by yjftsjthsd-h
1264 days ago
> Only using privileged containers, or else you don’t have visibility into signal from other containers.

The suspect application doesn't need the privileges, so I'm not sure how much of a problem that is?

> there’s an important distinction between “you captured a log showing the smoking gun evidence of the supply chain attack”, and “you successfully picked that log out of all of the log data you generated and classified it with high confidence as an attack”.

Assuming that you're talking about the signal:noise problem, that's hard in the general case but I feel like you could easily pick off really obvious cases like trying to access private SSH/GPG keys and still get a lot of value.
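Added example (not part of the comment above, and not any project's code) of the "obvious case" detector the commenter has in mind: a small scan over file-open events from a build container that flags reads of SSH/GPG private keys by processes that have no business reading them. The JSON-lines event format, the sample events and the allowlist of expected readers are all constructed here as assumptions; a real deployment would feed it whatever its runtime monitoring emits.

```python
import json
import re

# Constructed sample of file-open events in a hypothetical JSON-lines format
# (container id, process name, path). It stands in for whatever your runtime
# monitoring actually emits; it is not any real tool's output.
SAMPLE_EVENTS = """\
{"container": "build-7f3a", "comm": "node", "path": "/app/node_modules/leftpad/index.js"}
{"container": "build-7f3a", "comm": "node", "path": "/root/.ssh/id_ed25519"}
{"container": "build-7f3a", "comm": "node", "path": "/root/.ssh/id_ed25519.pub"}
{"container": "build-7f3a", "comm": "gpg", "path": "/root/.gnupg/private-keys-v1.d/A1B2.key"}
{"container": "ci-runner", "comm": "ssh", "path": "/home/ci/.ssh/id_rsa"}
{"container": "build-7f3a", "comm": "node", "path": "/root/.ssh/known_hosts"}
{"container": "build-7f3a", "comm": "curl", "path": "/root/.gnupg/private-keys-v1.d/A1B2.key"}
"""

# Paths a build step almost never needs to read. Public keys and known_hosts are
# deliberately excluded: they are read constantly and are not secrets.
HOME = r"^/(?:root|home/[^/]+)"
SENSITIVE_PATHS = [
    (re.compile(HOME + r"/\.ssh/id_[^/]+(?<!\.pub)$"), "ssh-private-key"),
    (re.compile(HOME + r"/\.gnupg/(?:private-keys-v1\.d/|secring\.gpg$)"), "gpg-private-key"),
]

# Processes expected to read each class of secret (an assumed allowlist). This is
# the crude first cut at the signal:noise problem: an ssh client reading id_rsa is
# normal, a package manager's interpreter doing it is not.
EXPECTED_READERS = {
    "ssh-private-key": {"ssh", "ssh-agent", "ssh-add", "git"},
    "gpg-private-key": {"gpg", "gpg-agent"},
}


def classify_path(path: str):
    """Return the secret class for a path, or None if it is not a known secret."""
    for pattern, category in SENSITIVE_PATHS:
        if pattern.search(path):
            return category
    return None


def find_unexpected_key_access(events_text: str):
    """Scan JSON-lines events and return those where a process outside the
    expected set for that secret class read a private key."""
    findings = []
    for line in events_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        category = classify_path(event["path"])
        if category is None:
            continue
        if event["comm"] in EXPECTED_READERS[category]:
            continue
        findings.append({
            "container": event["container"],
            "comm": event["comm"],
            "path": event["path"],
            "category": category,
        })
    return findings


if __name__ == "__main__":
    for f in find_unexpected_key_access(SAMPLE_EVENTS):
        print(f"[{f['category']}] {f['container']}: {f['comm']} read {f['path']}")
```

On the sample data this flags exactly two events (node reading an SSH private key, curl reading a GPG private key) and stays silent on the public key, known_hosts, and the legitimate ssh/gpg reads. Keying the allowlist on process name is the weakest part: it is only a noise filter, not a trust boundary, so a production rule would tie expected readers to the image digest or binary hash and treat the allowlist itself as something to review.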
Probably. I’d agree that it’s worth trying at the very least. I’ve run into enough “should be easy” cases that turn out to be not that easy that my default is to get the data and see if the hypothesis really pans out.