CSI Container: Can You DFIR It?

Alberto Pellitteri, Security Researcher
Stefano Chierici, Threat Research Lead Manager

#WhoAreWe?
- Alberto Pellitteri, Security Researcher, Sysdig. pellibert1 https:/ Falco Rule Contributor
- Stefano Chierici, Threat Research Lead Manager, Sysdig. darryk10 https:/ Falco Rule Reviewer and Contributor

Agenda
- DFIR = DF + IR
- NIST IR life-cycle
- DFIR in containers
- Best practices: Steps, Tools
- Demo
- Main Takeaways

DFIR = DF + IR
- Incident Response (IR)
- Digital Forensics (DF)

DFIR - NIST IR life cycle
https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf

DFIR - Prepare your plan!

Traditional DFIR - it's all about tools

Traditional DFIR Tools
- EDR/XDR
- Volatility
- RedLine
- Websites: VirusTotal
- Cheatsheets
- Books
Pretty well known!

What about DFIR in containers?
- Steps, approaches, guidelines
- Tools

DFIR in containers
https:/
- Runtime security: Falco + Falcosidekick (CNCF incubated)
- Log management platform: ELK Stack, OpenSearch, etc.
- Monitoring system: Prometheus (CNCF graduated)
- Logging solution: Fluent Bit/Fluentd (CNCF graduated)

Demo
Apache HTTP Server: path traversal and file disclosure vulnerability (CVE-2021-41773)

Detection and Analysis
State if it is an attack; if so, proceed with Coordination.

Detection and Analysis - Fluent Bit
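The detection step above looks for the traversal requests in the Apache access logs that Fluent Bit ships to the log platform. As an added example that is not part of the talk, the shell function below normalises the request path of each access-log line (URL-decoding it twice, so double-encoded variants are normalised as well, which goes beyond the single CVE named above) and flags every request whose decoded path contains a `../` segment. The log lines are constructed sample data; the client addresses and paths are made up.

```shell
#!/bin/sh
# Added example, not from the talk: flag path-traversal requests in Apache access-log lines,
# the signal the detection step above looks for in the logs that Fluent Bit ships.
# The log lines below are constructed sample data (made-up client addresses and paths).
SAMPLE_ACCESS_LOG='10.0.0.5 - - [05/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024
10.0.0.9 - - [05/Oct/2021:10:00:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1304
10.0.0.9 - - [05/Oct/2021:10:00:03 +0000] "GET /icons/%%32%65%%32%65/%%32%65%%32%65/etc/hostname HTTP/1.1" 200 12
10.0.0.7 - - [05/Oct/2021:10:00:04 +0000] "GET /files/archive..old/readme.txt HTTP/1.1" 200 77'

# Reads access-log lines on stdin, URL-decodes the request path twice (single- and
# double-encoded dots both normalise to "."), and prints one TRAVERSAL line per request
# whose decoded path contains a "../" segment. "..old" inside a file name is not a
# segment, so that request is left alone.
detect_traversal() {
  awk '
    function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
    function urldecode(s,    out, i, n, h) {
      out = ""; n = length(s)
      for (i = 1; i <= n; i++) {
        if (substr(s, i, 1) == "%" && substr(s, i + 1, 2) ~ /^[0-9a-fA-F][0-9a-fA-F]$/) {
          h = substr(s, i + 1, 2)
          out = out sprintf("%c", hexval(substr(h, 1, 1)) * 16 + hexval(substr(h, 2, 1)))
          i += 2
        } else {
          out = out substr(s, i, 1)
        }
      }
      return out
    }
    {
      raw = $7                                  # request path in the combined log format
      decoded = urldecode(urldecode(raw))
      if (index(decoded, "../") > 0 || decoded ~ /\/\.\.$/)
        printf "TRAVERSAL client=%s raw=%s decoded=%s\n", $1, raw, decoded
    }'
}

# Number of flagged requests in the sample log (2 for the constructed lines above).
count_sample_traversals() {
  printf '%s\n' "$SAMPLE_ACCESS_LOG" | detect_traversal | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_ACCESS_LOG" | detect_traversal
```

Pipe real access logs into `detect_traversal` (for example the Fluent Bit tail output, or `kubectl logs` of the web pod) and count hits per client address to see whether the requests were probing or a targeted sequence. Decoding before matching is the point: a pattern on the raw `%2e` text misses encodings it was not written for, while a check on the normalised path does not.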
Detection and Analysis - Prometheus

Detection and Analysis
- Isolate the attack:
  - Quarantine the impacted pod/container.
  - Remove its privileges, revoke credentials, etc.
  - Ensure reliability and availability of your services.
  - Assess which resources have been impacted.
- Store the attack's evidence:
  - Snapshot the worker node volume where the impacted pod/container was scheduled (manually from your cloud provider console or with cloud-forensics-utils).
  - Commit and push the infected container (best option).
  - If possible, checkpoint the container.
- Fix the misconfiguration/vulnerability, if possible. Otherwise mitigate.

Containment, Eradication, and Recovery
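The isolation, assessment and evidence-preservation steps above, written out as an added containment runbook. This is not code from the talk or from Sysdig; it assumes `kubectl` and `docker` on the PATH, a CNI that actually enforces NetworkPolicy, and an evidence registry whose name (`registry.example.invalid/forensics`) is a placeholder. Exporting `KUBECTL=echo DOCKER=echo` dry-runs the whole thing and only prints the commands.

```shell
#!/bin/sh
# Added example, not from the talk or from Sysdig: a minimal containment runbook for the
# steps listed above (isolate the pod, cordon the node, assess the blast radius, preserve
# the container, inspect it live). Assumptions: kubectl and docker on the PATH, a CNI that
# enforces NetworkPolicy, and a placeholder evidence registry in EVIDENCE_REPO.
# Dry-run by exporting KUBECTL=echo DOCKER=echo, which prints the commands instead of running them.
KUBECTL="${KUBECTL:-kubectl}"
DOCKER="${DOCKER:-docker}"
EVIDENCE_REPO="${EVIDENCE_REPO:-registry.example.invalid/forensics}"  # placeholder, not a real registry

# Deny-all NetworkPolicy for pods labelled quarantine=true: listing both policy types with no
# ingress/egress rules blocks all traffic, so the pod keeps running but cannot talk to anything.
quarantine_policy() {  # $1 = namespace
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: quarantine-deny-all
  namespace: $1
spec:
  podSelector:
    matchLabels:
      quarantine: "true"
  policyTypes:
  - Ingress
  - Egress
EOF
}

# Step 1, isolate: label the pod and apply the policy. Do not delete or restart the pod yet;
# its filesystem and process state are the evidence.
quarantine_pod() {  # $1 = namespace, $2 = pod
  $KUBECTL label pod "$2" -n "$1" quarantine=true --overwrite
  quarantine_policy "$1" | $KUBECTL apply -f -
}

# Step 2, cordon: stop new workloads landing on the node, but do not drain it
# (draining evicts, i.e. destroys, the compromised pod).
cordon_node() {  # $1 = node name
  $KUBECTL cordon "$1"
}

# Step 3, assess: privileged containers, hostPath mounts and the service account's
# permissions tell you whether the blast radius can extend past the container.
assess_pod() {  # $1 = namespace, $2 = pod
  $KUBECTL get pod "$2" -n "$1" -o jsonpath='{range .spec.containers[*]}{.name}{" privileged="}{.securityContext.privileged}{"\n"}{end}'
  $KUBECTL get pod "$2" -n "$1" -o jsonpath='{range .spec.volumes[*]}{.name}{" hostPath="}{.hostPath.path}{"\n"}{end}'
  sa=$($KUBECTL get pod "$2" -n "$1" -o jsonpath='{.spec.serviceAccountName}')
  $KUBECTL auth can-i --list -n "$1" --as "system:serviceaccount:$1:${sa:-default}"
}

# Step 4, preserve: commit the running container to an image, push it to the evidence
# registry and keep a local tarball whose hash goes into the case notes.
preserve_container() {  # $1 = container id on the worker node, $2 = case id
  image="$EVIDENCE_REPO/$2:$(date -u +%Y%m%dT%H%M%SZ)"
  $DOCKER commit "$1" "$image"
  $DOCKER push "$image"
  $DOCKER save -o "$2.tar" "$image"
  if [ -f "$2.tar" ]; then sha256sum "$2.tar"; fi
}

# Step 5, inspect live: an ephemeral debug container sharing the target's process namespace,
# which works even when the target image is distroless and has no shell of its own.
debug_pod() {  # $1 = namespace, $2 = pod, $3 = target container name
  $KUBECTL debug -n "$1" "$2" -it --image=busybox --target="$3" -- sh
}

# Example run (all values are placeholders):
#   quarantine_pod prod web-0 && cordon_node worker-1 && assess_pod prod web-0
#   preserve_container 0123abcd case-42
#   debug_pod prod web-0 web
```

Two caveats a responder should keep in mind: a NetworkPolicy is only a quarantine if the cluster's CNI enforces it (a cluster without a policy-capable CNI silently accepts the object and does nothing), and the commit/save step is written for Docker, so on containerd nodes substitute nerdctl, which offers a compatible `commit` and `save`. Cordoning rather than draining is deliberate; draining the node would evict the pod and destroy the live evidence.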
What will we use?
- docker/ctr/crictl/nerdctl/podman: to interact with the involved container engine.
- kubectl: to communicate with the kube-apiserver.
- docker-explorer/container-explorer (by Google): open source projects that can do offline forensic analysis on a snapshotted volume.
- container-diff (by Google): a tool for analyzing and comparing container images. It allows you to detect any changes within an image.
- cloud-forensics-utils: an open source project that provides tools to be used by forensics teams to collect evidence from cloud platforms. Currently, Google Cloud Platform, Microsoft Azure, and Amazon Web Services are supported.

Demo
Let's begin by isolating the impacted pod...

Demo
...and cordoning the node.

Demo - Live approach
Directly interact with the container engine.

Demo - Live approach
Commit and push/save the compromised container from the impacted worker node.

Live approach in K8s - Ephemeral containers
In Kubernetes (v1.25) you can also use ephemeral containers. Ephemeral containers are a special type of container that you can launch into already running pods to troubleshoot/inspect them. Doing so, you can inspect the main container's state and run arbitrary commands. These special containers allow you to view processes in other containers by leveraging process namespace sharing.
Useful:
- If you want to inspect the application state or the attack's evidence within the impacted pod;
- If the container to be inspected was run from a distroless image (it has no shell or debugging tools).

Demo - Offline approach
Pull/import the previously compromised image into the analyzer machine.

Demo - Offline approach
Mount the snapshotted volume on the analyzer machine. Now you can perform forensics on the worker node's volume, also using container-explorer to analyze the previously running containers.

Container Checkpoint - Podman
How it started: https:/
How it's going:

Eradication - Has the attack spread elsewhere?
Before moving on with the next step, make sure that the attack has not spread elsewhere:
- Check whether the affected pod was designed and deployed with sensitive mounts or excessive privileges or capabilities. If so, there may have been a pod escape or access to host privileged information.
- Verify the Kubernetes service account bound to the impacted pod, if any. It may have granted unintended access to other resources in the cluster.
- Monitor the Kubernetes audit logs with runtime tools such as Falco, to detect any unwanted actions in the cluster:
  - Creation of new clusterroles/pods in the cluster
  - Stealing secrets
- Inspect cloud logs to monitor any lateral movement attempts. Sometimes impacted pods may leverage cloud metadata to create other cloud resources, access sensitive data, or cause damage to your cloud infrastructure. Also in this case, to detect alerts at runtime you can use Falco and its plugins.

Recovery
Restore systems to normal and working operations:
- Fix the vulnerability/misconfiguration, if possible.
- Apply mitigations if there are no patches:
  - Delete the impacted workload
  - Restart the container
  - Run a playbook of actions if malicious executions/exploits are detected at run-time. https://falco.org/blog/

Post-Incident Activity - Continuous Improvement
When a security breach occurs, every company must embrace it as an opportunity. It can represent a new way to protect the exposed resources, adopt new security approaches, and test the environments. Giving it the proper attention, you can stop in time and prevent more disastrous cyber events in the future.

Main Takeaways
- Do not be caught unprepared! Prepare your incident response plan!
- Be prepared to respond to container breaches ASAP!
- Not all container breaches are limited to the container itself. There might be more to investigate!
- Make sure to have set up all the logs and to fully monitor your assets.
- Know your tools and be prepared to use them.
- Periodically simulate breaches and verify how your team responds to them.
- Hire/engage outside entities if needed.

Thank you!
Alberto Pellitteri, Security Researcher. Twitter: pellibert1 https:/
Stefano Chierici, Threat Research Lead Manager. Twitter: darryk https:/