

• Navigate to Rule Settings.

• Locate the Rule Status option.

• Set the status from Enabled to Disabled to turn off the suppression rule.

Disabling a suppression rule is helpful when you want to pause the suppression without permanently deleting the rule, allowing you to enable it later if necessary.

CLI Approach:

$ spyctl edit trace-suppression-policy <policy_id>

Then set the enabled field to false.

apiVersion: spyderbat/v1
kind: SpyderbatPolicy
metadata:
  ...
spec:
  allowedFlags:
    ...
  enabled: False
  ...