SkyShark

2025 · 2025 Competition

Category: Research

Project Overview

One Liner: Real-Time Kernel Behavioral Monitoring in Cloud-Native Systems

Abstract

The frequency of notable data breaches in cloud-native systems has increased over the past several years, causing many problems for both large and small organizations. These systems have a very large attack surface, associated with the many publicly accessible APIs they expose, which can make normal and malicious behavior difficult to distinguish. Managing every aspect of a cloud-native system is prone to misconfiguration errors, since thousands of parameters must be set and audited in enterprise deployments. Successful data breaches require bad actors to remain undetected for long periods of time so that data exfiltration does not trigger intrusion protection controls. In this research, we recreate a realistic cloud-native environment to emulate a data breach attack using common API misconfiguration mistakes. We then introduce a custom monitoring platform, SkyShark, created to collect system call data from the kernels of a Kubernetes cluster; this data is used to train machine learning models capable of differentiating normal from suspicious activity during emulated stealthy attacks.

Team Members

Rebecca Moroz
rebecca.l.moroz@drexel.edu

Team Lead

Rebecca Moroz
rebecca.l.moroz@drexel.edu

Advisors

Brian Mitchell
bsm23@drexel.edu