jicowan
commented
3 years ago Don’t panic Don’t exec into the container, alert the attacker that you know Prevention Collection
- logs
- sources: OS, network, container, audit logs, infrastructure
- disk
- create disk snapshot
- docker-explorer, analysis of offline containers, mount file system
- checkpoint, pause
- historical information
- Sysdig Detection Remediation
- Isolate (cordon, network policy)
- Alert
- Pause
- Restart
Incident response plan, know what steps to take, who to contact, how to recover
Describe the best practice Customers want additional information about how to do a forensics investigation involving containers.
This is an evolving space. Performing a forensics against a container is challenging because containers are oftentimes ephemeral; by the time you realize a container has been compromised, the container has been replaced. You can compensate for this by running software that warns of suspicious behavior while the container is running, but additional guidance is necessary to capture evidence of a breach.