Anthropic-Cybersecurity-Skills/skills/detecting-container-drift-at-runtime/references/workflows.md
# Workflows - Container Drift Detection
## Detection Workflow
1. Container image deployed with known-good state
2. Runtime monitor (Falco/Sysdig) tracks all process executions and file changes
3. Events compared against baseline: original image manifest + expected runtime behavior
4. Drift events classified by severity (binary drift = HIGH, config drift = MEDIUM)
5. Alerts sent to SIEM/SOC with full container context
6. Automated response: isolate pod network, capture forensics, evict pod
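Steps 3 and 4 of the workflow above (baseline comparison and severity classification), together with the Phase 1 allowlist for expected runtime writes, as an added Python example that is not part of this skill's own code. The image manifest, allowlist paths, path classes, and the Falco-style events are all constructed for the example, and the LOW class for unranked writes is an assumption beyond the two severities the workflow names.

```python
from fnmatch import fnmatch

# Constructed baseline: digests of files shipped in the image (derived from
# the image layers at deploy time in practice).
IMAGE_MANIFEST = {"/usr/bin/app": "sha256:aaaa", "/usr/lib/libapp.so": "sha256:cccc",
                  "/etc/app/config.yaml": "sha256:bbbb"}
# Expected runtime writes found during the visibility phase (assumed paths).
RUNTIME_ALLOWLIST = ("/var/log/*", "/tmp/*", "/var/cache/*")
# Path classes that decide severity (assumed layout for this example).
BINARY_GLOBS = ("/usr/bin/*", "/usr/sbin/*", "/bin/*", "/sbin/*", "/usr/lib/*")
CONFIG_GLOBS = ("/etc/*",)
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

def _matches(path, globs):
    return any(fnmatch(path, g) for g in globs)

def classify_event(event):
    """Drift finding for one {"container","type","path","digest"} event, or None
    if expected. Write events carry the post-write digest; exec events none."""
    path, digest = event["path"], event.get("digest")
    baseline = IMAGE_MANIFEST.get(path)
    # The allowlist covers expected writes only: executing from a log,
    # temp or cache directory is still drift.
    if event["type"] == "write" and _matches(path, RUNTIME_ALLOWLIST):
        return None
    if baseline is not None and (digest == baseline or
                                 (event["type"] == "exec" and digest is None)):
        return None  # shipped file, content unchanged (or no digest to dispute)
    if event["type"] == "exec" or _matches(path, BINARY_GLOBS):
        kind, severity = "binary", "HIGH"    # new or modified executable
    elif _matches(path, CONFIG_GLOBS):
        kind, severity = "config", "MEDIUM"  # modified configuration
    else:
        kind, severity = "other", "LOW"      # assumption: unranked by the workflow
    return {"container": event["container"], "path": path, "kind": kind, "severity": severity,
            "reason": "not in image" if baseline is None else "digest changed"}

def classify_events(events):
    """Classify a batch and order findings for the SIEM, HIGH first."""
    findings = [f for f in map(classify_event, events) if f is not None]
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])

# Constructed Falco-style events from one container.
SAMPLE_EVENTS = [
    {"container": "web-7f9", "type": "write", "path": "/var/log/app.log", "digest": None},
    {"container": "web-7f9", "type": "exec", "path": "/usr/bin/app", "digest": None},
    {"container": "web-7f9", "type": "write", "path": "/etc/app/config.yaml", "digest": "sha256:dddd"},
    {"container": "web-7f9", "type": "write", "path": "/usr/bin/dropped-tool", "digest": "sha256:eeee"},
    {"container": "web-7f9", "type": "exec", "path": "/tmp/unknown", "digest": None},
]
```

Running `classify_events(SAMPLE_EVENTS)` yields two HIGH binary findings (the file written under `/usr/bin` and the execution from `/tmp`) followed by one MEDIUM config finding; the log write and the execution of the shipped binary produce nothing.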
## Implementation Phases
### Phase 1: Visibility (Weeks 1-2)
- Deploy Falco with drift detection rules in alert-only mode
- Collect baseline of normal container behavior per workload
- Identify legitimate runtime changes (log files, temp files, caches)
- Create allowlists for expected runtime modifications
### Phase 2: Detection (Weeks 3-4)
- Enable drift detection alerts with tuned thresholds
- Integrate with SIEM for correlation and dashboarding
- Build runbooks for drift investigation
- Conduct tabletop exercises with container drift scenarios
### Phase 3: Prevention (Weeks 5-8)
- Enable readOnlyRootFilesystem on all production workloads
- Deploy Pod Security Standards in enforce mode
- Implement image digest pinning in all manifests
- Enable automated pod eviction for confirmed drift events
## Incident Response for Drift Events
1. **Triage**: Is the drift from a legitimate operation or potential compromise?
2. **Contain**: Apply NetworkPolicy deny-all to affected pod
3. **Collect**: Capture container filesystem diff, process tree, network connections
4. **Analyze**: Compare drifted files against malware signatures and IoCs
5. **Remediate**: Delete compromised pod, scan all pods in namespace
6. **Recover**: Deploy clean image, verify no persistence mechanisms