Response Actions

Spyderbat’s Policy Response Actions provide a powerful mechanism for responding to security events and deviations within your environment. These actions allow you to automate responses, enforce security policies, and maintain operational integrity. Response actions fall under two main categories, Agent and Standard.

Categories of Response Actions

1. Agent Response Actions:

   • Purpose: These actions are executed directly on machines where the Spyderbat Nano Agent is installed.

   • Targeted Scope: They allow for machine-specific responses.

   • Examples:

     • Kill a process.

     • Kill a pod.

     • Kill a process tree.

     • Renice a process.

2. Standard Response Actions:

   • Purpose: These actions generate security and operations flags.

   • Insights: They provide visibility into policy violations or anomalies. They serve as alerts that can be further processed by other systems or personnel.

   • Examples:

     • Creating red flags. (Security focused, can trigger Spydertraces)

     • Creating operations flags. (Operations focused, highlight potential problems with infrastructure)

Actions

Response actions are defined within the spec field of policies.

For Example:

apiVersion: spyderbat/v1
kind: SpyderbatPolicy
metadata:
  name: demo-cluster-policy
  type: cluster
spec:
  enabled: true
  mode: audit
  clusterSelector:
    matchFields:
      name: demo-cluster
  rulesets:
  - demo-cluster_ruleset
  response:
    default:
    - makeRedFlag:
        severity: high
    actions:
    - agentKillProcess:
        processSelector:
          matchFields:
            exe: /bin/bash

• The default section contains global actions that apply to the entire policy. Whenever a deviation occurs, default actions are taken if applicable.

• The actions section allows you to define more specific actions with selectors that narrow the scope of when the action should be executed.

makeRedFlag Action

This action makes a security flag. The ultimate consumer of these types of flags are security personnel investigating an anomaly. They can trigger spydertraces and/or be used to trigger notifications.

Fields

• severity: The priority level of the red flag. Can be critical, high, medium, low, or info.

• impact: [Optional] A string describing the security impact should the flag be generated.

• content: [Optional] A string containing markdown that can detail next steps or who to contact.

Example:

response:
    default:
    - makeRedFlag:
        severity: high
    actions:
    - makeRedFlag:
      namespaceSelector:
        kubernetes.io/metadata.name: production
      severity: critical
      impact: Unexpected activity on this critical workload could be malicious and should be investigated immediately.
      content: '### Remediation
      1. Contact developer
      2. Confirm if activity is expected or not
      3. If not, conduct investigation
      '

makeOpsFlag Action

This action makes an operations flag. The ultimate consumer of these types of flags are operations personnel responsible for maintaining infrastructure.

Fields

• severity: The priority level of the operations flag. Can be critical, high, medium, low, or info.

• impact: [Optional] A string describing the operations impact should the flag be generated.

• content: [Optional] A string containing markdown that can detail next steps or who to contact.

Example:

response:
    default:
    - makeOpsFlag:
        severity: high
    actions:
    - makeOpsFlag:
      namespaceSelector:
        kubernetes.io/metadata.name: production
      severity: critical
      impact: This workload appears to be behaving abnormally, operations should investigate.
      content: '### Remediation
      1. Confirm configuration
      2. Deploy fix
      '

agentKillPod

This action tells the Spyderbat Nano Agent to kill a deviant process.

Examples:

Kill pods running deviant netcat processes.

response:
    default:
    - makeOpsFlag:
        severity: high
    actions:
    - agentKillPod:
        processSelector:
          matchFields:
            name: nc

Kill all pods with deviations

response:
    default:
    - makeOpsFlag:
        severity: high
    - agentKillPod:
    actions: []

agentKillProcess

This action tells the Spyderbat Nano Agent to kill a deviant process.

Examples:

Kill deviant processes running the /bin/bash executable.

response:
    default:
    - makeOpsFlag:
        severity: high
    actions:
    - agentKillProcess:
        processSelector:
          matchFields:
            exe: /bin/bash

Kill all deviant processes

response:
    default:
    - makeOpsFlag:
        severity: high
    - agentKillProcess:
    actions: []

agentKillProcessGroup

This action kills a process an any other processes within the same process group (pgid).

Examples:

Kill process group of deviant processes running the /bin/bash executable.

response:
    default:
    - makeOpsFlag:
        severity: high
    actions:
    - agentKillProcessGroup:
        processSelector:
          matchFields:
            exe: /bin/bash

Kill all deviant processes and their associated groups.

response:
    default:
    - makeOpsFlag:
        severity: high
    - agentKillProcessGroup:
    actions: []

agentKillProcessTree

This action instructs the Spyderbat Nano Agent to kill a deviant process along with its descendants (child processes). It is used to terminate a process tree, ensuring that both the specified parent process and all its child processes are killed.

Examples:

Kill a deviant process and all its descendants:

This example demonstrates how to use the agentKillProcessTree action to kill a deviant process along with its child processes. In this case, the process to be killed is the one running /bin/bash, and all descendant processes are also terminated.

response:
    default:
    - makeOpsFlag:
        severity: high
    actions:
    - agentKillProcessTree:
        processSelector:
          matchFields:
            exe: /bin/bash

Kill all deviant processes and their descendants:

This configuration will kill all deviant processes and their child processes without specifying any selectors.

response:
    default:
    - makeOpsFlag:
        severity: high
    - agentKillProcessTree:
    actions: []

agentReniceProcess

This action allows the Spyderbat Nano Agent to adjust the priority of deviant processes by "renicing" them. The process's priority (or "nice value") can be changed to either increase or decrease its CPU scheduling priority.

Priority Range: The priority value is an string that specifies the new priority (or "nice value") for the process. The valid range for priority is -20 to 19, where:

• -20 is the highest priority (more CPU time),

• 19 is the lowest priority (less CPU time).

Note: The default nice value for a process in Linux is 0.

Examples:

Renice a deviant process by changing its priority:

To adjust the priority of a specific deviant process, use the agentReniceProcess action. In this example, the priority of a deviant process running the /bin/bash executable is set to 20, which is a lower priority.

response:
    default:
    - makeOpsFlag:
        severity: high
    actions:
    - agentReniceProcess:
        priority: "20"
        processSelector:
          matchFields:
            exe: /bin/bash

Renice a specific process by name:

This example shows how to renice a process running the ping command. The priority is set to -1.

response:
    default:
    - makeOpsFlag:
        severity: high
    actions:
    - agentReniceProcess:
        priority: "-1"
        processSelector:
          name:
            - ping

Renice all deviant processes:

To renice all deviant processes to a specific priority you can configure the action as follows:

response:
    default:
    - makeOpsFlag:
        severity: high
    - agentReniceProcess:
        priority: "10"
    actions: []

Related Pages

• Selectors - Reference documentation on the various selector types.

• Policies - The policies that use response actions.