For effective enforcement at runtime, security systems can incorporate generic behaviors based on the premise that attacks tends to exhibit certain common behaviors:
- Suspicious file or network activity
- Abnormal memory usage
- Unauthorized privilege escalation attempts
- Code execution anomalies
By writing protection policies that focus on these generic behaviors, security systems can identify malware (any type) or exploit activity without needing to know the exact exploit in advance (zero day attacks). Figure (1) provides an example of eBPF based detection and policy based containment of a typical cloud workload.
Figure (1) - Attack contained through policy enforcement
We’ll detail how Uptycs’ Blast Radius Mitigation Framework provides robust, immediate protection during such active threat incidents in your cloud workloads.
1. Malware and exploits
Malware and exploit activity pose continuous risks to cloud workloads. Uptycs’ eBPF sensor efficiently detects and contains threats against these key attack types.
- Exploit: Exploits target software vulnerabilities in workloads (e.g., Apache servers). Uptycs uses behavioral analysis and signature-based detection to identify exploit attempts, preventing unauthorized access.
- Privilege Escalation: Attackers escalate privileges to gain higher access (e.g., from user to admin). Uptycs monitors user behavior and access patterns to detect and block these attempts.
- Code Injection: Uptycs detects suspicious code injection activities (e.g., shell injection) that may compromise cloud systems, which are common entry points for attackers.
- Compromised Credentials: Uptycs identifies anomalous login attempts (e.g., unusual locations or invalid credentials) to detect and prevent attackers from leveraging stolen credentials to escalate access.
2. Cryptocurrency Mining
Cryptocurrency mining attacks, where attackers hijack a cloud system’s resources to mine cryptocurrencies, are on the rise. These attacks are often stealthy, using minimal resources until the system is significantly impacted. Uptycs can detect mining activity, such as Coinminer processes that consume abnormal CPU and memory usage patterns. By continuously monitoring cloud workload resource usage, Uptycs identifies when processes attempt to mine cryptocurrency, enabling security teams to act and protect cloud resources from being siphoned for malicious purposes.
3. Network Scanning
Network scanning techniques such as IP Scan and Port Scan are commonly used by attackers to discover vulnerable systems, identify open ports, or facilitate lateral movement within a network.
- IP Scan: This technique is used by attackers to identify active IP addresses within a given range, enabling them to discover potentially vulnerable systems. Uptycs detects IP scanning activity by monitoring network traffic and identifying patterns indicative of scanning attempts.
- Port Scan: Attackers perform port scanning to locate open ports that can be exploited. Uptycs' network monitoring capabilities help detect unauthorized port scanning activities, blocking attackers before they can exploit weaknesses.
These scanning activities are often precursors to larger attacks, such as exploits or ransomware. By detecting behaviors early, Uptycs helps prevent attackers from discovering and exploiting vulnerable cloud systems.
4. Ransomware
Ransomware attacks are highly damaging, as they encrypt valuable files and demand payment for decryption. Uptycs detects ransomware activity by identifying processes that attempt to encrypt files on a system. File encryption is often rapid and widespread, making it a key indicator of ransomware. By monitoring file system changes and process behaviors, Uptycs can detect and block ransomware attacks before they cause irreversible damage to cloud data.
5. Information Stealers
Information stealer attacks, such as Keyloggers and Credential Stealers, are designed to capture sensitive information from compromised systems.
- Keylogger: This type of malware records keystrokes, potentially capturing credentials, financial information, or other sensitive data. Uptycs monitors for unusual processes associated with keylogging activities and alerts security teams to potential breaches.
- Credential Stealer: Attackers use credential stealers to harvest usernames, passwords, and other authentication tokens. Uptycs detects unusual processes that attempt to access authentication systems or network resources without proper authorization, preventing attackers from gaining further access to cloud services.
By detecting information stealers, Uptycs helps prevent data theft and breaches.
6. Web Shells and Reverse Shells
A Web Shell is a script that attackers use to control a compromised web server, often with a remote connection. Reverse Shells allow attackers to remotely execute commands on a compromised system. Uptycs detects both these activities by monitoring for suspicious web traffic and unexpected outbound connections that could indicate the presence of a web shell or reverse shell.
- Web Shell: Uptycs detects signs of web shell activity by analyzing web server logs, looking for suspicious HTTP requests or files that could indicate malicious scripts are running on the server.
- Reverse Shell: Uptycs detects reverse shell activity by monitoring for unexpected outgoing network connections, helping to block unauthorized remote access and limit attacker control over cloud workloads. Figure (2) gives an example of how reverse shell is contained and providing deeper insights into which command line and container image led to this detection.
Figure (2) - Detection attribution to a specific command line and container
7. Fileless Malware
Fileless malware is a type of malware that runs directly in memory, making it harder to detect through traditional file-based antivirus solutions. Uptycs is designed to detect Fileless Malware by monitoring system processes and behaviors rather than relying on file signatures. By analyzing runtime behavior, Uptycs can identify anomalies that suggest the presence of fileless malware, helping to prevent attacks that would otherwise bypass conventional security defenses.
8. Malicious Toolkits
Malicious Toolkits like malware and exploit kits, including those detected by Yara rules, are often used by attackers to launch a variety of malicious activities. Uptycs integrates signature-based detection (e.g., Yara rules) with behavioral analysis to identify malicious toolkits and prevent their execution within cloud workloads.
The Comprehensive Benefit
Having an effective unified enforcement strategy to contain attacks is beneficial for the following reasons. Figure (3) shows an example of how a unified enforcement strategy can help Security Operations drive better efficiency.
- Shared Indicators of Compromise (IoCs):
All these attack types often share similar Indicators of Compromise (IoCs), such as unusual network traffic, unauthorized access attempts, or abnormal system processes. Grouping these attacks together allows security tools to more effectively recognize patterns across multiple vectors. - Comprehensive detection and protection framework:
By combining these attack types, we can improve the efficacy of detection systems that look for signatures or anomalous activity indicative of exploitation. - Faster Incident Response:
Treating these activities under a single policy driven enforcement model enables security teams to respond faster. Rather than spending time distinguishing between different types of attacks, teams can focus on identifying exploit activity, triaging it, and mitigating the threat before it escalates. - Holistic Threat Mitigation:
For example, patch management, which is a common defense against exploit-based attacks, can be prioritized across all types of vulnerabilities—whether they affect a web server or an operating system.
Figure 3 - eBPF based protection policy profiles
After containing threats, the Uptycs Blast Radius Mitigation Framework moves into Root Cause Analysis for deep insights—keep reading to see how each step drives resilient, secure cloud environments.
The Uptycs Blast Radius Mitigation Framework is a five-step journey to cloud security resilience. Read the guide to learn more.
