Capsule8 Docs

Information Leak Strategies

Information Leak defines a family of strategies containing policies that guard against information gathering and exfiltration. For example, Information Leak can help you discover exfiltration over alternative protocols or audio capture.

How to create an Information Leak Strategy

Every Information Leak strategy belongs to one of three categories, chosen by the kind of technique its policies monitor for:

  • Information Collection: Any exploitation technique that attempts to collect information
  • Information Exfiltration: Any exploitation technique that attempts to exfiltrate information
  • Generic: Any exploitation technique that does not fall within the above categories

Policy types

Information Collection

Strategy          Description
bpfExec           Provides monitoring for attempts to call the BPF subsystem
cloudMetadata     Provides lightweight network-level IP-based policy monitoring for TCP connections to the cloud metadata IP 169.254.169.254
ptrace            Monitors for usage of system calls that are typically used by debuggers or other process injection tools
spectreMeltdown   Monitors for Spectre or Meltdown attacks by monitoring hardware performance counters

Information Exfiltration

Strategy          Description
connect           Provides network-level IP-based policy monitoring for TCP connections
networkService    Monitors newly created network services
sendto            Provides network-level IP-based policy monitoring for TCP connections, comparing the destination IP of outbound TCP connections against its configured filters
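The cloudMetadata, connect and sendto policies all work the same way at the network level: the destination IP of an outbound connection is compared against configured filters. The following is an added illustration of that comparison, not Capsule8's own code; the event fields, the policy shape (deny CIDRs with allow exemptions) and all sample values except the metadata IP are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# The metadata IP is quoted on the page; every other value below is constructed.
CLOUD_METADATA_IP = "169.254.169.254"


@dataclass(frozen=True)
class ConnectEvent:
    """Assumed shape of an outbound TCP connect event."""
    pid: int
    comm: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class IpPolicy:
    """Assumed policy shape: alert on destinations in `deny`, unless in `allow`."""
    name: str
    deny: tuple
    allow: tuple = ()

    def match(self, event):
        """Return the deny CIDR the destination falls in, or None if exempt/unmatched."""
        dst = ipaddress.ip_address(event.dst_ip)
        if any(dst in ipaddress.ip_network(c) for c in self.allow):
            return None
        return next((c for c in self.deny if dst in ipaddress.ip_network(c)), None)


def evaluate(events, policies):
    """Check every event's destination IP against every policy; return alert tuples."""
    alerts = []
    for ev in events:
        for pol in policies:
            cidr = pol.match(ev)
            if cidr is not None:
                alerts.append((pol.name, ev.pid, ev.comm, f"{ev.dst_ip}:{ev.dst_port}", cidr))
    return alerts


# Constructed policies: a cloudMetadata-style rule plus a connect-style egress rule exempting 10.0.0.0/8.
POLICIES = (
    IpPolicy("cloudMetadata", deny=(CLOUD_METADATA_IP + "/32",)),
    IpPolicy("connect-egress", deny=("0.0.0.0/0",), allow=("10.0.0.0/8",)),
)

# Constructed sample events: a metadata probe, normal internal traffic, external egress.
EVENTS = (
    ConnectEvent(4242, "curl", CLOUD_METADATA_IP, 80),
    ConnectEvent(4243, "app", "10.0.0.5", 443),
    ConnectEvent(4244, "python3", "203.0.113.7", 4444),
)
```

Running `evaluate(EVENTS, POLICIES)` raises two alerts for the metadata probe (one per policy), none for the internal connection, and one egress alert for the external destination.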

Default Information Leak Strategies

Strategy Name         Strategy Type
Bitcoin Miner         connect
Process Manipulation  ptrace