CSI Forensics: Unraveling Kubernetes Crime Scenes explores container DFIR in Kubernetes environments, emphasizing Kubernetes container checkpointing (the kubelet's CRIU-backed checkpoint feature, not the Container Storage Interface; "CSI" in the title is the crime-scene pun) and its automation with Falco, Falcosidekick, and Argo. It demonstrates static and dynamic analysis of container checkpoints, including safe storage of the archives and restoration in a sandbox for forensic investigation. #Kubernetes #DFIR #Falco #Falcosidekick #Argo #Checkpointing #CRIU #Perlbot #IRC
Keypoints
- DFIR combines Digital Forensics and Incident Response and requires container-specific tooling.
- Kubernetes checkpointing saves the state of a running container (process memory, open file descriptors and sockets, plus the writable filesystem layer) to a tar archive on the node, so the evidence can be analyzed later without keeping the compromised workload alive.
- Checkpoint automation uses Falco, Falcosidekick, and Argo to trigger checkpoints on malicious activity.
- Static and dynamic analysis can be performed on container checkpoints to investigate attacks.
- Best practices include moving checkpoint archives to secure locations and using the right tools for analysis.
- Dynamic analysis involves restoring checkpoints in isolated environments to monitor malicious behavior.
- Tools used include Wireshark, Sysdig, checkpointctl, and crit (the CRIU image tool) for deep forensic work on the restored sandbox and on the raw checkpoint images.
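The checkpoint, preserve and static-triage steps above, as an added example (this is not code from the Sysdig post). It assumes a node whose kubelet has the ContainerCheckpoint feature gate enabled with a CRIU-capable runtime such as CRI-O, and a client certificate the kubelet trusts (CLIENT_CRT/CLIENT_KEY; the default paths are illustrative). The kubelet endpoint and the archive layout (a checkpoint/ directory of CRIU images next to rootfs-diff.tar) are the documented ones; the suspicious-path patterns and the sample archive are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the Sysdig post: checkpoint a container through the
# kubelet API, preserve the archive, and triage it statically (no restore).
# Assumptions: ContainerCheckpoint feature gate on, CRIU-capable runtime,
# CLIENT_CRT/CLIENT_KEY trusted by the kubelet. Paths and names are illustrative.
set -eu

# 1. Trigger a checkpoint. The kubelet (port 10250 on the node) exposes
#    POST /checkpoint/{namespace}/{pod}/{container} and answers with JSON
#    naming the archive it wrote under /var/lib/kubelet/checkpoints/.
checkpoint_container() {
  ns=$1; pod=$2; ctr=$3
  curl -sS -X POST --insecure \
    --cert "${CLIENT_CRT:-/var/run/kubernetes/client-admin.crt}" \
    --key  "${CLIENT_KEY:-/var/run/kubernetes/client-admin.key}" \
    "https://localhost:10250/checkpoint/${ns}/${pod}/${ctr}"
}

# 2. Preserve the evidence: hash first, then copy the archive off the node
#    (preserving timestamps) before any analysis tool touches it.
preserve_checkpoint() {
  archive=$1; dest=$2
  sha256sum "$archive" > "${dest}/$(basename "$archive").sha256"
  cp -p "$archive" "$dest/"
}

# 3. Static triage. The kubelet archive contains, among other files,
#      checkpoint/      CRIU process images (memory pages, fds, sockets)
#      rootfs-diff.tar  every file the container wrote over its image layers
#    Listing rootfs-diff.tar shows dropped tooling without restoring anything.
list_rootfs_changes() {
  archive=$1
  work=$(mktemp -d)
  if tar -xf "$archive" -C "$work" rootfs-diff.tar 2>/dev/null; then
    tar -tf "$work/rootfs-diff.tar"
  fi
  rm -rf "$work"
}

# 4. First-look filter: scripts, or anything under world-writable locations.
#    Directory entries are dropped; patterns are illustrative, extend them.
flag_suspicious() {
  grep -v '/$' | grep -E '(^|/)(tmp|dev/shm|var/tmp)/|\.(pl|sh|py)$' || true
}

# Constructed sample archive with the layout above, so the triage functions
# can be exercised without a cluster. The "bot" is a two-line placeholder.
make_sample_checkpoint() {
  out=$1
  work=$(mktemp -d)
  mkdir -p "$work/rootfs/tmp" "$work/rootfs/etc" "$work/checkpoint"
  printf '#!/usr/bin/perl\n# constructed placeholder, not a real bot\n' \
    > "$work/rootfs/tmp/perlbot.pl"
  printf 'nameserver 10.96.0.10\n' > "$work/rootfs/etc/resolv.conf"
  : > "$work/checkpoint/pages-1.img"
  tar -cf "$work/rootfs-diff.tar" -C "$work/rootfs" .
  tar -cf "$out" -C "$work" rootfs-diff.tar checkpoint
  rm -rf "$work"
}

# Stand-alone demo on the constructed archive (real use: checkpoint_container,
# then preserve_checkpoint on the path the kubelet returns, then triage the copy).
demo() {
  tmp=$(mktemp -d)
  make_sample_checkpoint "$tmp/checkpoint-sample.tar"
  echo "== files written by the container =="
  list_rootfs_changes "$tmp/checkpoint-sample.tar"
  echo "== flagged for review =="
  list_rootfs_changes "$tmp/checkpoint-sample.tar" | flag_suspicious
  rm -rf "$tmp"
}
demo
```

On a real archive, follow the listing with `checkpointctl show` and the `crit` tools on the checkpoint/ images to recover process trees and socket state; only then decide whether a restore in an isolated sandbox is worth the risk of the bot reconnecting.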
MITRE Techniques
- [T1059] Execution – Command and Scripting Interpreter: the Perl bot script (perlbot.pl) is run inside the container.
- [T1071] Command and Control – Application Layer Protocol: the bot holds outbound connections to known malicious IPs (an IRC C2 in this scenario).
- [T1041] Exfiltration – Exfiltration Over C2 Channel: data is sent back to the attacker over the established connection.
- Not mapped: the page shows no initial-access vector and no autostart persistence mechanism. A long-lived C2 connection is not T1547 (Boot or Logon Autostart Execution), and running a dropped script is not T1203 (Exploitation for Client Execution).
Indicators of Compromise
- [File name] Checkpoint contents and related artifacts – perlbot.pl (the dropped bot script), rootfs-diff.tar (writable-layer changes packed inside the checkpoint archive), the checkpoint archive itself (checkpoint-<pod>_<namespace>-<container>-<timestamp>.tar, the kubelet's naming pattern), and 2 more files
- [File path] Checkpoint archive location on disk – /var/lib/kubelet/checkpoints/checkpoint-<pod>_<namespace>-<container>-<timestamp>.tar (written by the kubelet on the node; move it to secure storage before analysis)
- [IP address] Outbound connections to known malicious IPs observed in the scenario – ip1, ip2
Read more: https://sysdig.com/blog/csi-forensics-unraveling-kubernetes-crime-scenes/