Telemetry to Tactics: Tetragon Through the Lens of the MITRE ATT&CK Framework

Cloud native environments present two fundamental challenges from a security perspective. The first challenge is achieving deep visibility into modern distributed systems where traditional tooling is inadequate. The second challenge is making sense of the vast volume of data once that visibility has been achieved.

Tetragon provides a robust solution for the first challenge with deep visibility into system behavior through eBPF-powered security observability. Tetragon captures granular security-significant data, prying into places out of reach for traditional security tooling. This deep visibility creates a gap that needs to be filled. Security teams now have vast amounts of low-level telemetry—system calls, file accesses, network connections, and process events—all rich with security significance. 

This is where a high-level framework for understanding adversaries becomes invaluable. Rather than drowning in individual system calls or isolated events, the MITRE ATT&CK framework provides a structured lens to interpret this telemetry, allowing us to see the broader picture. This way, a granular event such as “process X in pod Y made system call Z” can now be viewed holistically in the context of the threat and translated into a meaningful insight such as “an attacker is attempting privilege escalation.”

In this blog post, we’ll explore how to use the MITRE ATT&CK framework to transform the deep telemetry from Tetragon into clear, actionable insights about adversary behavior. We’ll also elaborate on how security teams can understand security-significant events in the context of real-world attack patterns and adversary behaviors.

Understanding Tetragon’s Capabilities

Tetragon is the standard for eBPF-based security observability and runtime enforcement and has seen massive adoption by platform and security teams globally. Its eBPF-based architectural approach provides unprecedented visibility into system activity while maintaining minimal performance overhead. Tetragon is being used for a variety of security observability and runtime enforcement use cases, such as generating audit trails for mission-critical applications, implementing file integrity monitoring at scale, high-performance network health monitoring, catching supply chain attacks, advanced threat detection and response, and many more.

In cloud native environments, Tetragon’s superpower lies in correlating these low-level events it collects with cloud native identities, providing context-rich security telemetry that includes pod names, namespaces, and container metadata. Tetragon was built from the ground up to cater to the unique needs of Linux, container, and Kubernetes workloads. 

Tetragon provides our security teams with rich data that connects important network, process, and Kubernetes metadata into a single event record. Getting this combined view of activity allows us to answer questions about network activity on our clusters down to the node, namespace, pod, and container level. Even more, it was quick to set up and has minimal overhead, which is critical at our scale.

Jason Cetina – Staff Security Engineer at GitHub

The MITRE ATT&CK Framework

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a comprehensive knowledge base of adversary behavior. For years, the security community has used it to categorize adversary behaviors and document how to defend against them. The framework organizes attack scenarios into three key components:

• Tactics: The “why” – representing adversaries’ technical objectives. 
• Techniques: The “how” – specific methods to achieve tactical goals. Each technique outlines the methods used by threat actors. This includes the privileges required, the preferred platforms, and the detection methods for commands or activities associated with the technique.
• Procedures: The “what” – detailed implementations of techniques.

The ATT&CK Matrix visually organizes tactics, techniques, and procedures into a tabular format for each technology domain – the ecosystem within which an adversary operates (e.g., enterprise, mobile, Industrial Control Systems (ICS)). The tactics are arranged across the rows, and the techniques for each tactic are listed in the column. In the context of cloud native security, the container matrix below highlights  techniques known to target containers and container orchestration systems such as Kubernetes.

Using the MITRE ATT&CK framework offers several benefits. ATT&CK provides a shared vocabulary for communicating about threats and is often used for real-world adversary emulation and red teaming. This helps teams understand adversary behavior, evaluate the effectiveness of existing defenses, identify weaknesses attackers can exploit, and develop better defensive measures against threat actors. As threat actors evolve in their tactics, techniques, and procedures (TTPs), the ATT&CK framework is regularly updated by the ATT&CK community to stay relevant and continue providing actionable intelligence about adversaries and their behaviors.

