
ECS Forensics & Incident Response

Cado Security | 1
What is ECS?

https://www.cadosecurity.com/aws-ecs-fully-managed-but-frustrating-to-investigate/
How does GuardDuty work with ECS?

https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html
Container Investigation Data Sources in AWS

Amazon S3
  EKS Audit / Control Plane Logs
  ● Shows: API Level Calls
  ● Usefulness: Medium
  ● Collected by: S3
  CloudTrail Logs
  ● Shows: API Level Calls
  ● Usefulness: Low
  ● Collected by: S3

Amazon EC2 - Hosting EKS/ECS
  Docker Container Filesystems
  ● Normally overlay2 versioned filesystem
  ● Contains all the files from all the containers
  ● Usefulness: High
  ● Collected by: EC2 EBS (API) or Cado Host (SSM/SSH)
  Docker Logs
  ● Logs what containers were started, stopped
  ● Usefulness: Medium
  ● Collected by: EC2 Import or Cado Host

Inside Container - EKS/ECS on Fargate/EC2
  Container Filesystems
  ● Live filesystem as seen by the container, Memory
  ● Contains all the files from all the containers
  ● Usefulness: Very High
  ● Collected by: Cado Host (ECS Exec/kubectl exec)
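As an added illustration, not part of the Cado deck, the following Python helper turns the data-source table above into a per-task collection plan: which sources can be reached depends on whether the task runs on an EC2 container instance (host filesystem and Docker logs exist) and whether ECS Exec is enabled (live container view). Field names follow the ECS DescribeTasks response; the two sample tasks are constructed.

```python
"""Plan evidence collection for a suspect ECS task from the data-source table."""
from typing import Any

# Usefulness labels as given in the table for each data source
USEFULNESS = {
    "container_live": "Very High",   # live filesystem + memory inside the container
    "host_overlay2": "High",         # Docker container filesystems on the EC2 host
    "docker_logs": "Medium",         # container start/stop history on the EC2 host
    "cloudtrail": "Low",             # API-level calls, delivered to S3
}

# Constructed sample: a trimmed subset of what `aws ecs describe-tasks` returns
SAMPLE_TASKS: list[dict[str, Any]] = [
    {   # EC2-hosted task with ECS Exec turned off
        "taskArn": "arn:aws:ecs:us-east-1:123456789012:task/prod/aaaa1111",
        "launchType": "EC2",
        "enableExecuteCommand": False,
        "containerInstanceArn": "arn:aws:ecs:us-east-1:123456789012:container-instance/prod/ci-1",
    },
    {   # Fargate task with ECS Exec turned on: no host to image
        "taskArn": "arn:aws:ecs:us-east-1:123456789012:task/prod/bbbb2222",
        "launchType": "FARGATE",
        "enableExecuteCommand": True,
        "containerInstanceArn": None,
    },
]


def plan_collection(task: dict[str, Any]) -> dict[str, list[str]]:
    """Return {'collect': [...], 'blocked': [...]} listing reachable data sources."""
    collect: list[str] = []
    blocked: list[str] = []
    # Live container filesystem/memory requires ECS Exec on the task itself
    if task.get("enableExecuteCommand"):
        collect.append("container_live")
    else:
        blocked.append("container_live: ECS Exec is disabled on this task")
    # Host-level evidence (overlay2 layers, Docker logs) only exists on EC2 launch type
    if task.get("launchType") == "EC2" and task.get("containerInstanceArn"):
        collect.extend(["host_overlay2", "docker_logs"])
    else:
        blocked.append("host_overlay2/docker_logs: Fargate tasks have no EC2 host")
    # API history is always available from the CloudTrail bucket in S3
    collect.append("cloudtrail")
    # Order the plan by the table's usefulness ranking, most useful first
    rank = ["Very High", "High", "Medium", "Low"]
    collect.sort(key=lambda src: rank.index(USEFULNESS[src]))
    return {"collect": collect, "blocked": blocked}
```

Running the planner over a real `describe-tasks` dump before touching the cluster tells the responder which of the three columns are even available for the task.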
How do you Investigate an ECS Container in Cado?

https://docs.cadosecurity.com/cado-response/discovery-import/import/aws/aws-ecs
How do you Remediate a compromised ECS Cluster?

https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ecs
Cado Response
Free 14-day trial
Receive unlimited access to the Cado Response Platform for 14 days.

www.cadosecurity.com/free-investigation/
