Wild Exploits, Missing Logs: Docker Incident Response Without SIEM Visibility

Background: During incident handling there are situations where no logs are available, particularly for containers pulled from Docker Hub without any logging or SIEM integration. If you need to establish whether such a container was exploited by a well-known exploit or CVE, the absence of logs makes that hard. In these cases you need a method that lets you prove or disprove exploitation activity from the container's filesystem alone.

Approach:

First, obtain the exploit, either from a version control platform or by crafting it yourself. Before downloading or running any code, read and understand it to check for hidden threats. Next, deploy a test instance of the same Docker image and version that you run in production; the exploit is run against this replica, not against production.

  1. Take the exploit.
  2. Access the replica container's shell:

docker exec -it my-running-container bash

  3. Inside the container, list all files that have been modified or had their metadata changed in the last 5 minutes (this first run records the baseline noise of a freshly started container):

find . -type f \( -mmin -5 -o -cmin -5 \)

  4. Run the exploit against the container and wait for 1 minute.
  5. Run the same command again and compare with the baseline:

find . -type f \( -mmin -5 -o -cmin -5 \)
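Timestamp-based `find` only works if you compare quickly and nothing else touches the filesystem, and a reset mtime hides a change. A more robust way to do the same before/after comparison, added here as an example and not part of the original post, is to hash every regular file into a snapshot before the exploit and again afterwards, then diff the two snapshots. The function names `snapshot_tree` and `compare_snapshots` are my own; the script assumes GNU `find`, `sha256sum` and `awk` are available inside the container (or on the host over a `docker cp` / `docker export` extract of its filesystem) and that file paths contain no whitespace.

```shell
#!/bin/sh
# Added example (not from the original post): hash-based before/after snapshot
# of a container filesystem. Run snapshot_tree before and after the exploit,
# then compare_snapshots to get ADDED / MODIFIED / DELETED paths.

# snapshot_tree DIR OUTFILE
#   Writes "sha256  path" for every regular file under DIR, sorted by path.
#   Pseudo-filesystems (proc, sys, dev) are pruned; -xdev stays on one mount.
snapshot_tree() {
    dir="${1%/}"   # strip trailing slash so "/" becomes "" and "/proc" matches
    out="$2"
    find "${dir:-/}" -xdev \
        \( -path "$dir/proc" -o -path "$dir/sys" -o -path "$dir/dev" \) -prune \
        -o -type f -exec sha256sum {} + 2>/dev/null | sort -k 2 > "$out"
}

# compare_snapshots BEFORE AFTER
#   Prints one line per difference: "ADDED p", "MODIFIED p" or "DELETED p".
#   Assumes paths without whitespace (sha256sum's second field is the path).
compare_snapshots() {
    before="$1"
    after="$2"
    awk '
        NR == FNR { old[$2] = $1; next }        # first file: baseline hashes
        { new[$2] = $1 }                         # second file: post-exploit
        END {
            for (p in new) if (!(p in old))              print "ADDED " p
            for (p in new) if ((p in old) && old[p] != new[p]) print "MODIFIED " p
            for (p in old) if (!(p in new))              print "DELETED " p
        }' "$before" "$after" | sort
}

# Typical use inside the replica container (uncomment to run):
#   snapshot_tree / /tmp/before.txt
#   ... run the exploit, wait a minute ...
#   snapshot_tree / /tmp/after.txt
#   compare_snapshots /tmp/before.txt /tmp/after.txt
```

The paths that show up as ADDED or MODIFIED in the replica are the indicators to look for in the production container; `docker diff <container>` gives a quicker but coarser view, since it only reports paths changed relative to the image layer, not what changed in them.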

Result:

After successful exploitation, depending on the exploit type, some files will have been created or modified in the replica. Review those changes and perform file forensics on them to identify the traces the exploit leaves. Then examine the production container for the same traces to confirm or rule out exploitation.