Docker Container Escapes - What Actually Works at 3am

When you get that Slack ping at 2am about containers doing weird shit, don't docker kill everything like an idiot. You'll nuke the evidence and learn nothing.

Container escapes happen because Docker's isolation is pretty much theater. Privileged containers with socket access = root on the host. Game over. I've seen this exact scenario four times, and every time it was some developer who mounted /var/run/docker.sock because a Medium article told them to.

Most breakouts aren't sophisticated. They're dumb configuration mistakes that made it past code review. Like that time someone deployed a Jupyter notebook container in privileged mode because matplotlib wouldn't install. Cost us three days and probably some sleep.

The worst part? Docker acts like everything is fine while your container is pwning the host. No warnings, no alerts. Just silent escalation until your Bitcoin mining bill shows up.

Here's what actually works when you're dealing with a potential breakout and your monitoring system is screaming at you:

Incident Classification and Severity Assessment

Oh Shit Indicators (Time to Wake Everyone Up):

## Check for the classic rookie mistakes that give root access
docker ps --filter \"label=privileged=true\" --format \"table {{.Names}}	{{.Image}}	{{.Status}}\"

## This hangs on Docker 24.0.7 and nobody knows why
docker inspect $(docker ps -q) | jq -r '.[] | select(.Mounts[]?.Source == \"/var/run/docker.sock\") | .Name + \" - SOCKET MOUNTED = GAME OVER\"'

## Host network mode = your firewall is now useless
docker ps --filter \"network=host\" --format \"table {{.Names}}	{{.Image}}	{{.Ports}}\"

## See if Docker is spawning weird processes (spoiler: it always is)
ps auxf | grep -E \"(docker|containerd|runc)\" | head -20

Docker has this lovely habit of hanging on the exact command you need most. docker inspect will timeout on the compromised container, guaranteed.

Secondary Indicators (HIGH - Investigate Within 2 Hours):

## Containers with excessive capabilities
docker inspect $(docker ps -q) | jq -r '.[] | select(.HostConfig.CapAdd != null) | .Name + \" - Capabilities: \" + (.HostConfig.CapAdd | join(\",\"))'

## User namespace bypass attempts
docker inspect $(docker ps -q) | jq -r '.[] | select(.HostConfig.UsernsMode == \"host\") | .Name + \" - Host User Namespace\"'

## Containers with writable host mounts
docker inspect $(docker ps -q) | jq -r '.[] | select(.Mounts[]?.RW == true and (.Mounts[]?.Source | startswith(\"/etc\") or startswith(\"/var\") or startswith(\"/usr\"))) | .Name + \" - Writable Host Mount\"'

Immediate Containment Actions

Step 1: Isolate Suspected Containers (Execute in first 5 minutes)

Never immediately stop suspicious containers - you'll lose volatile evidence and running processes. Instead, isolate them:

## Create forensic snapshot before containment
CONTAINER_ID=\"suspicious_container_name\"
docker commit $CONTAINER_ID forensic-snapshot-$(date +%Y%m%d-%H%M%S)

## Isolate container network access (preserves running state)
docker network disconnect bridge $CONTAINER_ID
docker network disconnect $(docker inspect $CONTAINER_ID | jq -r '.[0].NetworkSettings.Networks | keys[]') $CONTAINER_ID 2>/dev/null || true

## Remove dangerous volume mounts (requires container restart - do last)
## docker update --mount-rm /target/dangerous/path $CONTAINER_ID

Step 2: Preserve Evidence State

Critical evidence disappears when containers stop. Capture everything immediately:

#!/bin/bash
## Incident response evidence collection script
INCIDENT_DIR=\"/var/log/docker-incident-$(date +%Y%m%d-%H%M%S)\"
mkdir -p \"$INCIDENT_DIR\"

## Container runtime state
docker ps -a > \"$INCIDENT_DIR/containers.txt\"
docker images > \"$INCIDENT_DIR/images.txt\"
docker network ls > \"$INCIDENT_DIR/networks.txt\"
docker volume ls > \"$INCIDENT_DIR/volumes.txt\"

## System state at time of incident
ps auxf > \"$INCIDENT_DIR/processes.txt\"
netstat -tulpn > \"$INCIDENT_DIR/network-connections.txt\" 
ss -tulpn > \"$INCIDENT_DIR/socket-connections.txt\"
mount > \"$INCIDENT_DIR/mounts.txt\"

## Docker daemon state
systemctl status docker > \"$INCIDENT_DIR/docker-service.txt\"
journalctl -u docker --since \"1 hour ago\" > \"$INCIDENT_DIR/docker-logs.txt\"

## Memory snapshots of suspicious containers
for container in $(docker ps --filter \"status=running\" --format \"{{.Names}}\"); do
    PID=$(docker inspect --format '{{.State.Pid}}' \"$container\")
    if [[ \"$PID\" != \"0\" ]]; then
        echo \"Capturing memory for container: $container (PID: $PID)\"
        # gcore fails about 30% of the time for no good reason
        if command -v gcore &> /dev/null; then
            timeout 60 gcore -o \"$INCIDENT_DIR/memory-$container\" \"$PID\" 2>/dev/null || echo \"gcore shit the bed again for $container\"
        fi
    fi
done

echo \"Evidence preserved in: $INCIDENT_DIR\"

Step 3: Host System Security Assessment

Container breakouts often target the host system. Check for immediate compromise:

## Check for suspicious processes spawned by container runtime
ps auxf | grep -E \"(docker|containerd|runc)\" | grep -v grep

## Look for processes with unusual parent-child relationships
ps -eo pid,ppid,cmd | awk '$2 == 1 && $3 !~ /(kernel|systemd|init)/ {print \"Suspicious PID 1 child:\", $0}'

## Check for new user accounts (common persistence method)
diff <(cat /etc/passwd) <(docker run --rm -v /etc:/host-etc alpine cat /host-etc/passwd) || echo \"No container access to /etc/passwd\"

## Monitor for privilege escalation attempts
ausearch -m avc,user_chauthtok,user_acct,user_mgmt -ts recent | head -20

## Check systemd for new services (backdoor persistence)
systemctl list-units --type=service --state=running | grep -E \"(docker|container)\" | tail -10

Network Traffic Analysis and Lateral Movement Detection

Container escapes often involve network reconnaissance and lateral movement. Capture network evidence before attackers pivot:

## Active network monitoring
tcpdump -i any -w \"/var/log/incident-network-$(date +%Y%m%d-%H%M%S).pcap\" &
TCPDUMP_PID=$!

## Container network activity
for container in $(docker ps --format \"{{.Names}}\"); do
    echo \"=== Network activity for $container ===\" 
    docker exec \"$container\" ss -tulpn 2>/dev/null || echo \"Cannot access $container network\"
    docker exec \"$container\" netstat -rn 2>/dev/null || echo \"Cannot access $container routing\"
done

## Look for suspicious connections to external IPs
netstat -an | awk '/ESTABLISHED/ && !/127.0.0.1/ && !/::1/ {print \"External connection:\", $0}'

## Check for reverse shells (common escape technique)
lsof -i | grep -E \":4444|:1234|:8080|:9001\" | head -10

## Stop network capture after 5 minutes
sleep 300; kill $TCPDUMP_PID 2>/dev/null

File System Integrity Verification

## Check for unauthorized file modifications in critical directories
find /etc /usr/bin /usr/sbin -type f -mtime -1 | head -20

## Look for new SUID/SGID files (privilege escalation technique)
find / -type f \( -perm -4000 -o -perm -2000 \) -newermt \"1 hour ago\" 2>/dev/null

## Check Docker-specific directories for tampering
find /var/lib/docker -type f -mtime -1 | grep -v \"containers/.*/logs\" | head -10

## Verify container image integrity
docker images --digests | while read repo tag digest rest; do
    if [[ \"$digest\" != \"<none>\" ]] && [[ \"$repo\" != \"REPOSITORY\" ]]; then
        echo \"Verifying: $repo:$tag\"
        # Note: This requires Docker Content Trust or Cosign for verification
        docker trust inspect \"$repo:$tag\" 2>/dev/null || echo \"No signature data for $repo:$tag\"
    fi
done

Communication and Escalation Procedures

CRITICAL: Do not communicate incident details over potentially compromised systems

1. Immediate notification (within 15 minutes):

   • Security Operations Center (SOC) via secure channel
   • Incident Response team lead
   • Infrastructure team on-call engineer

2. Initial incident report should include:

   • Affected container names and images
   • Suspected attack vector (socket mount, privileged mode, capability abuse)
   • Evidence of host system compromise (yes/no/unknown)
   • Current containment status

3. Secure communication channels:

   • Use out-of-band communication (separate network/device)
   • Signal, Telegram, or encrypted messaging apps
   • Phone calls for critical coordination

Documentation Requirements for Legal/Compliance

Container incidents often involve compliance requirements (PCI-DSS, HIPAA, SOX) and potential law enforcement involvement. Enterprise organizations must follow incident response frameworks and breach notification requirements while coordinating with threat intelligence platforms and security operations centers:

## Legal hold evidence preservation
LEGAL_HOLD_DIR=\"/secure/storage/incident-$(date +%Y%m%d-%H%M%S)\"
mkdir -p \"$LEGAL_HOLD_DIR\"

## Hash all evidence files for integrity verification
find \"$INCIDENT_DIR\" -type f -exec sha256sum {} \; > \"$LEGAL_HOLD_DIR/evidence-hashes.txt\"

## Create incident timeline
echo \"$(date): Container incident detected\" > \"$LEGAL_HOLD_DIR/incident-timeline.txt\"
echo \"$(date): Evidence collection initiated\" >> \"$LEGAL_HOLD_DIR/incident-timeline.txt\"
echo \"$(date): Containment actions implemented\" >> \"$LEGAL_HOLD_DIR/incident-timeline.txt\"

## Copy critical logs with timestamps preserved
cp -p /var/log/audit/audit.log \"$LEGAL_HOLD_DIR/\" 2>/dev/null || echo \"No audit logs available\"
cp -p /var/log/syslog \"$LEGAL_HOLD_DIR/\" 2>/dev/null || echo \"No syslog available\"

Reality Check: Took me 6 hours last time to get a clean memory dump. Docker kept hanging, gcore crashed twice, and the compromised container decided to restart itself for no reason.

What actually happens:

• First hour: Running docker ps obsessively while trying not to panic
• Hour 2: Finding the mounted socket and realizing how fucked you are
• Hours 3-8: Fighting with gcore while it fails on half the containers
• Rest of day 1: Discovering that overlayfs makes everything 10x harder
• Day 2: Actually reading the logs and understanding what went wrong

Guaranteed problems:

• Docker inspect hangs on the exact container you need
• Memory dumps are either corrupted or empty
• Logs are disabled because "it affects performance"
• Your monitoring decides to take a shit right now
• Every forensic tool assumes normal processes, not containers

Next up is forensic analysis, where you find out what evidence you forgot to collect.

Once you figure out which container is the problem (took me 4 hours last time), you get to do forensics on a system designed by sadists. Everything is ephemeral, layered, and breaks when you look at it wrong.

Traditional forensic tools assume files exist in predictable places. Containers decided that was too easy, so everything is scattered across overlay layers that disappear when you sneeze on them. I've lost count of how many times evidence vanished because some automated cleanup script decided to run during my investigation.

Here's what sometimes works when you need to extract evidence:

Container Memory Analysis (When gcore Actually Works)

Memory analysis is great when gcore doesn't crash and Volatility doesn't spend 6 hours analyzing a dump only to shit out Python exceptions. Last incident, I waited overnight for Volatility to process 4GB of memory, woke up to find it had crashed at 87% completion.

When it works, memory dumps are the only way to see what attackers actually did vs what they want you to think they did. Files disappear when containers die, but memory tells the real story. Volatility is still the only game in town, despite crashing more than my first car.

Modern attacks live entirely in memory to avoid filesystem detection. I've seen cryptominers that never touched disk - just allocated memory and went to town. Container memory dumps show namespace fuckery and process injection that you'd never catch otherwise:

## Enhanced memory acquisition for forensic analysis
#!/bin/bash
CONTAINER_NAME=\"$1\"
FORENSIC_DIR=\"/var/forensics/$(date +%Y%m%d-%H%M%S)\"
mkdir -p \"$FORENSIC_DIR\"

## Get container process details
CONTAINER_PID=$(docker inspect --format '{{.State.Pid}}' \"$CONTAINER_NAME\")
if [[ \"$CONTAINER_PID\" == \"0\" ]]; then
    echo \"Container not running - using commit for static analysis\"
    docker commit \"$CONTAINER_NAME\" \"forensic-image-$(date +%H%M%S)\"
    exit 1
fi

echo \"Analyzing container: $CONTAINER_NAME (PID: $CONTAINER_PID)\"

## Comprehensive memory dump
gcore -o \"$FORENSIC_DIR/container-memory\" \"$CONTAINER_PID\"

## Process tree analysis 
pstree -p \"$CONTAINER_PID\" > \"$FORENSIC_DIR/process-tree.txt\"
ps --forest -eo pid,ppid,user,cmd | grep -A20 -B5 \"$CONTAINER_PID\" > \"$FORENSIC_DIR/process-context.txt\"

## Memory map analysis
cat \"/proc/$CONTAINER_PID/maps\" > \"$FORENSIC_DIR/memory-maps.txt\"
cat \"/proc/$CONTAINER_PID/smaps\" > \"$FORENSIC_DIR/detailed-memory-maps.txt\"

## Open files and network connections
lsof -p \"$CONTAINER_PID\" > \"$FORENSIC_DIR/open-files.txt\"
ls -la \"/proc/$CONTAINER_PID/fd/\" > \"$FORENSIC_DIR/file-descriptors.txt\"

## Environment and command line
cat \"/proc/$CONTAINER_PID/environ\" | tr '\0' '
' > \"$FORENSIC_DIR/environment.txt\"
cat \"/proc/$CONTAINER_PID/cmdline\" | tr '\0' ' ' > \"$FORENSIC_DIR/command-line.txt\"

## Namespace information
ls -la \"/proc/$CONTAINER_PID/ns/\" > \"$FORENSIC_DIR/namespaces.txt\"

## Control groups
cat \"/proc/$CONTAINER_PID/cgroup\" > \"$FORENSIC_DIR/cgroups.txt\"

echo \"Memory analysis complete in: $FORENSIC_DIR\"

Volatility Analysis (When It Doesn't Crash):

Volatility crashes constantly. I've got a 50/50 success rate with it, and when it fails, the error messages are useless. "Profile not found" - great, which one of the 47 Linux profiles do I need? Budget a full day for what should take 30 minutes.

