Skip to content
Product
Icon-Platform
Platform

Explore the core capabilities of the Cado Platform.

 Icon-Environments
Environments

Discover the broad support that the Cado platform offers.

 Icon-Integrations
Integrations

Learn how the Cado platform integrates into your broader ecosystem.
Solutions
Use Cases
Icon-Cross-Cloud Investigations
Cross Cloud Investigations

Respond to incidents identified in AWS, Azure, and GCP in a single pane of glass.

 Icon-Container-Investigations
Container & K8s Investigations

Perform container investigations in EKS, AKS, GKE, and Kubernetes.

 Icon-Endpoint-Triage
Endpoint Triage

Automate endpoint triage for immediate insights and quick escalation.

 Icon-BEC-Compromise
BEC Investigations

Analyze critical SaaS logs to investigate Business Email Compromise.

 Icon-Incident-Containment
Attack Containment

Perform response actions to prevent incident damage and spread.

 Icon-Incidident-Response Preparedness-II
Incident Response Preparedness

Continuously assess and optimize your incident response program.
Cado For
Enterprise
MSSPs
Partners
Government
Resources
Icon-Blog
Blog

Timely commentary from the Cado Security team.

 Icon-Playbook
Playbooks

Best practices for investigating and responding to threats.

Icon-Report
Reports

Key threat discoveries by the Cado Security Labs team.

 Icon-Cheat-Sheet
Cheat Sheets

Quick tips for investigating and responding to incidents.

 Icon-News
News

The latest Cado company announcements, press, and more.

 Icon-Community
Community

Access to our free edition of the Cado platform.

 Icon-documentation
Documentation

Technical documentation on how to best leverage the Cado platform.

 White Paper 80x80
Wiki

Everything you need to know about cloud security and cloud forensics.

Company
Icon-About
About

Learn more about the Cado Security mission, vision, and team.

 Icon-Careers
Careers

Check out current career opportunities at Cado Security.
Get a Demo
    Get a Demo
      curve design on left cloud image

      AWS EKS Incident Response

      Written by: jbowen@cadosecurity.com

      Organizations have increasingly adopted a container-based and serverless approach to allow for greater efficiency, agility, and cost savings. However, the ephemeral and dynamic nature of such resources makes investigations extremely challenging. 

      This blog covers best practices and useful resources when responding to incidents in AWS EKS. 

      If you’ve identified a potentially compromised container in EKS, there are two potential ways forward: 

      • If the container is running on an underlying EC2, refer to the suggested steps for AWS EC2 incident response.

      • If the container is running on Fargate, then collect any data required for later analysis before subsequently suspending it.

      Community Resources

      kube-forensics allows a cluster administrator to dump the current state of a running pod and all its containers so that security professionals can perform off-line forensic analysis.

      Official AWS Resources

      AWS provides advice on incident response and forensics in their EKS Best Practices documentation on Github. They also recently released new GuardDuty detections for EKS.

      Cado Security Resources

      At Cado, we published a playbook that covers best practices for investigating compromises in EKS environments. The Ultimate Guide to Docker and Kubernetes Incident Response explores how attackers are compromising containerized systems and best practices for conducting forensics and incident response of containerized applications including how to:

      • Acquire Amazon EKS systems

      • Export disks from Kubernetes containers on Windows with Hyper-V

      • Conduct Kubernetes memory forensics

      • And more…

      In addition, to help security teams gain a better understanding of the types of data sources that can be captured in AWS, we published this GitHub repository that includes sample data taken from a compromised EKS system. We also published an associated talk which covers our own analysis.

      Cado Platform

      The Cado platform expedites incident response in the cloud by automating data capture, processing and analysis of cloud container-based and serverless resources. The Cado platform analyzes compromised EKS systems by automatically capturing:

      • Logs in S3 from the AWS side (e.g. kubernetes authentication).

      • A full copy of a container from within the container itself.

      • A full copy of the underlying EC2 that the container is running on, which also includes a number of logs from the host operating system as well as versioned files from the container due to how the overlay2 filesystem works.


      Example analysis of a compromised AWS EKS System in Cado Response

      Interested in performing your own AWS EKS investigation using the Cado platform? Check out our 14-day free trial.

      Tag(s): Cloud Investigations | Free Resources

      More from the blog

      View All Posts
      Cloud Investigations icon
      blog icon Cloud Investigations
      ECS Fargate Incident Response
      September 7, 2022

      AWS Fargate is a serverless service that provides the option of fully managed and abstracted infrastructure for...

      Continue Reading
      Announcements icon
      blog icon Announcements
      Cado Security Extends Support To Serverless Environments 
      April 5, 2022

      Today we're thrilled to announce that we've extended support to serverless environments! With enhanced visibility and...

      Continue Reading
      blog post icon
      Developers and Attackers are There, You Need to be There too!
      January 24, 2023

      If we consider the main reasons why organizations moved to cloud in the first place, it’s because of the speed, agility and...

      Continue Reading