How Cado Enables Investigations in Distroless Container Environments

The shift towards adopting distroless containers for enhanced security and efficiency brings new challenges for security teams investigating potential threats within these minimalist environments. Distroless containers, whilst reducing the attack surface and improving performance, present significant visibility challenges due to their lack of standard utilities and monitoring tools. 

What are Distroless Containers?

Distroless containers are a bare-bones version of standard containers that contain only the application and its runtime dependencies. They lack the shell utilities, package managers, and other common binaries found in traditional container operating systems. This minimalist design offers several benefits, including reduced disk usage, faster deployment times, and a smaller attack surface, making them inherently more secure. However, this same minimalism makes it difficult for security teams to investigate and respond to incidents, as the usual tools and logs are not readily available.

The Challenge of Investigating Distroless Containers

The main challenge with distroless containers is their limited visibility and the lack of standard tools for data collection and forensic analysis. Without common utilities and logging capabilities, traditional investigation methods are not sufficient. Security teams need a new approach to effectively manage and investigate incidents in these environments.

How Cado Security Addresses the Challenge

Cado Security has introduced a groundbreaking solution to enable forensic investigations in distroless container environments. Here’s how the Cado platform’s new feature works and why it’s unique:

Novel Data Collection Approach:

Ephemeral Debug Containers: Cado utilizes the Kubernetes API to create ephemeral debug containers that attach to the target container, sharing the same namespace and resources. This allows for the seamless collection of forensic data without impacting the target container’s operations.

Customizable Debug Container Image: The default image used is Debian, but it can be substituted with any compatible image, ensuring flexibility and compatibility with various infrastructures.

Efficient Forensic Evidence Gathering:

Automated Command Execution: Within the debug container, commands are executed to download and run the Cado Host binary. This binary collects essential forensic artifacts, including running processes and key log files, from the target container.

Memory Collection: Cado’s platform leverages the open-sourced “varc” toolset to collect memory from individual processes, enabling detailed forensic analysis.

Immediate Investigation Capabilities:

Centralized Data Presentation: The collected forensic evidence is presented within the Cado platform, allowing security teams to immediately investigate the root cause, scope, and impact of malicious activities.

Patent-Pending Techniques: Cado’s approach to collecting data from distroless containers is unique and patent-pending, ensuring that security teams have access to the most advanced forensic tools available.

Importing Distroless Containers Into Cado

Navigate to Import Section:

Go to ‘Import’ and select ‘Cado Host’.

Choose ‘Kubernetes’ and follow the prompts to acquire the necessary data.

Specify Target Details:

Enter the Pod Name, Pod Namespace, and Target Container details.

Run the Command:

Use the generated command for the Kubernetes API with kubectl.

Execute this command on a system with access to the Kubernetes cluster's control plane.

Data Acquisition:

The command creates an ephemeral debug container and executes commands to download and run the Cado Host binary.

Forensic data is collected and uploaded for analysis.

Analyze the Data:

Access the collected forensic artifacts within the Cado platform.

Perform your investigation to determine the root cause, scope, and impact of any detected malicious activity

If you want to hear more about how Cado can help you perform investigations in your distroless container environments, Contact us to schedule a demo.