The growing complexity of cyber attacks calls for tools that provide deep and timely visibility at the operating-system level while keeping the performance impact low and preserving the forensic value of the data they collect.
In this context, eBPF (extended Berkeley Packet Filter) is emerging as a valuable tool for Digital Forensics & Incident Response (DFIR): it lets custom programs run directly in the Linux kernel, checked by the in-kernel verifier before they are loaded and without the need for kernel modules.
This paper explores the potential of eBPF in DFIR, with a focus on two main directions:
- advanced observability: tracking critical activities such as SSH sessions, executed commands and changes of user identity, while ensuring completeness and integrity of the telemetry;
- proactive defence: control mechanisms that block connections to malicious IP addresses, turning event collection into a means of immediate reaction.
The proposed solution combines forensic-readiness requirements (accurate timestamps, integrity of the records and the RFC 5424 syslog format) with operational security features, laying the foundation for a DFIR approach that is faster, more reliable and can be integrated with SOC and SIEM tooling.
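The module below is an added illustration, not code from the paper or from Tinexta Defence. It covers the two directions above and the forensic-readiness points in one piece: an assumed BCC tracepoint program (EXEC_BPF) collects execve events and stamps them in the kernel; the blocklist decision mirrors what an assumed cgroup/connect4 hook (not shown) would enforce from a BPF map that userspace fills from BLOCKLIST; and the userspace side serialises each event as an RFC 5424 record with a microsecond UTC timestamp, properly escaped structured-data parameters and a SHA-256 hash chain so that an edited, dropped or reordered record is detectable. The hostname, app name, the documentation enterprise number 32473 in the SD-IDs, the TEST-NET-3 blocklist entry and the sample events are all constructed for the example.

```python
import hashlib
import re
import time
from datetime import datetime, timezone

APP_NAME, HOSTNAME = "ebpf-dfir", "sensor01"   # assumed identifiers for the example
FACILITY_AUDIT = 13                             # RFC 5424 facility 13 = log audit
SEV_WARNING, SEV_INFO = 4, 6
BLOCKLIST = {"203.0.113.7"}                     # TEST-NET-3 placeholder, not a real IOC
GENESIS = "0" * 64                              # prev-hash carried by the first record

# Observability side (assumed BCC program): one event per execve, timed in the kernel.
EXEC_BPF = r"""
struct exec_evt { u64 ts_mono; u32 pid; u32 uid; char comm[16]; char filename[128]; };
BPF_PERF_OUTPUT(exec_events);
TRACEPOINT_PROBE(syscalls, sys_enter_execve) {
    struct exec_evt e = {};
    e.ts_mono = bpf_ktime_get_ns();               /* CLOCK_MONOTONIC, taken in the kernel */
    e.pid = bpf_get_current_pid_tgid() >> 32;
    e.uid = bpf_get_current_uid_gid();            /* low 32 bits = uid */
    bpf_get_current_comm(&e.comm, sizeof(e.comm));
    bpf_probe_read_user_str(&e.filename, sizeof(e.filename), args->filename);
    exec_events.perf_submit(args, &e, sizeof(e));
    return 0;
}
"""

def decide(event):
    """Policy mirrored by the in-kernel connect hook: block connects to blocklisted IPs."""
    if event["type"] == "connect" and event.get("daddr") in BLOCKLIST:
        return "block"
    return "allow"

def rfc5424_timestamp(ns):
    """Wall-clock nanoseconds -> RFC 5424 TIMESTAMP with six fractional digits (integer maths, no float drift)."""
    dt = datetime.fromtimestamp(ns // 1_000_000_000, tz=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + ".%06dZ" % ((ns % 1_000_000_000) // 1000)

def sd_escape(value):
    """RFC 5424 PARAM-VALUE escaping: backslash, double quote and ']' get a backslash."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def to_rfc5424(event, prev_hash):
    """Serialise one event; returns (record, sha256 of record) so the caller can chain the next one."""
    verdict = decide(event)
    pri = FACILITY_AUDIT * 8 + (SEV_WARNING if verdict == "block" else SEV_INFO)
    params = " ".join(f'{k}="{sd_escape(v)}"' for k, v in event.items()
                      if k not in ("type", "ts_ns", "pid"))       # these already sit in the header
    sd = f'[evt@32473 {params} verdict="{verdict}"][chain@32473 prev="{prev_hash}"]'
    line = (f'<{pri}>1 {rfc5424_timestamp(event["ts_ns"])} {HOSTNAME} {APP_NAME} '
            f'{event["pid"]} {event["type"].upper()} {sd}')          # optional MSG part omitted
    return line, hashlib.sha256(line.encode()).hexdigest()

def emit_chain(events):
    """Serialise events in order, each record carrying the hash of the previous one."""
    lines, prev = [], GENESIS
    for ev in events:
        line, prev = to_rfc5424(ev, prev)
        lines.append(line)
    return lines

_PREV = re.compile(r'\[chain@32473 prev="([0-9a-f]{64})"\]')

def verify_chain(lines):
    """Recompute the chain: an edited, dropped or reordered record breaks it."""
    expected = GENESIS
    for line in lines:
        m = _PREV.search(line)
        if not m or m.group(1) != expected:
            return False
        expected = hashlib.sha256(line.encode()).hexdigest()
    return True

# Constructed sample events, shaped like what the collector reads from the kernel.
SAMPLE_EVENTS = [
    {"type": "exec", "ts_ns": 1_700_000_000_123_456_789, "pid": 4241, "uid": 1000,
     "comm": "bash", "argv": 'sh -c "echo ]"'},
    {"type": "setuid", "ts_ns": 1_700_000_000_223_456_789, "pid": 4241, "uid": 1000, "new_uid": 0},
    {"type": "connect", "ts_ns": 1_700_000_000_323_456_789, "pid": 4242, "uid": 0,
     "daddr": "203.0.113.7", "dport": 443},
]

def main():
    """Live mode (root, BCC installed): stream real execve events as chained records."""
    from bcc import BPF                           # imported here so the rest runs without BCC
    b = BPF(text=EXEC_BPF)
    mono_to_wall = time.time_ns() - time.monotonic_ns()   # kernel CLOCK_MONOTONIC -> wall clock
    prev = GENESIS

    def on_event(cpu, data, size):
        nonlocal prev
        e = b["exec_events"].event(data)
        ev = {"type": "exec", "ts_ns": e.ts_mono + mono_to_wall, "pid": e.pid, "uid": e.uid,
              "comm": e.comm.decode(errors="replace"), "filename": e.filename.decode(errors="replace")}
        line, prev = to_rfc5424(ev, prev)
        print(line)

    b["exec_events"].open_perf_buffer(on_event)
    while True:
        b.perf_buffer_poll()

if __name__ == "__main__":
    main()
```

Run it as root on a host with BCC to see live records; without BCC, `emit_chain(SAMPLE_EVENTS)` and `verify_chain(...)` exercise the formatting and integrity logic offline. Two design points carry the forensic value: the timestamp is taken in the kernel at the moment of the syscall and only converted to wall-clock time in userspace, so collector latency does not shift it; and because each record embeds the hash of its predecessor, a SIEM can re-verify the whole stream without trusting the sensor, provided the first hash is recorded out of band.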
The results show that eBPF can be a strategic technology for the next generation of investigation and response tools, and they open research and development directions in container security, multi-event correlation and machine-learning applications for kernel-level anomaly detection.
If you wish to learn more, here is the link to our full study, available in Italian and in English.
You can also subscribe to the Cyber Studios by Tinexta Defence mailing list to receive updates on upcoming research: