Spyderbat Nano Agent
Nano Agent operational principles, compatibility, network requirements and proxy support, general FAQ
How does Spyderbat collect data?
Spyderbat collects data by deploying a lightweight “Nano Agent” on Linux-based systems. The agent uses eBPF (“extended Berkeley Packet Filter”) filters to build a continuous map of activity within and across systems.
Why do I need to install an agent?
Existing endpoint agents and system logs do not include the necessary information required by Spyderbat to build a complete, living map of causal activity within and across systems. Spyderbat’s Nano Agent is optimized to collect this information so that analysts can see the complete causal attack picture across systems, users, and time.
What is the impact of the Spyderbat Nano Agent on the system?
Spyderbat has observed minimal impact on system resources (CPU, memory), and minimal network bandwidth impact due to heavy compression.
What operating systems are currently supported?
Spyderbat currently supports the following Linux systems:
Operating System | Architecture |
---|---|
AlmaLinux 9 | x86_64 |
Amazon Linux 2 | x86_64 / ARM64 |
Amazon Linux 2022 | x86_64 / ARM64 |
Amazon Linux 2023 | x86_64 |
Amazon Linux Bottlerocket | x86_64 |
CentOS 7 up to 7.6 (with El Repo LT) | x86_64 |
CentOS 7.6+ (with Kernel 3.10.0-957+) | x86_64 |
CentOS 8 | x86_64 |
Debian 11 | x86_64 |
Debian 12 | x86_64 |
Flatcar Container Linux (3227.2.1; 3374.2.3) | x86_64 |
Google Container-Optimized OS (GCOS) | x86_64 |
Kali 2021.2 | x86_64 |
RHEL 7.6+ (with Kernel 3.10.0-957+) | x86_64 |
RHEL 8 | x86_64 |
RHEL 9 | x86_64 |
Rocky Linux 8 | x86_64 |
Rocky Linux 9 | x86_64 |
Sangoma 16 (with El Repo LT) | x86_64 |
Ubuntu 18.04 LTS | x86_64 |
Ubuntu 20 Desktop | x86_64 |
Ubuntu 20.04 LTS | x86_64 / ARM64 |
Ubuntu 20.10 | x86_64 |
Ubuntu 22.04 | x86_64 |
Ubuntu 24.04 | x86_64 |
What K8s Distributions are currently supported?
Spyderbat Nano Agents can currently be installed on K8s clusters that use the following distributions:
K8s Distribution | Node Operating System | Container Runtime |
---|---|---|
EKS | Amazon Linux 2, Bottlerocket | containerd or Docker |
GKE | Ubuntu, GCOS | containerd |
Rancher K3s | Ubuntu 20 LTS | containerd or Docker |
MicroK8s | Ubuntu 22 LTS | containerd |
What are the Nano Agent’s network requirements?
Ensure that the systems running the Nano Agent have outbound access on port 443 to https://orc.spyderbat.com.
Does the Nano Agent support network proxies?
Yes. If you have a proxy configured and you have Linux environment variables like:
The installation script will automatically grab the environment variables from your terminal using the “-E” flag and pass those to the agent as required.
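A pre-install check of the outbound path described above, as an added example that is not Spyderbat's own code. It assumes the conventional `https_proxy`/`HTTPS_PROXY` and `no_proxy`/`NO_PROXY` variable names (the page's own list is not shown here) and that `curl` is installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-install check of the Nano Agent's outbound path.
ORC_HOST="orc.spyderbat.com"   # endpoint and port as stated on the page
ORC_PORT=443

# Print the proxy URL that HTTPS traffic to host $1 would use, or "direct".
# Assumption: the conventional https_proxy/HTTPS_PROXY and no_proxy/NO_PROXY
# names, with suffix matching of no_proxy entries (a simplified model).
# The body is a subshell, so the IFS and "set -f" changes do not leak out.
effective_proxy() (
  host=$1
  route=${https_proxy:-${HTTPS_PROXY:-}}
  route=${route:-direct}
  IFS=', '; set -f               # split on commas/spaces, never glob "*"
  for entry in ${no_proxy:-${NO_PROXY:-}}; do
    entry=${entry#.}             # ".example.com" and "example.com" are equal
    case $entry in
      '')  ;;
      '*') route=direct ;;
      *)   case $host in "$entry"|*."$entry") route=direct ;; esac ;;
    esac
  done
  echo "$route"
)

# Attempt a certificate-verified TLS connection; curl reads the same proxy
# variables from the environment. Any HTTP status counts as reachable.
check_orc() {
  echo "route to $ORC_HOST:$ORC_PORT: $(effective_proxy "$ORC_HOST")"
  if code=$(curl --silent --output /dev/null --max-time 10 \
      --write-out '%{http_code}' "https://$ORC_HOST:$ORC_PORT/"); then
    echo "OK: verified TLS session established (HTTP status $code)"
    return 0
  else
    rc=$?
  fi
  case $rc in
    5|6)   echo "FAIL: DNS lookup failed for the proxy or for $ORC_HOST" ;;
    7|28)  echo "FAIL: connection refused or timed out; check egress on port $ORC_PORT" ;;
    35|60) echo "FAIL: TLS handshake or certificate check failed; look for TLS inspection" ;;
    *)     echo "FAIL: curl exit code $rc" ;;
  esac
  return 1
}

# Run the live check only when asked: sh preflight.sh check
if [ "${1:-}" = "check" ]; then check_orc; fi
```

Run it as the same user and in the same shell environment that will run the installer, so the check sees the proxy variables the installer would pass on.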
Is information sent securely from the Nano Agent?
Yes. Spyderbat securely encrypts information sent by the Nano Agent to the Spyderbat backend using TLS.
Does the Nano Agent support systems hosted in AWS?
The Nano Agent can be installed on any of the supported systems listed above as virtual or physical machines. Additionally, the Nano Agent collects metadata from AWS instances, such as Cloud Tags, Region, Zone, etc. To collect this metadata, ensure your AWS instances have an appropriate read-only IAM role assigned to them, such as “AmazonEC2ReadOnlyAccess”. See https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/security-iam-awsmanpol.html
How do I start and stop the Nano Agent from the command line?
To start the Nano Agent:
To stop the Nano Agent: