mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-19 14:09:40 +03:00
Initial commit - 611 cybersecurity skills across all subdomains
This commit is contained in:
@@ -0,0 +1,28 @@
|
||||
# Standards and References - Container Drift Detection
|
||||
|
||||
## Industry Standards
|
||||
|
||||
### NIST SP 800-190: Application Container Security Guide
|
||||
- Section 3.3: Containers modified at runtime indicate compromise
|
||||
- Section 4.2: Monitor containers for unauthorized changes
|
||||
- Recommends treating containers as immutable infrastructure
|
||||
|
||||
### CIS Kubernetes Benchmark v1.9
|
||||
- Control 5.2.8: Minimize container readOnlyRootFilesystem
|
||||
- Control 5.7.3: Apply security contexts to pods
|
||||
- Control 5.7.4: Default namespace restrictions
|
||||
|
||||
### MITRE ATT&CK for Containers
|
||||
- T1610: Deploy Container -- unauthorized container deployment
|
||||
- T1611: Escape to Host -- container boundary violation
|
||||
- T1059.004: Unix Shell execution in containers
|
||||
- T1105: Ingress Tool Transfer -- downloading tools into containers
|
||||
|
||||
## Compliance Mapping
|
||||
|
||||
| Requirement | Framework | Drift Detection Capability |
|
||||
|-------------|-----------|--------------------------|
|
||||
| Change detection | PCI DSS 11.5 | File integrity monitoring in containers |
|
||||
| Unauthorized software | SOC 2 CC6.8 | Binary execution drift alerts |
|
||||
| Configuration management | ISO 27001 A.12.1 | Image digest verification |
|
||||
| Incident detection | NIST CSF DE.CM-7 | Runtime behavioral anomaly detection |
|
||||
@@ -0,0 +1,39 @@
|
||||
# Workflows - Container Drift Detection
|
||||
|
||||
## Detection Workflow
|
||||
|
||||
1. Container image deployed with known-good state
|
||||
2. Runtime monitor (Falco/Sysdig) tracks all process executions and file changes
|
||||
3. Events compared against baseline: original image manifest + expected runtime behavior
|
||||
4. Drift events classified by severity (binary drift = HIGH, config drift = MEDIUM)
|
||||
5. Alerts sent to SIEM/SOC with full container context
|
||||
6. Automated response: isolate pod network, capture forensics, evict pod
|
||||
|
||||
## Implementation Phases
|
||||
|
||||
### Phase 1: Visibility (Weeks 1-2)
|
||||
- Deploy Falco with drift detection rules in alert-only mode
|
||||
- Collect baseline of normal container behavior per workload
|
||||
- Identify legitimate runtime changes (log files, temp files, caches)
|
||||
- Create allowlists for expected runtime modifications
|
||||
|
||||
### Phase 2: Detection (Weeks 3-4)
|
||||
- Enable drift detection alerts with tuned thresholds
|
||||
- Integrate with SIEM for correlation and dashboarding
|
||||
- Build runbooks for drift investigation
|
||||
- Conduct tabletop exercises with container drift scenarios
|
||||
|
||||
### Phase 3: Prevention (Weeks 5-8)
|
||||
- Enable readOnlyRootFilesystem on all production workloads
|
||||
- Deploy Pod Security Standards in enforce mode
|
||||
- Implement image digest pinning in all manifests
|
||||
- Enable automated pod eviction for confirmed drift events
|
||||
|
||||
## Incident Response for Drift Events
|
||||
|
||||
1. **Triage**: Is the drift from a legitimate operation or potential compromise?
|
||||
2. **Contain**: Apply NetworkPolicy deny-all to affected pod
|
||||
3. **Collect**: Capture container filesystem diff, process tree, network connections
|
||||
4. **Analyze**: Compare drifted files against malware signatures and IoCs
|
||||
5. **Remediate**: Delete compromised pod, scan all pods in namespace
|
||||
6. **Recover**: Deploy clean image, verify no persistence mechanisms
|
||||
Reference in New Issue
Block a user