Blog

The Ultimate Guide to Docker & Kubernetes Forensics

Introduction

As organizations continue to migrate their computing resources to cloud and container environments, attackers are right behind them. Virtualization technology has come a long way and has been great for enterprises across the board. However, the dynamic and ephemeral nature of these resources means they grow, shrink and recycle data in a way that makes it almost impossible for security experts to investigate a breach and understand which assets and data have been compromised. Hackers are taking advantage of this.

This guide covers best practices for conducting forensics and incident response of containerized applications running in Docker and Kubernetes so you can efficiently investigate and respond to security incidents that occur in containerized environments.

Building a Container Forensics Incident Response Plan

When building a container forensics incident response plan, there are three main focus areas to consider:

  • Preventative measures
  • Preservation & investigation
  • Planning & testing

Preventative Measures

Preventative measures can help reduce the risk of container compromise:

  • Restrict access to kubectl and the Docker/Kubernetes APIs
  • Ensure Kubernetes and Docker and the containers running within are kept patched and up to date
  • Create an allow-list for inbound and outbound network traffic

Preservation & Investigation

In the event an incident occurs, it is critical to preserve the evidence that’s required to allow for an in-depth investigation:

  • Never destroy the node when compromised! This will make it impossible to identify root cause
  • Determine which evidence you plan to capture and ensure its enough visibility to determine root cause and impact — remember, the more data sources you can analyze, the better your investigation will be
  • Have a plan for how to capture the data you need and test your ability to capture it- given the dynamic and ephemeral nature of containers, automation is key
  • Know how to snapshot the host that contains the containerized disks

Planning & Testing

As always, planning and testing is crucial to ensuring alignment and overall success in the event a major incident occurs:

  • Assign an incident response lead to serve as the primary decision maker during a major incident
  • Determine which parts of the business you need to communicate with in the event a breach occurs
  • Understand what legal and/or customer obligations you have following a major incident
  • Decide what’s considered a high-severity incident, and implement escalation processes and procedures
  • Conduct red team exercises and assessments to continuously improve your security defenses and be best prepared for a real-world data breach

To ensure you are able to efficiently investigate and respond to security incidents that occur in containerized environments, Read the full playbook which covers:

  • Best practices for building a container forensics incident response plan– from prevention to investigation to response
  • How attackers are compromising containerized systems
  • Tips for Investigating compromise in containerized environments including tips for:
    • Analyzing AWS logs generated from EKS systems
    • Acquiring an Amazon EKS system
    • Conducting Kubernetes memory forensics
    • And more…

Ready to start investigating? Take advantage of Cado’s community tools or the full unlimited version of the Cado Response platform via a 14-day free trial.

About Cado Security

Cado Security provides the first and only cloud-native digital forensics platform for enterprises. By automating data capture and processing across cloud and container environments, Cado Response enables security teams to efficiently investigate and respond to cyber incidents at cloud speed. Backed by Blossom Capital and Ten Eleven Ventures, Cado Security has offices in the United States and United Kingdom. For more information, please visit https://www.cadosecurity.com/ or follow us on Twitter @cadosecurity.

[1]According to the Australia Cyber Security Centre (ACSC), between 1 July 2019 and 30 June 2020, the ACSC responded to 2,266 cybersecurity incidents and received 59,806 cybercrime reports.