## This will probably fail with a profile error first
vol -f \"$FORENSIC_DIR/container-memory.$PID\" linux.info || echo \"Volatility profile issues, try --dtb flag\"

## These might work if you're lucky
vol -f \"$FORENSIC_DIR/container-memory.$PID\" linux.pslist > \"$FORENSIC_DIR/processes.txt\"
vol -f \"$FORENSIC_DIR/container-memory.$PID\" linux.pstree > \"$FORENSIC_DIR/process-tree.txt\"

## malfind occasionally finds actual malware
vol -f \"$FORENSIC_DIR/container-memory.$PID\" linux.malfind > \"$FORENSIC_DIR/malware-indicators.txt\"

## Network connections - pure luck if this works
vol -f \"$FORENSIC_DIR/container-memory.$PID\" linux.netstat > \"$FORENSIC_DIR/network-stuff.txt\"

## bash history sometimes works, usually doesn't
vol -f \"$FORENSIC_DIR/container-memory.$PID\" linux.bash | grep -E \"(curl|wget|nc|/bin/sh)\" > \"$FORENSIC_DIR/bash-history.txt\" || echo \"Bash history extraction failed again\"

Pro tip: If Volatility3 eats all 32GB of your analysis machine's RAM and still can't finish processing a 4GB dump, that's Tuesday. Kill it and try with a smaller sample. I've had better luck with Volatility 2.6.1 on older kernels, but good luck finding the right profile.

Container Image Layer Analysis and Supply Chain Investigation

Container images are layered filesystems where attackers hide their shit. Each layer is a potential backdoor location. I've found cryptominers buried 5 layers deep in what looked like a legitimate Python base image.

Docker's security model assumes you'll scan every image, configure admission controllers, and keep everything patched. In reality, attackers compromise npm packages, inject backdoors into base images, and hide cryptominers in legitimate-looking dependencies.

Last year we found a backdoored Python package that made it past Snyk, Trivy, and our internal security scanning. It sat dormant for 6 weeks before activating and mining Monero on our production cluster. Cost us 3 days and about $2000 in excess compute costs before we figured out what was happening.

## Comprehensive image forensics
#!/bin/bash
IMAGE_NAME=\"$1\"
ANALYSIS_DIR=\"/var/forensics/image-analysis-$(date +%Y%m%d-%H%M%S)\"
mkdir -p \"$ANALYSIS_DIR\"

## Export complete image
docker save \"$IMAGE_NAME\" -o \"$ANALYSIS_DIR/image.tar\"

## Extract image manifest and layers
cd \"$ANALYSIS_DIR\"
tar -xf image.tar

## Parse manifest for layer analysis
MANIFEST_FILE=\"manifest.json\"
if [[ -f \"$MANIFEST_FILE\" ]]; then
    # Extract layer information
    jq -r '.[0].Layers[]' \"$MANIFEST_FILE\" > layers.txt
    jq -r '.[0].Config' \"$MANIFEST_FILE\" > config.txt
    
    # Analyze each layer
    layer_num=1
    while read layer_path; do
        echo \"=== Analyzing Layer $layer_num: $layer_path ===\"
        layer_dir=\"layer_$layer_num\"
        mkdir -p \"$layer_dir\"
        tar -tf \"$layer_path\" | head -20 > \"$layer_dir/files.txt\"
        tar -xf \"$layer_path\" -C \"$layer_dir\"
        
        # Look for suspicious files in this layer
        find \"$layer_dir\" -type f \( -name \"*.sh\" -o -name \"cron*\" -o -name \"*history*\" -o -name \"*.service\" \) | head -10 > \"$layer_dir/suspicious-files.txt\"
        
        # Check for SUID/SGID files
        find \"$layer_dir\" -type f \( -perm -4000 -o -perm -2000 \) > \"$layer_dir/privileged-files.txt\"
        
        # Look for hidden files and directories
        find \"$layer_dir\" -name \".*\" -type f > \"$layer_dir/hidden-files.txt\"
        
        ((layer_num++))
    done < layers.txt
fi

## Analyze configuration
CONFIG_DIGEST=$(cat config.txt)
tar -xf \"blobs/sha256/$CONFIG_DIGEST\" && mv \"$CONFIG_DIGEST\" config.json

## Extract dangerous configuration
jq -r '.config.Env[]?' config.json | grep -iE \"(password|key|token|secret)\" > dangerous-env.txt
jq -r '.config.User' config.json > user-config.txt
jq -r '.config.Cmd[]?' config.json > default-command.txt
jq -r '.history[].created_by' config.json | grep -E \"(curl|wget|pip install|npm install)\" > supply-chain.txt

echo \"Image analysis complete in: $ANALYSIS_DIR\"

Supply Chain Attack Detection:

Container supply chain attacks inject malicious code during the build process. Analyze build history for suspicious commands:

## Build history analysis
docker history --no-trunc \"$IMAGE_NAME\" | grep -E \"(curl|wget|pip|npm|apt-get|yum)\" > build-commands.txt

## Look for suspicious package installations
docker history --no-trunc \"$IMAGE_NAME\" | grep -iE \"(bitcoin|mining|crypto|xmrig|proxy)\" || echo \"No obvious mining software\"

## Check for network calls during build
docker history --no-trunc \"$IMAGE_NAME\" | grep -E \"https?://\" | grep -vE \"(archive.ubuntu.com|security.ubuntu.com|registry.npmjs.org|pypi.org)\" > suspicious-downloads.txt

## Verify base image integrity (if using Docker Content Trust)
docker trust inspect \"$IMAGE_NAME\" --pretty 2>/dev/null || echo \"No signature verification available\"

Runtime Configuration Analysis

Container runtime configuration reveals privilege escalations, dangerous mounts, and security bypasses:

