
· 6 min read
Quentin Jerome

Introduction

io_uring is a cutting-edge feature available in the Linux kernel since version 5.1. It revolutionizes input/output (I/O) operations by enabling asynchronous processing. By utilizing shared ring buffers between user space and the kernel, io_uring minimizes system calls and context switches, significantly reducing latency and improving throughput. This makes it ideal for high-performance applications such as databases, web servers, and real-time data processing systems. With support for a wide range of I/O operations and flexible polling mechanisms, io_uring offers unparalleled efficiency and scalability, making it a game-changer in I/O performance optimization.

In this blog post, we will explore how io_uring works, its security implications, and how tools like Kunai can monitor io_uring operations.

· 5 min read
Quentin Jerome

In the complex field of incident response, effective training for Security Operations Center (SOC) operators is critical. One of the key challenges in SOC training is providing realistic, data-driven environments that accurately simulate the threats and incidents operators will face. Additionally, detection engineers need reliable and actionable data to create robust detection rules that align with real-world security monitoring systems. However, gathering and analyzing real-world malware samples, which is essential to this process, can be time-consuming and prone to errors when done manually.

· 9 min read

MISP is an open-source cyber-threat information sharing platform that has been adopted by many industry actors in recent years. Organizations usually use it to exchange information about their own IT security incidents or about their Cyber Threat Intelligence (CTI) activities. A MISP instance that is well connected with other instances can therefore quickly become a real gold mine containing a massive number of Indicators of Compromise (IoCs). By their nature, IoCs are very specific and can be used to quickly identify compromised systems. In this blog post we are going to detail how to easily use IoCs stored in a MISP instance to configure Kunai for real-time compromise detection.

· 15 min read
Quentin Jerome

This blog post is meant to give an insight into how to use Kunai for detection engineering.

For those who didn't have the opportunity to attend the Kunai workshop at the Hack.lu 2023 edition, this is a way to catch up on a big part of what we did during that session. For those who actually attended the workshop, it is worth a read anyway, because the post goes into more detail than we could cover in the limited time available.