MITRE ATT&CK Tactics 

This blog will focus on the containers matrix in the context of cloud native security. We’ll review each tactic in the matrix and give some examples of how security teams can use the context the MITRE framework provides to apply Tetragon’s security observability and runtime enforcement mechanisms.  

• Initial Access: Initial access consists of the various techniques an attacker might employ to gain the first entry and compromise the environment. This often happens through exploiting an external facing application or standard services such as SSH. Another common way an attacker can gain an initial entry into an environment is by compromising the supply chain.
  
  Tetragon can detect instances of initial access early before an attacker gains a foothold in the environment. A good example is the XZ Utils vulnerability, which utilizes an upstream dependency in OpenSSH to introduce a sophisticated backdoor that enables an attacker to execute arbitrary code or potentially access environments. This blog post titled “eBPF & Tetragon: Tools for Detecting XZ Utils CVE 2024-3094 Exploit” details how to write a Tetragon tracing policy (defines what situations Tetragon should react to and how) to detect and remediate the XZ Utils CVE 2024-3094 exploit. 

• Execution: Execution consists of techniques that involve adversary-controlled code running on a local or remote system. Execution often leverages techniques from other tactics to achieve a broader objective, such as reconnaissance or data exfiltration. Process execution is the most common indicator of many tactics, including execution.
  
  By default, Tetragon traces all process execution in an environment. Each process execution event emitted by Tetragon captures the binary name and path, parent process information, command-line arguments, current working directory, Kubernetes metadata, and a unique process identifier. Tetragon can monitor all child processes spawned by a specific binary. This child process visibility is particularly useful for detecting malicious behavior like process injection.   

- matchBinaries:
  - operator: "In"
    values:
    - "/usr/sbin/sshd"
    followChildren: true

Tetragon can be configured to filter and focus on security-significant process events. For example, take the monitoring of kubectl exec invocations in a Kubernetes environment; rather than overwhelming security teams with every process execution event, Tetragon can be configured to track these privileged operations. This fine-grained approach provides comprehensive visibility while maintaining a high signal-to-noise ratio.

While Kubernetes audit logs allow tracking executions initiated through kubectl exec, if an attacker comprises a pod and performs actions inside the pod (e.g., running malicious commands, installing packages, escalating privileges, or exfiltrating data), these activities will be invisible in the audit logs. 

• Persistence: Persistence refers to the techniques an adversary can use to maintain access to systems they’ve exploited across restarts, changed credentials, and other interruptions that could cut off their access. Some common ways persistence manifests in cloud native environments include creating and modifying system services, account manipulation, loading malicious kernel modules (T1547.006), rootkits (T1014), and exploiting container management systems like Kubernetes. 

Tetragon file monitoring capabilities can be used to monitor or restrict command execution, execution of executables, and access to potentially sensitive files and directories that deal with authentication and/or authorization. For example, restricting write access to the /temp, /etc/ssh/, e/root/~.ssh/authorized_keys, or /etc/kubernetes directories.  A common way to create persistence in a Kubernetes environment involves creating a hidden static pods – a method where attackers write pod specifications to the /etc/kubernetes/manifests/ directory on kubeadm-bootstrapped clusters, causing Kubelet to automatically launch and manage these pods locally. By specifying a non-existent namespace in the pod specification, these pods stay invisible to the Kubernetes API while running on the node.

In this example below, the Tetragon tracing policy detects attempts to write to the /etc/kubernetes/manifests/ directory. 

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "file-write-etc-kubernetes-manifests"
  options:
  - name: "disable-kprobe-multi"
    value: "1"
  kprobes:
  - call: "security_file_permission"
    syscall: false
    args:
    - index: 0
      type: "file" # (struct file *) used for getting the path
    - index: 1
      type: "int" # 0x04 is MAY_READ, 0x02 is MAY_WRITE
    selectors:
    - matchArgs:      
      - index: 0
        operator: "Prefix"
        values:
        - "/etc/kubernetes/manifests"

Adversaries often insert malicious Kernel modules as rootkits to hide their presence, programs, files, network connections, and other system components. Monitoring Kernel modules helps identify processes that load kernel modules to alter the host system functionality or hide their behavior. Tetragon can detect which process or container is loading or unloading a Kernel module, requesting a feature that triggers the kernel to load a module automatically and whether these loaded kernel modules are signed. 

