Core Capabilities (Detection & Blocking)

Jibril, as the engine powering the Garnet Platform, offers a rich set of capabilities for monitoring system behavior, detecting threats, and actively blocking malicious activities. These capabilities are surfaced and managed through the Garnet Platform.

Key capabilities include:

1. Comprehensive System Monitoring & Telemetry

Jibril provides deep visibility into various aspects of a Linux system:

User Activity: Tracks user sessions, privilege escalations (sudo), and user-attributable actions.
Process Activity: Monitors process creation (execve, fork), termination, arguments, parent-child relationships (process ancestry), and inter-process communication signals.
File System Activity: Observes file access (reads, writes), modifications, creations, deletions, permission changes (chmod), and ownership changes (chown) across the file system.
Network Activity: Captures details of network connections (TCP, UDP, ICMP), including:
- Inbound/outbound connections.
- Source and destination IP addresses and ports.
- DNS queries and resolutions.
- This is crucial for detecting malicious network calls like C2 communication or data exfiltration attempts.

2. Advanced Behavioral Detection

Jibril goes beyond simple signature matching by employing behavioral analysis and threat intelligence to identify suspicious activities:

Known Threat Detection: Detects signatures and indicators of known malware, including crypto miners, rootkits, and specific attack tools.
Anomalous Behavior Detection: Identifies deviations from normal or expected behavior, such as:
- Anomalous network connections (e.g., to unexpected geo-locations, known malicious IPs/domains, or using unusual ports/protocols).
- Suspicious process execution chains (e.g., a web server spawning a shell).
- Unauthorized access to sensitive files or directories (e.g., credential files, configuration files).
- Privilege escalation attempts.
- Tampering with system binaries or critical configuration files.
Rule-Based Detections: Utilizes a comprehensive set of built-in detection rules that cover a wide range of tactics, techniques, and procedures (TTPs) used by attackers.
Threat Intelligence Integration: Can leverage threat intelligence feeds (often managed by the Garnet Platform) to identify connections to known malicious infrastructure or use of known bad IOCs (Indicators of Compromise).

3. Active Blocking & Prevention

A key differentiator for Jibril and the Garnet Platform is the ability to actively block detected threats in real-time, not just alert on them. This significantly enhances security posture by preventing attacks from succeeding or limiting their impact.

Policy-Driven Blocking: Blocking actions are typically governed by policies configured within the Garnet Platform.
Types of Blocking Actions (Examples):
- Network Connection Blocking: Prevent outbound connections to malicious IPs/domains (e.g., blocking C2 server communication, connections to crypto mining pools).
- Process Termination: Kill processes identified as malicious (e.g., stopping a crypto miner, terminating a reverse shell).
- File Access Blocking: Potentially prevent unauthorized writes to critical files (depending on policy and capability).
Low-Overhead Implementation: Even with blocking enabled, Jibril is designed to maintain its low performance overhead, making active prevention practical in production.

4. Rich Contextual Information for Alerts

When a detection is made, Jibril (via the Garnet Platform) provides rich contextual information to aid in investigation and response:

Detailed process information (PID, command line, user, parent process).
Full network flow details.
File access specifics.
Process ancestry to understand how a threat originated.

This comprehensive set of capabilities allows the Garnet Platform to provide robust, lifecycle-wide security, from detecting threats in CI/CD pipelines to actively blocking attacks in production environments, with a special focus on critical threats like malicious network activity and crypto miners.

Last updated 17 days ago

1. Comprehensive System Monitoring & Telemetry

Jibril provides deep visibility into various aspects of a Linux system:

User Activity: Tracks user sessions, privilege escalations (sudo), and user-attributable actions.

Process Activity: Monitors process creation (execve, fork), termination, arguments, parent-child relationships (process ancestry), and inter-process communication signals.

File System Activity: Observes file access (reads, writes), modifications, creations, deletions, permission changes (chmod), and ownership changes (chown) across the file system.

Network Activity: Captures details of network connections (TCP, UDP, ICMP), including:

Inbound/outbound connections.
Source and destination IP addresses and ports.
DNS queries and resolutions.
This is crucial for detecting malicious network calls like C2 communication or data exfiltration attempts.

2. Advanced Behavioral Detection

Jibril goes beyond simple signature matching by employing behavioral analysis and threat intelligence to identify suspicious activities:

Known Threat Detection: Detects signatures and indicators of known malware, including crypto miners, rootkits, and specific attack tools.

Anomalous Behavior Detection: Identifies deviations from normal or expected behavior, such as:

Anomalous network connections (e.g., to unexpected geo-locations, known malicious IPs/domains, or using unusual ports/protocols).
Suspicious process execution chains (e.g., a web server spawning a shell).
Unauthorized access to sensitive files or directories (e.g., credential files, configuration files).
Privilege escalation attempts.
Tampering with system binaries or critical configuration files.

Rule-Based Detections: Utilizes a comprehensive set of built-in detection rules that cover a wide range of tactics, techniques, and procedures (TTPs) used by attackers.

Threat Intelligence Integration: Can leverage threat intelligence feeds (often managed by the Garnet Platform) to identify connections to known malicious infrastructure or use of known bad IOCs (Indicators of Compromise).

3. Active Blocking & Prevention

Policy-Driven Blocking: Blocking actions are typically governed by policies configured within the Garnet Platform.

Types of Blocking Actions (Examples):

Network Connection Blocking: Prevent outbound connections to malicious IPs/domains (e.g., blocking C2 server communication, connections to crypto mining pools).
Process Termination: Kill processes identified as malicious (e.g., stopping a crypto miner, terminating a reverse shell).
File Access Blocking: Potentially prevent unauthorized writes to critical files (depending on policy and capability).

Low-Overhead Implementation: Even with blocking enabled, Jibril is designed to maintain its low performance overhead, making active prevention practical in production.

4. Rich Contextual Information for Alerts

When a detection is made, Jibril (via the Garnet Platform) provides rich contextual information to aid in investigation and response:

Detailed process information (PID, command line, user, parent process).

Full network flow details.

File access specifics.

Process ancestry to understand how a threat originated.

(Explore the full list of Jibril's specific detections and a more detailed feature set in the .)