decepto

command module
v0.0.0-...-07ef16f
Published: Feb 10, 2024 License: Apache-2.0 Imports: 4 Imported by: 0

README

#+title: Decepto - Cloud Native Cyber Deception
#+author: Daniele Santoro
#+email: dsantoro@fbk.eu
#+language: en

Decepto is a system that creates decoys as clones of existing services in a
cloud native environment.

Given an application graph (the set of microservices and the data flows across them),
Decepto decides which services to clone as decoys and where to deploy them, based on
optimization metrics such as the availability of resources.

As shown in the picture below, it runs in a Kubernetes cluster and can use multiple
external algorithms to take decisions and perform actions.

[[file:artifacts/images/decepto-10k-foot-view.png]]

Decepto offers notification and monitoring mechanisms to identify the behavior of an
attacker.

By default it targets Kubernetes environments, extending the Kubernetes API with CRDs
(Custom Resource Definitions). In more detail, it offers the following main features.


*Cloning of a generic microservice into a decoy*

The ability to clone a microservice at the Pod level, following the directives of the
resource-aware placement algorithm. The new decoy Pod is instrumented to control the
alerting and monitoring features.


*Isolating communication flows across the application microservices*

The ability to programmatically control the communication flows across legitimate
microservices and/or decoys. This is implemented by activating and deactivating the
appropriate network rules and service discovery entries.


*Monitoring the adversary's behavior*

The ability to collect all relevant data in order to identify the attacker's behavior
patterns as completely as possible. It collects system calls, cluster audit logs,
application logs and the inbound/outbound traffic of the microservices.


*Alerting when a decoy receives unwanted traffic*

The ability to detect potentially malicious communications and send notifications that
trigger further actions. A background process listens in promiscuous mode for
connections to the decoy, which should never receive legitimate incoming traffic, so
any connection is a high-fidelity signal. Note that infrastructure components such as
the kubelet's liveness and readiness probes, if the cloned Pod spec keeps them, also
open connections to the decoy and must be told apart from attacker traffic.
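The two controls described above, isolating the decoy's flows with network rules and keeping it out of service discovery so that it really never receives legitimate traffic, expressed with plain Kubernetes objects. This is an added example, not Decepto's own manifests or code, and it assumes that decoy Pods carry a label =decepto.fbk.eu/decoy=<name>=; that label key, the =demo= namespace and the =shop-db= names are hypothetical.

```shell
# Print a NetworkPolicy for decoy <name> in namespace <ns>. Ingress stays open to every
# Pod in the namespace, so an intruder scanning the network can still reach the decoy,
# while egress is limited to cluster DNS, so a compromised decoy cannot pivot to the
# legitimate services. (Illustrative rule set; the label key is an assumption.)
decoy_network_policy() {
  ns=$1
  name=$2
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: decoy-$name
  namespace: $ns
spec:
  podSelector:
    matchLabels:
      decepto.fbk.eu/decoy: "$name"
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector: {}
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
EOF
}

# Return 0 if every key=value line of the selector (arg 1) appears among the label
# lines (arg 2). A decoy whose labels satisfy the legitimate Service's selector would
# be added to that Service's endpoints and start receiving real traffic, which breaks
# the "a decoy never receives legitimate traffic" assumption behind the alerting.
labels_match_selector() {
  selector=$1
  labels=$2
  printf '%s\n' "$selector" | while IFS= read -r kv; do
    [ -n "$kv" ] || continue
    printf '%s\n' "$labels" | grep -qxF -- "$kv" || exit 1
  done
}

# Live check against the cluster: fail if the decoy Pod would be selected by the Service.
decoy_hidden_from_service() {
  ns=$1
  svc=$2
  pod=$3
  tmpl='{{range $k, $v := .}}{{$k}}={{$v}}{{"\n"}}{{end}}'
  selector=$(kubectl -n "$ns" get svc "$svc" -o go-template="{{with .spec.selector}}$tmpl{{end}}")
  labels=$(kubectl -n "$ns" get pod "$pod" -o go-template="{{with .metadata.labels}}$tmpl{{end}}")
  if labels_match_selector "$selector" "$labels"; then
    echo "decoy $pod matches the selector of service $svc: it is visible through service discovery" >&2
    return 1
  fi
}

# Usage (hypothetical names):
#   decoy_network_policy demo shop-db | kubectl apply -f -
#   decoy_hidden_from_service demo shop-db shop-db-decoy-0
```

The selector check is deliberately exact-match on whole =key=value= lines: a decoy labelled =app=shop-db-decoy= must not be mistaken for =app=shop-db=, and a Pod missing any one selector label is correctly reported as hidden.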

* Development playground
Create a Kind cluster with Network Policy support (the Kind configuration must disable the default CNI so that Calico can be installed in its place)
#+begin_src sh
kind create cluster --config kind-calico.yaml --name kind-np
#+end_src

Check the cluster Pods: some should be =Pending= because no CNI is installed yet
#+begin_src sh
kubectl get pods -n kube-system
#+end_src

Install Calico
#+begin_src sh
kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.25.0/manifests/tigera-operator.yaml
kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.25.0/manifests/custom-resources.yaml
#+end_src

Watch the Pods go into the =Running= state
#+begin_src sh
watch kubectl get pods -n calico-system
#+end_src

Remove the taints from the control-plane node so that Pods can be scheduled on it (on recent Kubernetes versions only the =control-plane= taint exists, so =kubectl= reports the legacy =master= taint as not found)
#+begin_src sh
kubectl taint nodes --all node-role.kubernetes.io/control-plane- node-role.kubernetes.io/master-
#+end_src

Check the Pods again and verify that the nodes are =Ready=
#+begin_src sh
watch kubectl get pods -n calico-system
kubectl get nodes -o wide
#+end_src
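The playground steps above as one script, added here as an example rather than taken from the Decepto project. It assumes that =kind-calico.yaml=, which the steps reference but do not show, disables Kind's default CNI and uses the =192.168.0.0/16= pod CIDR that Calico's =custom-resources.yaml= expects; =kubectl wait= replaces the manual =watch= so the script blocks until Calico has brought the nodes to =Ready=.

```shell
#!/bin/sh
# Added example, not from the Decepto project. Assumed content of kind-calico.yaml below.
set -eu

CALICO_VERSION=${CALICO_VERSION:-v3.25.0}
CLUSTER=${CLUSTER:-kind-np}

# Assumed kind-calico.yaml: kindnet off so Calico can own the data plane, pod CIDR
# matching the 192.168.0.0/16 in Calico's custom-resources.yaml.
kind_config() {
  cat <<EOF
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
networking:
  disableDefaultCNI: true
  podSubnet: "192.168.0.0/16"
nodes:
- role: control-plane
- role: worker
EOF
}

# Remove one taint key from every node. A key that is absent is reported as "not found",
# which is harmless: recent Kubernetes only carries the control-plane taint.
untaint_all() {
  kubectl taint nodes --all "$1-" || true
}

playground_up() {
  kind_config > kind-calico.yaml
  kind create cluster --config kind-calico.yaml --name "$CLUSTER"
  # Without a CNI the nodes stay NotReady and CoreDNS stays Pending.
  kubectl get pods -n kube-system
  kubectl create -f "https://raw.githubusercontent.com/projectcalico/calico/${CALICO_VERSION}/manifests/tigera-operator.yaml"
  kubectl create -f "https://raw.githubusercontent.com/projectcalico/calico/${CALICO_VERSION}/manifests/custom-resources.yaml"
  # Block until Calico has brought the nodes to Ready instead of watching by hand.
  kubectl wait --for=condition=Ready nodes --all --timeout=300s
  kubectl wait -n calico-system --for=condition=Ready pods --all --timeout=300s
  untaint_all node-role.kubernetes.io/control-plane
  untaint_all node-role.kubernetes.io/master
  kubectl get nodes -o wide
}

# Run as: sh playground.sh up
if [ "${1:-}" = up ]; then
  playground_up
fi
```

Waiting on the node =Ready= condition is the robust signal here: the nodes exist from the moment the cluster is created, whereas the =calico-system= objects only appear once the operator has reconciled =custom-resources.yaml=, so waiting on them first can fail with "not found".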

* Build and Install
** Docker
Build with
#+begin_src sh
  docker build -t gitlab-registry.fbk.eu/cyber-deception/decepto .
#+end_src

Push with
#+begin_src sh
  docker push gitlab-registry.fbk.eu/cyber-deception/decepto
#+end_src

Run with
#+begin_src sh
  # The kubeconfig has to be mounted into the container: a bare KUBECONFIG=~/.kube/config
  # is expanded by the host shell to a host path that does not exist inside the container.
  # ALGORITHMADDR is resolved from the container's network namespace, so 127.0.0.1:5000
  # means the container itself; for an algorithm (or a Kind API server) listening on the
  # host loopback, run with --network host instead of -p.
  docker run --rm -p 5555:5555 --name decepto \
  -v "$HOME/.kube/config:/kubeconfig:ro" \
  -e PORT=5555 \
  -e KUBECONFIG=/kubeconfig \
  -e NAMESPACE=default \
  -e ALGORITHMNAME=silly \
  -e ALGORITHMADDR=127.0.0.1:5000 \
  -e ALGORITHMRESCAP=0.3 \
  -e LOGLEVEL=info gitlab-registry.fbk.eu/cyber-deception/decepto:latest
#+end_src

** Kubernetes
Create a namespace for decepto
#+begin_src sh
  kubectl create ns decepto
#+end_src

Create the CRD
#+begin_src sh
  kubectl create -f artifacts/crds/decepto.fbk.eu_appgraphs.yaml
#+end_src

Apply the RBAC manifests and start Decepto with
#+begin_src sh
  kubectl apply -f k8s/decepto-rbac.yaml
  kubectl apply -f k8s/decepto.yaml
#+end_src

Optionally deploy a =decoy-placer=; see [[https://gitlab.fbk.eu/cyber-deception/decoy-placer][this project]] for details

* License
Copyright 2023 Fondazione Bruno Kessler

Licensed under the Apache License, Version 2.0 (the “License”); you may not use
this file except in compliance with the License. You may obtain a copy of the
License at http://www.apache.org/licenses/LICENSE-2.0.

Unless required by applicable law or agreed to in writing, software distributed
under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR
CONDITIONS OF ANY KIND, either express or implied. See the License for the
specific language governing permissions and limitations under the License.

Documentation

There is no documentation for this package.

Directories

Path Synopsis
pkg/apis/decepto/v1alpha1 Package v1alpha1 is the v1alpha1 version of the API.
pkg/generated/clientset/versioned/fake This package has the automatically generated fake clientset.
pkg/generated/clientset/versioned/scheme This package contains the scheme of the automatically generated clientset.
pkg/generated/clientset/versioned/typed/decepto/v1alpha1 This package has the automatically generated typed clients.
pkg/generated/clientset/versioned/typed/decepto/v1alpha1/fake Package fake has the automatically generated clients.