Below is an excerpt from this tracing policy from the baseline observability library, which monitors kernel module operations. It focuses on two key events: when a kernel module is requested and when it is explicitly loaded. 

spec:
  kprobes:
  - call: "security_kernel_module_request"
    message: "Kernel module requested and is being loaded automatically"
    syscall: false
    return: true
    args:
    - index: 0
      type: "string"
    returnArg:
      index: 0
      type: "int"
  - call: "security_kernel_read_file"
    message: "Kernel module is being loaded"
    # Explicit module loading using file descriptor finit_module() to print module full path
    syscall: false
    return: true
    args:
    - index: 0
      type: "file"
    - index: 1
      type: "int"

Tetragon can also monitor activities in the eBPF subsystem to help detect malicious BPF activity. In this amazing Kubecon talk, “Securing the Superpowers: Who Loaded That EBPF Program?” John Fastabend and Natalia Reka Ivanko demo how Tetragon can be used to monitor what happens in the BPF file system. Security teams can leverage these capabilities individually or collectively to detect and remediate persistence early in an attack lifecycle. 

• Privilege Escalation: Privilege escalation comprises techniques an adversary can use to gain higher-level permissions in an environment. In cloud native environments, this typically presents via three primary vectors: privileged binary execution (sudo/sudo caching abuse, Setuid, and Setgid abuse), privileged system calls (Capset, Setuid, Setgid), and container escapes. Tetragon’s standard process execution observability monitors all privileged binary execution, including sudo invocations and SUID/SGID binaries. The SUID/SGID binaries were originally designed to enable programs to perform privileged tasks, but attackers often abuse them to escalate privileges.

System call monitoring forms a critical layer of detection against privilege escalation. For example, this tetragon tracing policy from the baseline observability policies library monitors the setuid(), setgid(), and capset() system call family, detecting processes attempting to raise privileges by switching their user or group ID to root. 

- call: "__sys_setgid"
    message: "Privileged operation setgid to root"
    syscall: false
    args:
    - index: 0
      type: "int"
    selectors:
    - matchArgs:
      - index: 0
        operator: "Equal"
        values:
        - "0"
      matchActions:
      - action: Post
        rateLimit: "1m"  # Rate limit messages to 1min
  - call: "__sys_setreuid"
    message: "Privileged operation setuid to root"
    syscall: false
    args:
    - index: 0
      type: "int"
    - index: 1
      type: "int"
    selectors:
    - matchArgs:
      - index: 0
        operator: "Equal"
        values:
        - "0"

• Defense Evasion: Defence evasion involves techniques used to avoid detection and security controls throughout the lifecycle of an attack.  One common way this presents itself in cloud native environments is through various sub-techniques of Indicator Removal (T1070). Adversaries use fileless executions to circumvent file-based detection, avoiding leaving behind artifacts that can trigger security alerts or show up in logs.
  
  Tetragon’s standard process observability can detect memory-based executions. Leveraging the security observability mechanisms Tetragon offers, security teams can detect and prevent sophisticated attempts by adversaries to obscure their presence and activities. In the tracing policy below, the sys_linkat system call is monitored to detect attempts at creating a hard link to the /etc/passwd file. Attackers can use hard links to evade file path-based detection, maintain access to sensitive files, and evade file integrity checks. 

spec:
  kprobes:
  - call: "sys_linkat"
    syscall: true
    args:
    - index: 0
      type: "int"
    - index: 1
      type: "string"
    - index: 2
      type: "int"
    - index: 3
      type: "string"
    - index: 4
      type: "int"
    selectors:
    - matchArgs:
      - index: 1
        operator: "Equal"
        values:
        - "/etc/passwd"

• Credential Access: Upon compromising an environment, attackers can steal insecurely stored credentials like configuration files, secrets, API tokens, etc., which can be used to compromise the system further. Leveraging some of Tetragon’s capabilities, like file monitoring and process execution, security teams can monitor and mitigate attempts to steal credentials in cloud native environments. Platform-specific best practices also play an essential role in ensuring credentials are safely tucked away from the reach of malicious actors. For Kubernetes, the credential access section of the  Kubernetes threat matrix provides Kubernetes-specific techniques attackers can use to steal cluster credentials.   