## Deep container configuration analysis
#!/bin/bash
CONTAINER_NAME=\"$1\"
CONFIG_ANALYSIS=\"/var/forensics/config-$(date +%Y%m%d-%H%M%S)\"
mkdir -p \"$CONFIG_ANALYSIS\"

## Complete container inspection
docker inspect \"$CONTAINER_NAME\" > \"$CONFIG_ANALYSIS/full-inspect.json\"

## Security-relevant configuration extraction
jq -r '.[] | {
    Name: .Name,
    Privileged: .HostConfig.Privileged,
    PidMode: .HostConfig.PidMode,
    NetworkMode: .HostConfig.NetworkMode,
    UsernsMode: .HostConfig.UsernsMode,
    CapAdd: .HostConfig.CapAdd,
    CapDrop: .HostConfig.CapDrop,
    SecurityOpt: .HostConfig.SecurityOpt,
    Mounts: [.Mounts[] | {Source: .Source, Target: .Destination, ReadOnly: .RW}]
}' \"$CONFIG_ANALYSIS/full-inspect.json\" > \"$CONFIG_ANALYSIS/security-config.json\"

## Identify critical security issues
echo \"=== CRITICAL SECURITY FINDINGS ===\" > \"$CONFIG_ANALYSIS/findings.txt\"

## Check for privileged mode
if jq -e '.[].HostConfig.Privileged' \"$CONFIG_ANALYSIS/full-inspect.json\" | grep -q true; then
    echo \"CRITICAL: Container running in privileged mode\" >> \"$CONFIG_ANALYSIS/findings.txt\"
fi

## Check for Docker socket mounting
if jq -e '.[].Mounts[]? | select(.Source == \"/var/run/docker.sock\")' \"$CONFIG_ANALYSIS/full-inspect.json\" > /dev/null; then
    echo \"CRITICAL: Docker socket mounted - full host compromise possible\" >> \"$CONFIG_ANALYSIS/findings.txt\"
fi

## Check for dangerous capabilities
DANGEROUS_CAPS=\"SYS_ADMIN,SYS_PTRACE,SYS_MODULE,DAC_OVERRIDE,NET_RAW\"
IFS=',' read -ra CAPS <<< \"$DANGEROUS_CAPS\"
for cap in \"${CAPS[@]}\"; do
    if jq -e \".[].HostConfig.CapAdd[]? | select(. == \\\"$cap\\\")\" \"$CONFIG_ANALYSIS/full-inspect.json\" > /dev/null; then
        echo \"HIGH: Dangerous capability added: $cap\" >> \"$CONFIG_ANALYSIS/findings.txt\"
    fi
done

## Check for host network access
if jq -e '.[].HostConfig.NetworkMode' \"$CONFIG_ANALYSIS/full-inspect.json\" | grep -q host; then
    echo \"HIGH: Container using host network namespace\" >> \"$CONFIG_ANALYSIS/findings.txt\"
fi

## Check for writable host mounts
jq -r '.[] | .Mounts[]? | select(.RW == true and (.Source | startswith(\"/etc\") or startswith(\"/var\") or startswith(\"/usr\") or startswith(\"/bin\") or startswith(\"/sbin\"))) | \"MEDIUM: Writable host mount - Source: \" + .Source + \" Target: \" + .Destination' \"$CONFIG_ANALYSIS/full-inspect.json\" >> \"$CONFIG_ANALYSIS/findings.txt\"

echo \"Configuration analysis complete: $CONFIG_ANALYSIS\"

File System Timeline and Change Analysis

Container filesystems show what attackers modified, when, and how they established persistence:

## Filesystem forensic analysis
#!/bin/bash
CONTAINER_NAME=\"$1\"
FS_ANALYSIS=\"/var/forensics/filesystem-$(date +%Y%m%d-%H%M%S)\"
mkdir -p \"$FS_ANALYSIS\"

## Export container filesystem
docker export \"$CONTAINER_NAME\" > \"$FS_ANALYSIS/filesystem.tar\"
cd \"$FS_ANALYSIS\"
mkdir filesystem && tar -xf filesystem.tar -C filesystem/

## Timeline analysis - files modified in last 24 hours
find filesystem -type f -mtime -1 | sort > recent-modifications.txt

## Look for suspicious file locations
find filesystem -path \"*/.*\" -name \"*.sh\" > hidden-scripts.txt
find filesystem -name \"*cron*\" -o -name \"*systemd*\" -o -name \"*service*\" > persistence-files.txt
find filesystem -name \"authorized_keys*\" -o -name \"*ssh*\" -o -name \"*.key\" > ssh-artifacts.txt

## Analyze common attack artifacts
echo \"=== ANALYZING COMMON ATTACK ARTIFACTS ===\" > analysis-results.txt

## Check bash history for attack commands
if [[ -f \"filesystem/root/.bash_history\" ]]; then
    echo \"Root bash history found:\" >> analysis-results.txt
    grep -E \"(curl|wget|nc|python.*-c|perl.*-e|/bin/sh|chmod|chown)\" filesystem/root/.bash_history >> analysis-results.txt
fi

## Check for cryptocurrency mining
find filesystem -name \"*xmrig*\" -o -name \"*mining*\" -o -name \"*crypto*\" > mining-artifacts.txt

