How does Prisma Cloud Compute detect cryptominers?
Created On 09/13/23 06:04 AM - Last Modified 04/16/24 19:39 PM
Question
- How does Prisma Cloud Compute detect cryptominers?
- When does Prisma Cloud prevent them, and when does it block them?
Environment
- Prisma Cloud Compute
- SaaS / Self-hosted
- Cryptominers
Answer
- Prisma Cloud Compute runs a set of simple checks on processes as they start, focusing on the binary name and its command-line arguments.
- If a cryptominer is detected at this stage (for example, xmrig), execution is prevented before the process runs.
- The second method is behavioral analysis: sustained high CPU usage, network activity, and overall resource consumption are used to identify suspicious candidates for cryptominers.
- In summary, two types of checks are employed: simple checks and behavioral analysis.
- Here is how this fits into the container lifecycle.
- When a container starts, the simple check is applied to its processes.
- Processes that pass the simple check are subjected to behavioral analysis if they are flagged as potential threats.
- For a container that is already running, new processes are monitored and the simple checks are applied as each one starts.
- This approach lets Prisma Cloud catch cryptominers that are launched later in a container's life. Processes that are not identified by the simple checks proceed to behavioral analysis if deemed suspicious.
- With this procedure, Prisma Cloud can consistently prevent cryptominer activity during the initial simple checks, because at that point the process has not yet started.
- Once a process passes the simple checks, prevention is no longer possible, as the process is already running.
- Behavioral analysis is then used, which can block the process or issue alerts.
- Part of the behavioral checks involves tracking instances where a potential cryptominer process forks itself and subsequently terminates.
- Prisma Cloud Compute monitors all processes and generates audit messages for detections.
- Network traffic monitoring is also part of the behavioral analysis.
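The following is an added example and not Prisma Cloud's own code: a small Python model of the two-stage logic described in the answer above, with a simple name/argument check at process start (verdict "prevent") followed by a behavioral score for processes that are already running, based on sustained CPU, connections to mining-pool ports and fork-then-exit (verdict "block" or "alert"). The indicator lists, port numbers, thresholds and the sample process events are assumptions constructed for illustration and are not Prisma Cloud's actual signatures or tuning.

```python
"""Two-stage cryptominer detection over constructed process events.

Stage 1 (simple check at process start): match the binary name and the
command-line arguments against miner indicators; verdict "prevent".
Stage 2 (behavioral, for processes already running): score sustained CPU,
mining-pool network activity and fork-then-exit; verdict "block" or "alert".
All indicators and sample events below are constructed for this example.
"""
import re
from dataclasses import dataclass, field

# Stage 1 indicators (illustrative, not Prisma Cloud's signature set).
KNOWN_MINER_BINARIES = {"xmrig", "minerd", "cpuminer", "ethminer", "nbminer"}
MINER_ARG_PATTERNS = [
    re.compile(r"stratum\+(tcp|ssl)://", re.I),      # pool protocol URL
    re.compile(r"--(donate-level|coin|algo)\b", re.I),  # typical miner flags
    re.compile(r"(^|\s)-o\s+\S+:\d{4,5}\b"),          # -o pool:port
]

# Stage 2 indicator: common stratum pool ports (illustrative).
MINING_POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 14444}


@dataclass
class ProcessEvent:
    """One observed process. cpu_pct/dst_ports/forked_then_exited are
    filled in only once the process has been running for a while."""
    pid: int
    binary: str
    cmdline: str
    cpu_pct: float = 0.0                               # avg CPU over the window
    dst_ports: list = field(default_factory=list)     # outbound ports seen
    forked_then_exited: bool = False                   # forked a child, then exited


def simple_check(ev):
    """Stage 1: runs before the process is allowed to start.
    Returns (verdict, reason); verdict is "prevent" or "allow"."""
    name = ev.binary.rsplit("/", 1)[-1].lower()
    if name in KNOWN_MINER_BINARIES:
        return "prevent", f"known miner binary: {name}"
    for pat in MINER_ARG_PATTERNS:
        if pat.search(ev.cmdline):
            return "prevent", f"miner-style argument: {pat.pattern}"
    return "allow", "no static indicator"


def behavioral_score(ev):
    """Stage 2: scores a running process; returns (score, reasons)."""
    score, reasons = 0, []
    if ev.cpu_pct >= 90:
        score += 2
        reasons.append(f"sustained CPU {ev.cpu_pct:.0f}%")
    if any(p in MINING_POOL_PORTS for p in ev.dst_ports):
        score += 2
        reasons.append("outbound connection to mining-pool port")
    if ev.forked_then_exited:
        score += 1
        reasons.append("forked a child and then exited")
    return score, reasons


def behavioral_verdict(ev, block_threshold=3, alert_threshold=1):
    """Map the behavioral score to "block", "alert" or "none".
    A single weak signal (e.g. high CPU alone) only alerts, because the
    process is already running and blocking it on one signal risks
    killing legitimate CPU-heavy workloads."""
    score, reasons = behavioral_score(ev)
    if score >= block_threshold:
        return "block", reasons
    if score >= alert_threshold:
        return "alert", reasons
    return "none", reasons


def evaluate(ev):
    """Full lifecycle: simple check at start, behavioral analysis if it passes."""
    verdict, reason = simple_check(ev)
    if verdict == "prevent":
        return verdict, [reason]
    return behavioral_verdict(ev)


# Constructed sample events: an obvious miner, a benign app, a renamed
# miner that only shows up behaviorally, and a CPU-heavy legitimate job.
SAMPLE_EVENTS = [
    ProcessEvent(101, "/tmp/xmrig", "xmrig -o pool.example:3333 -u wallet"),
    ProcessEvent(102, "/usr/bin/python3", "python3 app.py"),
    ProcessEvent(103, "/tmp/.x/kthreadd", "kthreadd", cpu_pct=97.0,
                 dst_ports=[14444], forked_then_exited=True),
    ProcessEvent(104, "/usr/bin/ffmpeg", "ffmpeg -i in.mp4 out.mkv",
                 cpu_pct=95.0, dst_ports=[443]),
]


def run_all(events=SAMPLE_EVENTS):
    """Return {pid: verdict} for a list of events."""
    return {ev.pid: evaluate(ev)[0] for ev in events}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict, reasons = evaluate(ev)
        print(f"pid={ev.pid} {ev.binary}: {verdict} ({'; '.join(reasons)})")
```

The renamed miner (pid 103) passes the simple check, so it can only be blocked, not prevented, once its CPU, pool traffic and fork-then-exit behavior accumulate; the ffmpeg job (pid 104) shows why high CPU alone should raise an alert rather than a block.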