• Discovery: Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. Using these techniques, adversaries can observe the environment and orient themselves on the best way to compromise the system. One common way discovery presents itself in cloud native environments is through Network Service Discovery (T1046). Using the network monitoring capabilities Tetragon offers, security teams can detect attempts by attackers to conduct network reconnaissance. Take for example the excerpt from this tracing policy below which tracks UDP socket allocations and datagram traffic on the loopback interface.
  
  This tracing policy monitors socket creation, tracks active connections, and untracks them when freed. Local services communicating via UDP can be discovered unintrusively.

spec:
  kprobes:
  - call: "__cgroup_bpf_run_filter_skb"
    syscall: false
    args:
      - index: 0
        type: sock
      - index: 1
        type: skb
      - index: 2
        type: int
    selectors:
      - matchArgs:
        - index: 1
          operator: "DAddr"
          values:
          - "127.0.0.1/8"
        - index: 1
          operator: "Protocol"
          values:
          - "IPPROTO_UDP"
        matchActions:
        - action: Post
          rateLimit: "5"

• Lateral Movement: Lateral movement involves techniques adversaries use to move across the network and platform boundaries in an environment. Lateral movement often follows an initial compromise of the environment. Container escapes are a common way lateral movement presents itself in cloud native environments. An attacker can break out of the container boundary to access the underlying host and its critical components. Lateral movement through the network also presents another security challenge in cloud native environments. Kubernetes, for example, by default, has no restriction for pod-to-pod communication. Upon compromising a pod, an attacker can leverage this absence of network segmentation controls to laterally move across other pods or break out of the host network namespace. Cilium (a parent project from the same family as Tetragon for providing, securing, and observing network connectivity between cloud native workloads) network policy forms an important line of defense against lateral movement attacks, offering operators the ability to enforce network segmentation controls at the appropriate source or destination. Through Tetragon process execution tracking, system call monitoring, and network monitoring, security teams can detect and contain lateral movements before attackers expand their foothold on the environment

• Impact: Impact is an attacker’s ultimate goal. It consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying, tampering, or exfiltrating data. Hijacking compute resources to mine cryptocurrency is also a common abuse that has been popular lately. The presence of security controls is ultimately meant to prevent malicious actors from achieving an impact on the environment.
  
  In this tracing policy, for example, any attempt by a process to make an outbound TCP connection to a private IP address outside the explicitly listed addresses is reported and blocked, and the offending process is killed, preventing an attacker from exfiltrating data from the environment. 

spec:
  kprobes:
  - call: "tcp_connect"
    syscall: false
    args:
    - index: 0
      type: "sock"
    selectors:
    - matchArgs:
      - index: 0
        operator: "NotDAddr"
        values:
        - "10.0.0.0/8"
        - "172.16.0.0/12"
        - "192.168.0.0/16"
        - "127.0.0.0/8"
      matchActions:
      - action: Sigkill

Clearing the Path from Telemetry to Tactics

By design, Tetragon generates a vast amount of telemetry. eBPF’s unique vantage point within the kernel ensures virtually everything can be observed. However, in many cases, only a subset of events translate into actionable signals. Which specific system calls should you block? What files or directories should access be restricted? What specific execution patterns would be considered suspicious? These are all the kinds of questions the MITRE ATTA&CK framework brings clarity to. 

Regardless of the team’s size or whether the threat analysis is being done using a Security Information Event Management (SIEM), some key recommendations below can help security and platform teams using Tetragon to move towards threat-informed defense and improve decision-making based on real-world adversary behavior. 