## Check for network tools
find filesystem -name \"*nmap*\" -o -name \"*netcat*\" -o -name \"*socat*\" -o -name \"*proxychains*\" > network-tools.txt

## Analyze cron jobs for persistence
if [[ -d \"filesystem/var/spool/cron\" ]]; then
    find filesystem/var/spool/cron -type f -exec cat {} \; > cron-analysis.txt
fi

## Check systemd services for backdoors
if [[ -d \"filesystem/etc/systemd/system\" ]]; then
    find filesystem/etc/systemd/system -name \"*.service\" -exec grep -l \"ExecStart\" {} \; | xargs cat > systemd-services.txt
fi

## Check for modified system binaries
echo \"Checking system binary integrity...\" >> analysis-results.txt
find filesystem/bin filesystem/sbin filesystem/usr/bin filesystem/usr/sbin -type f 2>/dev/null | while read binary; do
    if [[ -f \"$binary\" ]]; then
        # Simple size check (more sophisticated integrity checking would use known-good hashes)
        SIZE=$(stat -c%s \"$binary\" 2>/dev/null)
        echo \"$binary:$SIZE\" >> binary-sizes.txt
    fi
done

echo \"Filesystem analysis complete: $FS_ANALYSIS\"

Network Traffic Analysis and Command & Control Detection

Network traffic analysis shows you where attackers went after breaking out. Container escapes are usually just the first step - they want to pivot, exfiltrate data, or establish persistence.

Network forensics for containers is a pain in the ass because of overlay networks, service meshes, and different CNI plugins. Your network looks nothing like traditional server networking. I use tcpdump and Wireshark mostly, but you have to understand container namespaces or you'll miss half the traffic.

Enterprise monitoring tools like Falco or Sysdig help, but they dump so many logs you'll need proper SIEM integration to find anything useful. I've seen security teams drown in alert fatigue from poorly configured container monitoring.

## Network forensic analysis
#!/bin/bash
PCAP_FILE=\"$1\"
NETWORK_ANALYSIS=\"/var/forensics/network-$(date +%Y%m%d-%H%M%S)\"
mkdir -p \"$NETWORK_ANALYSIS\"

## Basic traffic analysis
tcpdump -r \"$PCAP_FILE\" -nn | head -100 > \"$NETWORK_ANALYSIS/traffic-summary.txt\"

## Extract unique external IPs
tcpdump -r \"$PCAP_FILE\" -n | awk '{print $3, $5}' | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v -E '^(10\.|172\.(1[6-9]|2[0-9]|3[0-1])|192\.168\.|127\.)' | sort -u > \"$NETWORK_ANALYSIS/external-ips.txt\"

## Look for suspicious ports (common C2 channels)
tcpdump -r \"$PCAP_FILE\" 'port 4444 or port 1234 or port 8080 or port 9001' > \"$NETWORK_ANALYSIS/suspicious-ports.txt\"

## Check for DNS requests to suspicious domains
tcpdump -r \"$PCAP_FILE\" 'port 53' | grep -E '\.(tk|ml|ga|cf|onion)' > \"$NETWORK_ANALYSIS/suspicious-dns.txt\"

## Look for HTTP traffic with user agents
tcpdump -r \"$PCAP_FILE\" -A 'port 80 or port 8080' | grep -i \"user-agent\" > \"$NETWORK_ANALYSIS/http-user-agents.txt\"

## Detect reverse shell traffic patterns
tcpdump -r \"$PCAP_FILE\" -A | grep -E \"(GET /.*\\|.*sh|POST.*exec|/bin/bash|cmd\\.exe)\" > \"$NETWORK_ANALYSIS/shell-traffic.txt\"

## Check for large data transfers (potential exfiltration)
tcpdump -r \"$PCAP_FILE\" -n | awk '{bytes+=$NF} END {print \"Total bytes:\", bytes}' > \"$NETWORK_ANALYSIS/data-volume.txt\"

## Analyze with additional tools if available
if command -v wireshark &> /dev/null; then
    tshark -r \"$PCAP_FILE\" -T fields -e ip.src -e ip.dst -e tcp.port | sort | uniq -c | sort -rn | head -20 > \"$NETWORK_ANALYSIS/top-connections.txt\"
fi

echo \"Network analysis complete: $NETWORK_ANALYSIS\"

This forensic analysis phase typically takes 2-6 hours depending on the complexity of the incident and amount of evidence. The goal is to build a complete timeline of the attack, identify all compromised systems, and understand the full scope of the breach before proceeding to recovery and remediation.

Now for the fun part: explaining to your manager why "just restart it" isn't a solution. Theory says you need 2-3 weeks for proper recovery. Management wants it fixed by lunch. Reality is somewhere in between, usually involving weekend work and broken monitoring.

Last time this happened, my manager asked why we couldn't just rollback the containers. I had to explain that the host was compromised, the images were potentially backdoored, and our infrastructure-as-code was written by someone who quit six months ago and didn't document anything.

Container recovery is a clusterfuck because everything depends on everything else. Change one security setting and suddenly half your services won't start because they were relying on dangerous configurations that "worked fine" until now.

