CSI Container: Can You DFIR It?

#WhoAreWe?
- Alberto Pellitteri, Security Researcher, Sysdig (pellibert1, https:/), Falco Rule Contributor
- Stefano Chierici, Threat Research Lead Manager, Sysdig (darryk10, https:/), Falco Rule Reviewer and Contributor

Agenda
- DFIR = DF + IR
- NIST IR life-cycle
- DFIR in containers
- Best practices
- Steps
- Tools
- Demo
- Main Takeaways

DFIR = DF + IR
- Incident Response (IR)
- Digital Forensics (DF)

DFIR - NIST IR life cycle
- https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf

DFIR - Prepare your plan!

Traditional DFIR - it's all about tools
- Tools: EDR/XDR, Volatility, RedLine
- Websites: VirusTotal
- Cheatsheets
- Books
- Pretty well known!

What about DFIR in containers?
- Steps, approaches, guidelines
- Tools

DFIR in containers (https:/)
- Runtime security: Falco + Falcosidekick (CNCF incubated)
- Log management platform: ELK Stack, OpenSearch, etc.
- Monitoring system: Prometheus (CNCF graduated)
- Logging solution: Fluent-bit/Fluentd (CNCF graduated)

Demo
- Apache HTTP Server
- Path traversal and file disclosure vulnerability (CVE-2021-41773)

Detection and Analysis
- State whether it is an attack; if so, proceed with Coordination

Detection and Analysis - Fluent-bit

Detection and Analysis - Prometheus

Detection and Analysis
- Isolate the attack:
  - Quarantine the impacted pod/container
  - Remove its privileges, revoke credentials, etc.
  - Ensure reliability and availability of your services.
  - Assess which resources have been impacted.
- Store the attack's evidence:
  - Snapshot the worker node volume where the impacted pod/container was scheduled (manually from your cloud provider console or with cloud-forensics-utils)
  - Commit and push the infected container (best option)
  - If possible, checkpoint the container
- Fix the misconfiguration/vulnerability, if possible. Otherwise mitigate.

Containment,
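The demo targets the Apache HTTP Server path traversal (CVE-2021-41773), and the detection step leans on the access logs shipped by Fluent-bit. The Python below is added here as an illustration and is not code from the talk or from Sysdig: it scans constructed Apache combined-format log lines for request paths that contain a ".." segment once percent-decoded (decoding repeatedly, so multiply-encoded dots are caught as well, which goes beyond the single CVE) and rates a 2xx response on such a request as a probable file disclosure rather than a blocked probe.

```python
from __future__ import annotations
import re
from urllib.parse import unquote

# Constructed Apache "combined" access-log lines, written for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Oct/2021:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Oct/2021:10:12:07 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1208 "-" "curl/7.79.1"
10.0.0.7 - - [05/Oct/2021:10:13:00 +0000] "GET /icons/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 403 199 "-" "python-requests/2.26"
10.0.0.5 - - [05/Oct/2021:10:13:30 +0000] "GET /docs/a..b/readme.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def is_traversal(raw_target: str) -> bool:
    """True if the request path holds a '..' segment after percent-decoding.

    Apache 2.4.49 (CVE-2021-41773) normalised the path before decoding it, so a
    segment spelled '.%2e' or '%2e%2e' slipped past its '..' check. Decoding
    until the string stops changing (bounded) and then inspecting each
    '/'-separated segment catches plain and encoded spellings alike, while dots
    inside a file name such as 'a..b' are not flagged.
    """
    path = raw_target.split("?", 1)[0]        # the query string is not a path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return any(seg == ".." for seg in path.split("/"))

def scan_access_log(text: str) -> list[dict]:
    """Return one finding per traversal-looking request, with a severity."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal(m["target"]):
            continue
        status = int(m["status"])
        findings.append({
            "src_ip": m["ip"],
            "timestamp": m["ts"],
            "target": m["target"],
            "status": status,
            # A 2xx on a traversal request means the server served something:
            # treat it as a probable disclosure, not just a probe.
            "severity": "high" if 200 <= status < 300 else "medium",
            "encoded_dots": "%2e" in m["target"].lower(),
        })
    return findings

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Feed it a real access log (the file Fluent-bit tails) to triage which traversal requests returned 2xx and from which source addresses; those are the ones worth prioritising in the Detection and Analysis phase.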