Incident Response in Docker, Kubernetes and Amazon EKS Environments

Christopher Doman

Co-Founder/CTO at Cado Security - Cloud Forensics & Incident Response

Published Sep 18, 2021

Looking for a weekend DFIR read? We've released a free whitepaper on responding to attacks in Docker, Kubernetes and AWS EKS environments.

You can get the full whitepaper on our website - but a few highlights are below.

Check out the docker logs, typically under /var/lib/containers/*id*/*id-json.log to see records of containers spinning up and down:

There are a bunch of different possible file systems for Docker/Kubernetes - but these days it's most likely going to be overlay2 - which is pretty easy to browse:

For EKS - Amazon stores a ton of information in S3 - if enabled. It's a slightly odd mix of JSON, CSV often compressed into .gz. You can parse and alert/investigate on them.

Narghiza E.

Finance Executive

another amazing post! Thank you

To view or add a comment, sign in

More articles by Christopher Doman

Container DFIR Data Sources

Dec 11, 2022

Container DFIR Data Sources

In response to a question on data sources in EKS investigations - Scheduler & Controller logs in S3 Here’s an EKS…

1 Comment
Automating Incident Response in AWS with Guard Duty & Lambda

Feb 4, 2022

Automating Incident Response in AWS with Guard Duty & Lambda

I had a quick play today Automating Investigations in response to AWS GuardDuty Detections. Malware > Guard Duty >…

1 Comment
New Playbook on Responding to Mining Malware in Linux Container and Cloud Environments

Jan 11, 2022

New Playbook on Responding to Mining Malware in Linux Container and Cloud Environments

We've released a new playbook! This time specifically on responding to Linux instances compromised by mining malware…
Lets do a Ten Minute Triage of a honeypot Apache Solr box that got popped with the #Log4J / #Log4Shell exploit #CVE-2021-44228

Dec 11, 2021

Lets do a Ten Minute Triage of a honeypot Apache Solr box that got popped with the #Log4J / #Log4Shell exploit #CVE-2021-44228

Lets do a quick ten minute triage of a honeypot Apache Solr box that got popped with the #Log4J / #Log4Shell exploit…

2 Comments
Testing out the new Amazon Inspector Vulnerability Management Tool

Dec 2, 2021

Testing out the new Amazon Inspector Vulnerability Management Tool

The most interesting security announcement from this week’s #awsreinvent is the new version of Amazon Inspector - a…
Resources for DFIR Professionals Responding to the REvil Ransomware Kaseya Supply Chain Attack

Jul 3, 2021

Resources for DFIR Professionals Responding to the REvil Ransomware Kaseya Supply Chain Attack

We've released a number of tools and information to help DFIR analysts responding to the #REvil / #Kaseya saga this…
Introducing Cado Live - A Free Tool to Image Compromised Systems to the Cloud

May 29, 2020

Introducing Cado Live - A Free Tool to Image Compromised Systems to the Cloud

We’re excited to be releasing our first free product to the security community! Cado Live is a bootable operating…

See all articles

Incident Response in Docker, Kubernetes and Amazon EKS Environments

Christopher Doman

Co-Founder/CTO at Cado Security - Cloud Forensics & Incident Response

More articles by Christopher Doman

Insights from the community

Others also viewed

Palette 3.2 Release Highlights

A High-Level Overview of Kubernetes The Hard Way on WSL

Hello world!

Exploring the Latest Kubernetes 1.28 Release

Know about Docker in just 5 Minutes.

Installing Minikube (Local K8S) In 3 Easy Steps

Circuit-Breaker, a nice pattern for microservices

Day34- Working with Services in Kubernetes

🚀 SQL Server VM Monitoring Tip 🚀

Why you need Kubernetes?

Explore topics

More articles by Christopher Doman

Container DFIR Data Sources

Automating Incident Response in AWS with Guard Duty & Lambda

New Playbook on Responding to Mining Malware in Linux Container and Cloud Environments

Lets do a Ten Minute Triage of a honeypot Apache Solr box that got popped with the #Log4J / #Log4Shell exploit #CVE-2021-44228

Testing out the new Amazon Inspector Vulnerability Management Tool

Resources for DFIR Professionals Responding to the REvil Ransomware Kaseya Supply Chain Attack

Introducing Cado Live - A Free Tool to Image Compromised Systems to the Cloud

Insights from the community

Others also viewed

Palette 3.2 Release Highlights

A High-Level Overview of Kubernetes The Hard Way on WSL

Hello world!

Exploring the Latest Kubernetes 1.28 Release

Know about Docker in just 5 Minutes.

Installing Minikube (Local K8S) In 3 Easy Steps

Circuit-Breaker, a nice pattern for microservices

Day34- Working with Services in Kubernetes

🚀 SQL Server VM Monitoring Tip 🚀

Why you need Kubernetes?

Explore topics