Dynamic DNS & Falco: detecting unexpected network activity
Blog post from Sysdig
Harry Perks discusses how Falco, the open-source behavioral monitoring tool that inspects system calls, can detect unexpected network activity through custom rules. Falco rules are built from conditions on syscall events; for network connections this means matching on connect (and, for UDP, sendto/sendmsg) events and using macros to select outbound connections while excluding loopback and RFC 1918 destinations.

The difficulty with such rules is dynamic DNS: a rule that hardcodes the IP addresses of permitted destinations silently goes stale as soon as those addresses change, and maintaining an allow list of IPs does not scale. To address this, Sysdig's engineering team added new filter checks in Falco 0.24.0 that accept domain names instead of IP addresses. Falco resolves the names and keeps the resolution current, so the rule compares the connection's endpoint against the addresses the trusted names resolve to at the time of the event rather than against a fixed list.

With these checks, users can define a set of trusted domain names and alert on any connection whose destination is outside that set. Combined with Sysdig Secure, the same rule can be scoped to specific parts of the infrastructure, such as a single Kubernetes deployment, so that each workload gets a tailored allow list of destinations. The article closes by emphasizing the power of system calls as a data source for intrusion detection and invites users to share their experiences with Falco.
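The following Falco rule file is an added example of the approach described above; it is not taken from the Sysdig post or from Falco's default rule set. It relies on the fd.sip.name filter check (one of the domain-name checks introduced in Falco 0.24.0) and uses its own list and macro names (trusted_domains, outbound_tcp_udp, local_or_private_destination), which are assumptions of this example, as are the two domain names used as sample allow-list entries.

```yaml
# Added example, not part of the original post or of Falco's default rules.
# Requires Falco >= 0.24.0 for the fd.sip.name filter check.

# Destinations that a workload is expected to talk to (sample entries).
- list: trusted_domains
  items: [api.example.com, registry.example.com]

# Private ranges excluded from the check; same shape as Falco's own list.
- list: rfc_1918_addresses
  items: ['"10.0.0.0/8"', '"172.16.0.0/12"', '"192.168.0.0/16"']

# Outbound connect() that succeeded or is in progress, over IPv4 or IPv6.
- macro: outbound_tcp_udp
  condition: >
    evt.type = connect and evt.dir = < and
    (fd.typechar = 4 or fd.typechar = 6) and
    (evt.rawres >= 0 or evt.res = EINPROGRESS)

# Loopback, unspecified and RFC 1918 server addresses are not of interest.
- macro: local_or_private_destination
  condition: >
    fd.sip = "0.0.0.0" or
    fd.snet = "127.0.0.0/8" or
    fd.snet in (rfc_1918_addresses)

# Alert when the server address of an outbound connection does not belong
# to any of the trusted domain names. fd.sip.name is the domain name Falco
# associates with the server IP, so the comparison tracks DNS changes
# instead of a hardcoded IP list.
- rule: Outbound Connection to Untrusted Domain
  desc: >
    An outbound network connection was made to a server whose address does
    not resolve to one of the domains listed in trusted_domains.
  condition: >
    outbound_tcp_udp and
    not local_or_private_destination and
    not fd.sip.name in (trusted_domains)
  output: >
    Outbound connection to untrusted destination
    (command=%proc.cmdline connection=%fd.name server_name=%fd.sip.name
     user=%user.name container=%container.name
     image=%container.image.repository)
  priority: NOTICE
  tags: [network]
```

Two caveats when deploying a rule of this kind. The match is made on the destination IP and the names it is associated with, so an endpoint that shares an address with a trusted name (for example behind the same CDN or load balancer) will be treated as trusted; the allow list should therefore be as specific as the infrastructure permits. Conversely, a trusted service that adds a new address between resolution refreshes can briefly trigger the rule, so start with a NOTICE priority and review alerts before turning them into a blocking policy.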