Observability-Driven Environment Baselining

Establishing an accurate baseline behavior profile of your environment and workloads provides a foundation for effective security monitoring. With Tetragon’s granular telemetry, security and platform teams can develop detailed profiles of normal system and workload behavior before implementing preventive security measures. This observability-first approach ensures security policies don’t break essential system functionality.

Mapping to ATT&CK Techniques 

With the baseline behavior established, Tetragon’s detection and enforcement mechanism can then be mapped to specific ATT&CK techniques. This mapping process can be prioritized based on several factors, such as an organization’s threat model identifying the most relevant attack vectors, critical assets, and their potential vulnerabilities – as these often represent primary targets for attackers, historical attack patterns, and industry-specific threats. ATT&CK extensively documents detection and mitigation recommendations for each technique. The relevant Tetragon tracing policies can be derived from these recommendations.

The events generated by Tetragon can form the foundation for creating real-time alerting or enforcement points. The Isovalent enterprise for Tetragon distribution allows these events to be directly logged to SIEM systems such as Splunk to perform advanced threat analysis or piped into other alerting and visualization systems like Prometheus, Grafana, Fluentd, Elasticsearch, and OpenTelemetry.  For organizations looking to harness the full potential of Tetragon while ensuring enterprise-level support and functionality, the Isovalent enterprise for Tetragon distribution offers a hardened, enterprise-grade distribution maintained by the creators of Tetragon. This distribution goes beyond the Tetragon open-source project by offering additional SecOps, governance, analytics, and observability functionality tailored for large-scale, mission-critical deployments. Coupled with 24/7 enterprise support and service level agreements (SLAs), Isovalent ensures that enterprises have continuous access to expert guidance, quick issue resolution, and extended end-of-life (EOL) timelines for stability and longevity. 

Default Observability Policies as a starting point. 

Tetragon provides default tracing policies covering core platform and security use cases. These default observability policies have continued to evolve with the needs of the Tetragon community, catering to a broader range of use cases. A good starting place for many teams is to use these policies as they are or adapt them to their specific needs. There is also a growing number of community-curated examples of tracing policies covering various use cases. They can be found in the Tetragon repository on GitHub.

Defense in Depth 

Defense in depth is a security framework that takes a multi-layered approach for more robust security controls. By having multiple layers of observability and enforcement policies across different stages, malicious actors now have to scale through multiple layers of security controls. For example, if one tracing policy is unable to prevent initial access to the environment, another tracing policy can prevent executions or privilege escalations. Platform and security teams can bolster their defenses and improve their security posture by implementing the defense in depth approach. 

Continuous Security Refinement 

Security strategy effectiveness depends on constant refinement. Regular analysis of detection effectiveness helps identify gaps in coverage and areas where policies might be too restrictive or too permissive. As new threats emerge, security teams should update detection policies and enforcement rules to address these new threats. By integrating the threat intelligence ATT&CK offers with the high-fidelity security observability and enforcement Tetragon provides, security and platform teams can stay up to date against ever-evolving adversaries. Most significantly, continuous improvement of false positive handling lowers alert fatigue and increases detection accuracy.

Conclusion

In a nutshell, Tetragon offers a bridge between the deep telemetry it provides and signals, enabling platform and security teams to navigate the complexities of securing modern cloud environments. By leveraging the MITRE ATT&CK framework platform, teams can use this bridge to turn granular security observability into clear, actionable insights about threats. Tetragon’s security observability and runtime enforcement mechanism can be applied to various techniques in the ATT&CK framework. Here is a brief tabular summary of each tactic and how Tetragon fits into the picture. 

While this blog highlighted some common examples, this is far from an exhaustive list. 

If you’d like to learn more about Isovalent Enterprise for Tetragon, Schedule a demo session with an Isovalent Solution Architect.

If you have questions or feedback, reach out via the Tetragon channel on the Cilium slack. 

• Try Tetragon in a hands-on lab, earn a badge, and progress down the Security Engineer Track. 
• Read more about the Tetragon 1.0 release – benchmarks, early use cases, and core principles behind the project.
• Keep up with the Tetragon community via the monthly community meetings.
• Join the Tetragon channel on the Cilium Slack.