Updated on 2022-04-01 GMT+08:00

Container Intrusion Response

Container Guard Service (CGS) detects container escapes, high-risk system calls, abnormal processes and abnormal files, and checks the container environment for risky configurations. Once alarm notification is enabled, CGS sends an email and an SMS message each time it detects an abnormal event.

This document describes the emergency response measures to take during and after a container intrusion.

Context

An increasing number of enterprises are adopting cloud-native technologies and deploying their applications in containers, yet many of those containers are exposed to attack. Containers on the same node share the host OS kernel, storage and other resources. An attacker who compromises one container can exploit kernel or runtime vulnerabilities to escape from it, attack the node OS, steal data, or take over the server. You therefore need to act immediately when a container intrusion is detected.

Prerequisites

You have confirmed that the CGS intrusion alarm is genuine and not a false positive.

Handling a Container Intrusion Emergency

  1. Log in to the management console.
  2. In the upper part of the page, select a region, open the service list, and choose Security & Compliance > Container Guard Service.
  3. In the navigation pane, choose Runtime Security.
  4. Obtain the container instance name and node name of the intrusion program.

    Click a tab (Escapes, High-risk System Calls, Abnormal Programs, Abnormal Files, or Container Environment) according to the alarm information and check the container instance name and node.
    Figure 1 Abnormal event list

  5. Disconnect the container from the Internet.

    Cutting off inbound access stops the attacker from continuing to interact with the container while you preserve evidence. For example, use Elastic Load Balance (ELB) to configure an access control policy that allows only specific IP addresses (such as your incident response team's addresses) to reach the container.

    1. Open the service list and choose Network > Elastic Load Balance.
    2. Find the ELB instance used by the container.
    3. Click the instance name. Click the Listeners tab.
    4. In the Basic Information area, click Configure Access Control.
      Figure 2 Configuring access control
    5. In the Configure Access Control dialog box, add IP addresses to the whitelist.
      • Set Access Policy to Whitelist.
      • Select an IP address group.
      • Enable Access Control.
        Figure 3 Configuring the IP address whitelist
    6. Click OK.

  6. Stop the container.

    For example, remotely log in to the intruded node from the ECS console and suspend the container. Suspending (pausing) rather than killing the container freezes the attacker's processes in place, so their memory and open files survive for the evidence collection in the next step.

    1. In the navigation pane, choose Elastic Cloud Server.
    2. In the Operation column of the intruded node, click Remote Login.

      If the login fails, rectify the fault by referring to What Should I Do If I Cannot Log In to My Linux ECS?

      Figure 4 Remote login
    3. Run the following command to obtain the ID of the container. Note that grep matches substrings, so check that the listed name is exactly the one reported by CGS (for example, web-1 also matches web-10):

      docker ps | grep Container_instance_name

    4. Run the following command to suspend the container. docker pause freezes every process in the container with the cgroup freezer; the processes are not terminated and can be resumed later with docker unpause if needed:

      docker pause Container_ID

  7. Retain intrusion traces.

    1. Snapshot the paused container into a new image and export that image. docker save accepts only images, and the original image does not contain the files the attacker created or modified, so commit the container first:

      docker commit --pause=true Container_ID evidence_image:tag
      docker save evidence_image:tag -o Image_file.tar

    2. (Optional) Run the following command to export the container configuration (mounts, environment variables, network settings and the running command):

      docker inspect Container_ID > Container_config.json

  8. Analyze the attack source.

    1. On another node, import the image exported in step 7.a. Run the following command:

      docker load -i Image_file.tar

    2. Start a new container from the imported image. Because the image may contain a live implant, start it without network access so that it cannot reach the attacker's infrastructure:

      docker run -d -it --network none --name Container_name Image_ID /bin/bash

    3. Contact technical support to examine system logs and search for malicious files, locate the cause of the intrusion, and decide on further emergency response measures.