CSI Container: Can You DFIR It? - Alberto Pellitteri & Stefano Chierici, Sysdig
Abstract
Digital Forensics and Incident Response (DFIR) capabilities are crucial to quickly containing the impact of an incident and preventing a cyberattack from becoming a cyber crisis. When criminals get into your environment, well-defined DFIR techniques are what keep the impact of the incident to a minimum. Identifying and containing an incident was challenging enough in virtual machines; now that containerized applications have become mainstream, it is even more difficult. Following a brief introduction to DFIR and its importance, the talk compares the traditional DFIR approach in on-premises infrastructures with the approach that containers require. This gives a better understanding of how needs and challenges have changed, particularly from the Kubernetes perspective. After a practical demonstration, the audience will have a clear picture of the best practices to adopt during the response phase, such as storing the evidence of a compromised pod remotely, highlighting and extracting the filesystem changes, and more. To close, the talk discusses how DFIR is evolving in Kubernetes, covering the latest Kubernetes features and the capabilities they bring to forensics and incident response.
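One of the response practices the abstract names is highlighting and extracting the filesystem changes of a compromised pod. The following is an added example, not code from the talk or from Sysdig: it assumes the responder has already copied two directory trees to a forensic workstation, a baseline unpacked from the container image and a copy of the live container's root filesystem, and it diffs them into an evidence record with per-file SHA-256 hashes plus a hash over the whole record for integrity checking. The function names, the pod and container names, and the sample files in `demo()` are all constructed for this example.

```python
"""Extract the filesystem changes of a suspect container as a DFIR evidence record.

Added example (not from the talk). Assumes two directory trees already exist on
the forensic workstation: a baseline extracted from the container image and a
copy of the live container's root filesystem. Names and sample data are constructed.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file (path relative to root) to (sha256, size, permission bits)."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # only regular files are hashed; symlinks and devices are out of scope here
            rel = p.relative_to(root).as_posix()
            st = p.stat()
            result[rel] = (sha256_file(p), st.st_size, oct(st.st_mode & 0o777))
    return result


def diff_snapshots(baseline: dict, live: dict) -> dict:
    """Classify every path as added, modified (hash/size/mode differs) or deleted."""
    added = sorted(set(live) - set(baseline))
    deleted = sorted(set(baseline) - set(live))
    modified = sorted(p for p in set(live) & set(baseline) if live[p] != baseline[p])
    return {
        "added": [{"path": p, "sha256": live[p][0], "size": live[p][1], "mode": live[p][2]} for p in added],
        "modified": [{"path": p, "image_sha256": baseline[p][0], "live_sha256": live[p][0]} for p in modified],
        "deleted": deleted,
    }


def evidence_record(pod: str, container: str, baseline_root: Path, live_root: Path) -> dict:
    """Build the evidence record and seal it with a hash over its canonical JSON form."""
    changes = diff_snapshots(snapshot(baseline_root), snapshot(live_root))
    body = {"pod": pod, "container": container, "changes": changes}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    body["record_sha256"] = hashlib.sha256(canonical).hexdigest()
    return body


def _write(root: Path, rel: str, data: bytes, mode: int = 0o644) -> None:
    """Helper for the constructed sample trees."""
    p = root / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)
    p.chmod(mode)


def demo() -> dict:
    """Constructed sample: one file untouched, one modified, one added, one deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "image"   # stands in for the unpacked container image
        live = Path(tmp) / "live"     # stands in for the copied live root filesystem
        _write(image, "etc/passwd", b"root:x:0:0\n")
        _write(image, "app/server.py", b"print('hello')\n")
        _write(image, "etc/motd", b"welcome\n")
        _write(live, "etc/passwd", b"root:x:0:0\n")                       # unchanged
        _write(live, "app/server.py", b"print('hello'); import os\n")     # modified in the running container
        _write(live, "tmp/.cache/dropped.bin", b"\x7fELF-constructed", 0o755)  # new executable, not in the image
        # etc/motd is absent from the live tree, so it is reported as deleted
        return evidence_record("web-7f9c", "app", image, live)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints the record for the constructed trees: `app/server.py` under `modified` with both hashes, `tmp/.cache/dropped.bin` under `added` with its mode, and `etc/motd` under `deleted`. Storing `record_sha256` separately from the record itself lets a later reviewer verify the extracted evidence has not been altered after it left the cluster.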