Container DFIR Data Sources

In response to a question on data sources in EKS investigations:

Scheduler & Controller logs in S3

Here’s an EKS scenario where we’ve collected and parsed the scheduler and controller logs:


There’s not much in those logs for that particular scenario, but it’s useful to review them side by side with what’s happening inside the container:


Al and Paul did an analysis of what you can see in each data source for that compromise:


Generally the most useful data in the scenarios we’ve tested out has been inside the container, but the approach we’re taking is “collect everything whilst it’s still there, then see what you can get out of it”.

The hardest bit is merging all the data sources and presenting the output side by side in a useful way.

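As an added illustration of that merging step (example code written for this page, not code from the post or from varc), the script below normalises kube-scheduler and kube-controller-manager lines in klog format together with container-side process events into a single time-ordered timeline. The year for klog lines, the container-side record layout and all sample lines are assumptions constructed for the example.

```python
# Added example (not from the original post or the varc project): merge
# control-plane klog lines with container-side events into one timeline.
# All sample log lines below are constructed for illustration.
import re
from datetime import datetime

YEAR = 2023  # assumption: klog lines carry no year, so take it from the collection date

# klog line: I0312 10:15:22.123456 <pid> file.go:123] message
KLOG_RE = re.compile(
    r"^([IWEF])(\d{2})(\d{2}) (\d{2}:\d{2}:\d{2}\.\d+)\s+\d+\s+(\S+)\] (.*)$"
)

def parse_klog(line, source):
    """Parse a kube-scheduler / kube-controller-manager (klog) line; None if not klog."""
    m = KLOG_RE.match(line)
    if not m:
        return None
    level, month, day, clock, origin, msg = m.groups()
    ts = datetime.strptime(f"{YEAR}-{month}-{day} {clock}", "%Y-%m-%d %H:%M:%S.%f")
    return {"ts": ts, "source": source, "detail": f"{level} {origin} {msg}"}

def parse_container(line, source):
    """Parse a constructed container-side record: '<ISO-8601 UTC>\\t<event>'."""
    ts_str, _, msg = line.partition("\t")
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%S.%fZ")
    return {"ts": ts, "source": source, "detail": msg}

def build_timeline(sources):
    """sources: iterable of (name, parser, lines). Returns events sorted by timestamp."""
    events = []
    for name, parser, lines in sources:
        for line in lines:
            ev = parser(line, name)
            if ev:  # skip lines the parser does not understand
                events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events

# Constructed samples: control-plane lines as pulled from the log archive,
# container events as captured inside the running container.
CONTROLLER = ['I0312 10:15:21.900000       1 replica_set.go:577] "Too few replicas" replicaSet="default/web" need=1 creating=1']
SCHEDULER = ['I0312 10:15:22.100000       1 schedule_one.go:252] "Successfully bound pod to node" pod="default/web-7f9" node="ip-10-0-1-23"',
             'not a klog line']
CONTAINER = ["2023-03-12T10:15:40.000000Z\tnew process: /tmp/xmrig -c /tmp/config.json"]

def demo():
    return build_timeline([("controller", parse_klog, CONTROLLER),
                           ("scheduler", parse_klog, SCHEDULER),
                           ("container", parse_container, CONTAINER)])

if __name__ == "__main__":
    for e in demo():
        print(f"{e['ts'].isoformat()}  {e['source']:<10}  {e['detail']}")
```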

Memory Analysis of Containers

We’ve open-sourced most of how we do memory in containers now. The code and some example output are at https://github.com/cado-security/varc.

It’s pretty fun to, for example, dump xmrig and see its config files in memory, and this avoids the need to build memory profiles on potentially malicious infrastructure.


Eli Markovetski

We assist companies to go global, find relevant business partners & manage new global business opportunities.

2 years

Hi Christopher, it's very interesting! I will be happy to connect.
