Deceptive Docker Container

Goal: To identify attackers attempting to compromise or gain access to sensitive data within Docker containers.

Approach: Monitor access to the deceptive container and analyze attacker behavior. This element involves deploying a deceptive Docker container that mimics a legitimate one but contains fake or misleading data, or triggers alerts upon access.

Attackers who attempt to access or modify data within the deceptive container are identified, and their actions are logged.
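One way to turn "access to the decoy is logged" into an alert, as an added example that is not part of the original page: consume the Docker daemon's event stream (`docker events --format '{{json .}}'`) and flag any interactive action (exec, attach, copy, commit, export) against a container whose name is on our decoy list. The decoy names and the sample event lines are constructed assumptions.

```python
import json
from dataclasses import dataclass

# Assumption: these are the names we chose for our decoy containers.
DECOY_CONTAINERS = {"billing-db-backup", "vault-agent"}

# Actions that mean someone is interacting with a running container, as
# opposed to the lifecycle events an orchestrator generates by itself.
INTERACTIVE_ACTIONS = {"exec_create", "exec_start", "attach", "copy", "commit", "export"}


@dataclass
class Alert:
    time: int       # Unix seconds from the event
    container: str  # decoy container name
    action: str     # e.g. "exec_create"
    detail: str     # e.g. the command handed to docker exec


def parse_event(line: str):
    """Parse one line of `docker events --format '{{json .}}'`; drop non-container noise."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    return ev if ev.get("Type") == "container" else None


def alerts_from_events(lines):
    """Return one Alert per interactive action taken against a decoy container."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        name = ev.get("Actor", {}).get("Attributes", {}).get("name", "")
        if name not in DECOY_CONTAINERS:
            continue
        # Docker encodes exec commands as "exec_create: /bin/sh -c ...".
        action, _, detail = ev.get("Action", "").partition(": ")
        if action in INTERACTIVE_ACTIONS:
            alerts.append(Alert(int(ev.get("time", 0)), name, action, detail))
    return alerts


# Constructed sample stream (not a real capture): a normal start of the decoy,
# a shell exec'd into it, an exec into a genuine container, and a junk line.
SAMPLE_EVENTS = [
    '{"Type":"container","Action":"start","Actor":{"ID":"a1","Attributes":{"name":"billing-db-backup"}},"time":1700000000}',
    '{"Type":"container","Action":"exec_create: /bin/sh -c cat /backup/customers.sql","Actor":{"ID":"a1","Attributes":{"name":"billing-db-backup"}},"time":1700000042}',
    '{"Type":"container","Action":"exec_start: /bin/sh -c cat /backup/customers.sql","Actor":{"ID":"a1","Attributes":{"name":"billing-db-backup"}},"time":1700000042}',
    '{"Type":"container","Action":"exec_create: /bin/bash","Actor":{"ID":"b2","Attributes":{"name":"web-frontend"}},"time":1700000050}',
    'not json at all',
]
```

Because a legitimate container never has a reason to be exec'd into or copied from once it is running, any hit on the decoy is high-signal and can be forwarded straight to the SIEM.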

Engage Goals: EGO0001 Expose, EGO0003 Elicit

Engage Approach: EAP0001 Collect, EAP0002 Detect

Engage Actions: EAC0015 Information Manipulation, EAC0018 Security Controls

Technical Context:

This element can be combined with other deceptive elements, such as deceptive configuration files or fake network services, to enhance its effectiveness. It aligns with the MITRE ATT&CK technique T1005 (Data from Local System).

Other:

This element requires careful planning and execution to ensure that it does not interfere with the normal operation of the Docker environment.
