"EKS Forensics & Incident Response" will explore the critical role of Elastic Kubernetes Service (EKS) in incident response and forensic investigations. The presentation will begin by discussing the current threat landscape and the need for organizations to have a well-defined incident response plan in place to mitigate risks effectively. The speaker will then delve into the various phases of incident response, including preparation, identification, containment, eradication, and recovery. The focus will be on how EKS can be leveraged to perform forensics investigations during the identification phase, with an emphasis on the tools and techniques available for gathering data and analyzing events. The talk will also cover the unique challenges associated with conducting forensic investigations in a containerized environment and the strategies for overcoming these challenges. Attendees will learn how EKS can facilitate forensic investigations in containerized environments by providing rich telemetry data, monitoring tools, and analysis capabilities. Finally, the presentation will emphasize the importance of communication and collaboration between security teams and other stakeholders in the organization during an incident. Attendees will leave with a deeper understanding of how EKS can play a vital role in incident response and forensics investigations, and practical strategies for improving their organization's security posture.

1. EKS Forensics &
Incident Response
Cado Security | 1

2. How do you respond to a compromised EKS
Container or Node?
If you’ve identified a potentially compromised container in EKS, there
are two potential ways forward:
● If the container is running on an underlying EC2, then refer to the
suggested steps above for immediate actions.
● If the container is running on Fargate, then collect any data required for
later analysis before subsequently suspending it.

3. What EKS GuardDuty Detections
are there?
https://aws.amazon.com/blogs/security/how-to-use-new-amazon-guardduty-eks-protection-findings/
https://medium.com/@cloud_tips/guide-to-aws-guardduty-findings-in-eks-62babbd7da88

4. CloudTrail Logs
● Shows: API Level Calls
● Usefulness: Low
● Collected by: S3
Amazon S3
Container Investigation Data Sources in AWS?
EKS Audit / Control Plane Logs
● Shows: API Level Calls
● Usefulness: Medium
● Collected by: S3
Amazon EC2 - Hosting EKS/ECS Inside Container - EKS/ECS on Fargate/EC2
Docker Logs
● Logs what containers were started, stopped
● Usefulness: Medium
● Collected by: EC2 Import or Cado Host
Docker Container Filesystems
● Normally overlay2 versioned filesystem
● Contains all the files from all the containers
● Usefulness: High
● Collected by: EC2 EBS (API) or Cado Host (SSM/SSH)
Container Filesystems
● Live filesystem as seen by the container, Memory
● Contains all the files from all the containers
● Usefulness: Very High
● Collected by: Cado Host (ECS Exec/kubectl exec))

5. How do you Acquire an Amazon EKS System
in Cado?

6. What is overlay2?
Overlay2 is the file system you are most likely to see.
It’s also versioned, which helps preserve evidence of attacks.
Separate containers are kept in their own folders:

7. What AWS EKS Logs are Stored in AWS?
It's important to also analyze AWS logs that are generated for EKS systems.
These contain metadata around starting and stopping containers.
Below you can see a view of AWS logs collected in Cado Response:

8. What Resources are available?
kube-forensics allows a cluster administrator to
dump the current state
of a running pod and all its containers so that
security professionals can perform offline forensic
analysis.
We previously published a playbook dedicated to
investigating compromises in EKS environments.
Check out the GitHub repository with sample data
taken from a compromised EKS system, and an
associated talk on how to analyze it.
Community
Resources
Cado Security
Resources

9. What Remediation is available?
https://aws.amazon.com/blogs/security/how-to-investigate-and-take-action-on-security-issues-in-a
mazon-eks-clusters-with-amazon-detective-part-2/

10. Cado Response
Free 14-day trial
Receive unlimited access to
the Cado Response Platform
for 14 days.
www.cadosecurity.com/free-investigation/