Home » About the Nano Agent

About the Spyderbat Nano Agent

  1. How does Spyderbat collect data?

    Spyderbat collects data by deploying a lightweight “Nano Agent” for Linux based systems.  The agent leverages eBPF (“extended Berkeley Packet Filter”) filters to build a continuous map of activity within and across systems.

  2. Why do I need to install an agent?

    Existing endpoint agents and system logs do not include the necessary information required by Spyderbat to build a complete, living map of causal activity within and across systems. Spyderbat’s Nano Agent is optimized to collect this information so that analysts can see the complete causal attack picture across systems, users, and time.

  3. What is the impact of the Spyderbat Nano Agent on the system?

    Spyderbat has observed minimal impact on system resources (CPU, memory), and minimal network bandwidth impact due to heavy compression.

  4. What systems are currently supported?

    Spyderbat currently supports the following Linux systems:

    AlmaLinux 8.4 x86_64
    AlmaLinux 9 x86_64
    Amazon Linux 2 x86_64 / ARM64
    Amazon Linux 2022 x86_64 / ARM64
    CentOS 7 up to 7.6 (with El Repo LT) x86_64
    CentOS 7.6+ (with Kernel 3.10.0-957+) x86_64
    CentOS 8 x86_64
    Debian 10 x86_64
    Kali 2021.2 x86_64
    RHEL 7.6+ (with Kernel 3.10.0-957+) x86_64
    RHEL 8 x86_64
    RHEL 9 x86_64
    Rocky Linux 8 x86_64
    Rocky Linux 9 x86_64
    Sangoma 16 (with El Repo LT) x86_64
    Ubuntu 18.04. LTS x86_64
    Ubuntu 20 Desktop x86_64
    Ubuntu 20.04 LTS x86_64 / ARM64
    Ubuntu 20.10 x86_64

  5. What are the Nano Agent’s network requirements?

    Ensure that the systems running the Nano Agent have outbound access on port 443 to https://orc.spyderbat.com.

  6. Does the Nano Agent support network proxies?

    Yes. If you have a proxy configured and you have Linux environment variables like:

        https_proxy=https://address:port

    The installation script will automatically grab the environment variables from your terminal using the “-E” flag and pass those to the agent as required.

  7. Is information sent securely from the Nano Agent?

    Yes. Spyderbat securely encrypts information sent by the Nano Agent to the Spyderbat backend using TLS.

  8.  Does the Nano Agent support systems hosted in AWS?

    The Nano Agent can be installed on any of the supported systems listed above as virtual or physical machines. Additionally, the Nano Agent collects metadata from AWS instances such as Cloud Tags, Region, Zone etc. To collect this metadata, ensure your AWS instances have an appropriate IAM (read only) role assigned to them such as “AmazonEC2ReadOnlyAccess”, see https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/security-iam-awsmanpol.html

  9. How do I start and stop the Nano Agent from the command line?

    To start the Nano Agent:

      sudo systemctl stop nano_agent.service

    To stop the Nano Agent:

      sudo systemctl start nano_agent.service

Solutions

Use cases