登录查看更多内容

Incident Response in Docker, Kubernetes and Amazon EKS Environments

Christopher Doman

Co-Founder/CTO at Cado Security - Cloud Forensics & Incident Response

发布日期: 2021年9月18日

Looking for a weekend DFIR read? We've released a free whitepaper on responding to attacks in Docker, Kubernetes and AWS EKS environments.

You can get the full whitepaper on our website - but a few highlights are below.

Check out the docker logs, typically under /var/lib/containers/*id*/*id-json.log to see records of containers spinning up and down:

There are a bunch of different possible file systems for Docker/Kubernetes - but these days it's most likely going to be overlay2 - which is pretty easy to browse:

For EKS - Amazon stores a ton of information in S3 - if enabled. It's a slightly odd mix of JSON, CSV often compressed into .gz. You can parse and alert/investigate on them.

Narghiza E.

Finance Executive

3 年

another amazing post! Thank you

要查看或添加评论，请登录

Christopher Doman的更多文章

Container DFIR Data Sources

2022年12月11日

Container DFIR Data Sources

In response to a question on data sources in EKS investigations - Scheduler & Controller logs in S3 Here’s an EKS…

1 条评论
Automating Incident Response in AWS with Guard Duty & Lambda

2022年2月4日

Automating Incident Response in AWS with Guard Duty & Lambda

I had a quick play today Automating Investigations in response to AWS GuardDuty Detections. Malware > Guard Duty >…

1 条评论
New Playbook on Responding to Mining Malware in Linux Container and Cloud Environments

2022年1月11日

New Playbook on Responding to Mining Malware in Linux Container and Cloud Environments

We've released a new playbook! This time specifically on responding to Linux instances compromised by mining malware…
Lets do a Ten Minute Triage of a honeypot Apache Solr box that got popped with the #Log4J / #Log4Shell exploit #CVE-2021-44228

2021年12月11日

Lets do a Ten Minute Triage of a honeypot Apache Solr box that got popped with the #Log4J / #Log4Shell exploit #CVE-2021-44228

Lets do a quick ten minute triage of a honeypot Apache Solr box that got popped with the #Log4J / #Log4Shell exploit…

2 条评论
Testing out the new Amazon Inspector Vulnerability Management Tool

2021年12月2日

Testing out the new Amazon Inspector Vulnerability Management Tool

The most interesting security announcement from this week’s #awsreinvent is the new version of Amazon Inspector - a…
Resources for DFIR Professionals Responding to the REvil Ransomware Kaseya Supply Chain Attack

2021年7月3日

Resources for DFIR Professionals Responding to the REvil Ransomware Kaseya Supply Chain Attack

We've released a number of tools and information to help DFIR analysts responding to the #REvil / #Kaseya saga this…
Introducing Cado Live - A Free Tool to Image Compromised Systems to the Cloud

2020年5月29日

Introducing Cado Live - A Free Tool to Image Compromised Systems to the Cloud

We’re excited to be releasing our first free product to the security community! Cado Live is a bootable operating…

See all articles

Incident Response in Docker, Kubernetes and Amazon EKS Environments

Christopher Doman

Co-Founder/CTO at Cado Security - Cloud Forensics & Incident Response

Christopher Doman的更多文章

社区洞察

其他会员也浏览了

Ingress Controllers (NGINX, Traefik, HAProxy) – Traffic Routing in Kubernetes

Kubernetes-101: Services

Automated CI/CD Pipeline for Spring Boot Application Deployment and Scaling on AWS EKS with GitLab

What is Kyverno?

Hello world!

Installing Minikube (Local K8S) In 3 Easy Steps

Quick Fix for Location Constraints for S3 CreateBucket API

?? Leveraging FOR Loops in Infra as Code (IaC): A VPC Endpoints Terraform Example

Enhancing Real-Time Notifications with AWS Lambda and Slack

Rewritten Terraform modules up to 0.12.x

Christopher Doman的更多文章

Container DFIR Data Sources

Automating Incident Response in AWS with Guard Duty & Lambda

New Playbook on Responding to Mining Malware in Linux Container and Cloud Environments

Lets do a Ten Minute Triage of a honeypot Apache Solr box that got popped with the #Log4J / #Log4Shell exploit #CVE-2021-44228

Testing out the new Amazon Inspector Vulnerability Management Tool

Resources for DFIR Professionals Responding to the REvil Ransomware Kaseya Supply Chain Attack

Introducing Cado Live - A Free Tool to Image Compromised Systems to the Cloud

社区洞察

其他会员也浏览了

Ingress Controllers (NGINX, Traefik, HAProxy) – Traffic Routing in Kubernetes

Kubernetes-101: Services

Automated CI/CD Pipeline for Spring Boot Application Deployment and Scaling on AWS EKS with GitLab

What is Kyverno?

Hello world!

Installing Minikube (Local K8S) In 3 Easy Steps

Quick Fix for Location Constraints for S3 CreateBucket API

?? Leveraging FOR Loops in Infra as Code (IaC): A VPC Endpoints Terraform Example

Enhancing Real-Time Notifications with AWS Lambda and Slack

Rewritten Terraform modules up to 0.12.x