Infrastructure Damage Assessment and Scope Determination

Before beginning recovery, establish the complete scope of compromise. Container breakouts often affect multiple layers of infrastructure:

#!/bin/bash
## Comprehensive infrastructure assessment
ASSESSMENT_DIR=\"/var/incident/recovery-assessment-$(date +%Y%m%d-%H%M%S)\"
mkdir -p \"$ASSESSMENT_DIR\"

echo \"=== INFRASTRUCTURE COMPROMISE ASSESSMENT ===\" > \"$ASSESSMENT_DIR/assessment-report.txt\"
echo \"Date: $(date)\" >> \"$ASSESSMENT_DIR/assessment-report.txt\"

## Host system integrity check
echo \"1. HOST SYSTEM STATUS:\" >> \"$ASSESSMENT_DIR/assessment-report.txt\"

## Check for persistence mechanisms
echo \"Checking for backdoors and persistence...\" >> \"$ASSESSMENT_DIR/assessment-report.txt\"

## New user accounts created by attackers
awk -F: '$3 >= 1000 {print $1 \":\" $3 \":\" $6}' /etc/passwd | while read user; do
    USERNAME=$(echo \"$user\" | cut -d: -f1)
    # Check when account was created (approximate)
    PASSWD_CHANGE=$(chage -l \"$USERNAME\" 2>/dev/null | grep \"Last password change\" || echo \"Unknown\")
    echo \"User: $USERNAME - $PASSWD_CHANGE\" >> \"$ASSESSMENT_DIR/user-analysis.txt\"
done

## SSH key modifications
find /home -name \".ssh\" -type d | while read ssh_dir; do
    if [[ -f \"$ssh_dir/authorized_keys\" ]]; then
        echo \"SSH keys in $ssh_dir:\" >> \"$ASSESSMENT_DIR/ssh-analysis.txt\"
        ls -la \"$ssh_dir/authorized_keys\" >> \"$ASSESSMENT_DIR/ssh-analysis.txt\"
        echo \"--- Key content ---\" >> \"$ASSESSMENT_DIR/ssh-analysis.txt\"
        cat \"$ssh_dir/authorized_keys\" >> \"$ASSESSMENT_DIR/ssh-analysis.txt\"
        echo \"\" >> \"$ASSESSMENT_DIR/ssh-analysis.txt\"
    fi
done

## Systemd service modifications
systemctl list-units --type=service --state=running | grep -vE \"(systemd|getty|dbus|network)\" > \"$ASSESSMENT_DIR/custom-services.txt\"

## Cron job analysis
find /var/spool/cron /etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly -type f 2>/dev/null | xargs ls -la > \"$ASSESSMENT_DIR/cron-files.txt\"

echo \"2. DOCKER INFRASTRUCTURE STATUS:\" >> \"$ASSESSMENT_DIR/assessment-report.txt\"

## Container status assessment
docker ps -a --format \"table {{.Names}}	{{.Image}}	{{.Status}}	{{.Ports}}\" > \"$ASSESSMENT_DIR/container-status.txt\"

## Image integrity verification
docker images --format \"table {{.Repository}}	{{.Tag}}	{{.ID}}	{{.CreatedAt}}\" > \"$ASSESSMENT_DIR/image-status.txt\"

## Check for suspicious containers
echo \"Identifying high-risk containers...\" >> \"$ASSESSMENT_DIR/assessment-report.txt\"
docker ps -a | while read line; do
    CONTAINER_ID=$(echo \"$line\" | awk '{print $1}')
    if [[ \"$CONTAINER_ID\" != \"CONTAINER\" ]]; then
        # Check if container has dangerous configurations
        PRIVILEGED=$(docker inspect \"$CONTAINER_ID\" --format '{{.HostConfig.Privileged}}' 2>/dev/null || echo \"false\")
        SOCKET_MOUNT=$(docker inspect \"$CONTAINER_ID\" --format '{{range .Mounts}}{{if eq .Source \"/var/run/docker.sock\"}}SOCKET_MOUNTED{{end}}{{end}}' 2>/dev/null)
        if [[ \"$PRIVILEGED\" == \"true\" ]] || [[ \"$SOCKET_MOUNT\" == \"SOCKET_MOUNTED\" ]]; then
            echo \"HIGH RISK: $CONTAINER_ID - Privileged: $PRIVILEGED, Socket: $SOCKET_MOUNT\" >> \"$ASSESSMENT_DIR/high-risk-containers.txt\"
        fi
    fi
done

echo \"3. NETWORK SECURITY STATUS:\" >> \"$ASSESSMENT_DIR/assessment-report.txt\"

## Check for suspicious network connections
ss -tulpn | awk '$1==\"LISTEN\" {print $5}' | sort > \"$ASSESSMENT_DIR/listening-ports.txt\"

## Check iptables for modifications
iptables -L -n > \"$ASSESSMENT_DIR/iptables-rules.txt\"

echo \"Assessment complete. Review files in: $ASSESSMENT_DIR\"

Secure Container Image Rebuilding

Compromised container images must be rebuilt from scratch rather than patched. Attackers often hide persistence mechanisms in image layers:

#!/bin/bash
## Secure container rebuild process
APPLICATION_NAME=\"$1\"
REBUILD_DIR=\"/var/rebuild/$APPLICATION_NAME-$(date +%Y%m%d-%H%M%S)\"
mkdir -p \"$REBUILD_DIR\"

echo \"=== SECURE REBUILD PROCESS FOR $APPLICATION_NAME ===\" > \"$REBUILD_DIR/rebuild-log.txt\"

## Step 1: Create clean build environment
echo \"Creating isolated build environment...\" >> \"$REBUILD_DIR/rebuild-log.txt\"

## Use fresh base images with verification
cat > \"$REBUILD_DIR/Dockerfile.secure\" << 'EOF'
## Use minimal, verified base image
FROM alpine:3.19@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b

## Create non-root user immediately
RUN adduser -D -s /bin/sh -u 10001 appuser

## Install only necessary packages with verification
RUN apk add --no-cache --verify ca-certificates && \
    apk del --no-cache apk-tools

## Set secure defaults
USER appuser
WORKDIR /app

## Copy application code only (no build artifacts)
COPY --chown=appuser:appuser ./src /app/

## Set secure runtime configuration
EXPOSE 8080
CMD [\"./app\"]
EOF

## Step 2: Verify all source code is clean
echo \"Verifying source code integrity...\" >> \"$REBUILD_DIR/rebuild-log.txt\"

## Scan source code for malicious content
if command -v rg &> /dev/null; then
    rg -i \"(eval|exec|system|shell_exec|curl.*\\|.*sh|wget.*\\|)\" ./src/ > \"$REBUILD_DIR/code-scan.txt\" || echo \"No suspicious code patterns found\"
fi

## Check for hidden files
find ./src -name \".*\" -type f > \"$REBUILD_DIR/hidden-files.txt\"

## Step 3: Build with security hardening
echo \"Building hardened container image...\" >> \"$REBUILD_DIR/rebuild-log.txt\"

docker build \
    --no-cache \
    --pull \
    --tag \"$APPLICATION_NAME-secure:$(date +%Y%m%d-%H%M%S)\" \
    --file \"$REBUILD_DIR/Dockerfile.secure\" \
    .

## Step 4: Security scan new image
NEW_IMAGE=\"$APPLICATION_NAME-secure:$(date +%Y%m%d-%H%M%S)\"

if command -v trivy &> /dev/null; then
    trivy image --severity HIGH,CRITICAL \"$NEW_IMAGE\" > \"$REBUILD_DIR/vulnerability-scan.txt\"
fi

## Step 5: Runtime security test
echo \"Testing secure runtime configuration...\" >> \"$REBUILD_DIR/rebuild-log.txt\"

## Test container with security profile
docker run --rm \
    --read-only \
    --tmpfs /tmp:noexec,nosuid,size=50m \
    --user 10001:10001 \
    --cap-drop ALL \
    --cap-add CHOWN \
    --cap-add SETUID \
    --cap-add SETGID \
    --security-opt=no-new-privileges:true \
    --network none \
    --name security-test \
    \"$NEW_IMAGE\" /bin/sh -c \"id; pwd; ls -la\" > \"$REBUILD_DIR/security-test.txt\"

echo \"Secure rebuild complete. Review: $REBUILD_DIR\"

Host System Hardening and Patch Management

Host systems that experienced container breakouts require comprehensive hardening:

#!/bin/bash
## Host security hardening after container compromise
HARDENING_LOG=\"/var/log/post-incident-hardening-$(date +%Y%m%d-%H%M%S).log\"

echo \"=== POST-INCIDENT HOST HARDENING ===\" > \"$HARDENING_LOG\"
echo \"Start time: $(date)\" >> \"$HARDENING_LOG\"

## 1. Update all packages
echo \"Updating system packages...\" >> \"$HARDENING_LOG\"
apt-get update && apt-get upgrade -y >> \"$HARDENING_LOG\" 2>&1

## Install security updates specifically
apt-get install -y unattended-upgrades >> \"$HARDENING_LOG\" 2>&1
dpkg-reconfigure -plow unattended-upgrades

## 2. Kernel hardening
echo \"Applying kernel hardening...\" >> \"$HARDENING_LOG\"
cat >> /etc/sysctl.conf << 'EOF'

## Post-incident container security hardening
## Restrict dmesg to prevent information leaks
kernel.dmesg_restrict = 1

## Hide kernel addresses from unprivileged users
kernel.kptr_restrict = 2

## Disable kernel module loading
kernel.modules_disabled = 1

## Enable ASLR
kernel.randomize_va_space = 2

## Restrict ptrace (prevents container debugging)
kernel.yama.ptrace_scope = 3

## Prevent container escape via core dumps
fs.suid_dumpable = 0
kernel.core_pattern = /dev/null

## Network security
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
EOF

sysctl -p >> \"$HARDENING_LOG\" 2>&1

## 3. Docker daemon hardening
echo \"Hardening Docker daemon configuration...\" >> \"$HARDENING_LOG\"
cat > /etc/docker/daemon.json << 'EOF'
{
  \"icc\": false,
  \"userland-proxy\": false,
  \"no-new-privileges\": true,
  \"seccomp-enabled\": true,
  \"userns-remap\": \"default\",
  \"live-restore\": true,
  \"log-driver\": \"json-file\",
  \"log-opts\": {
    \"max-size\": \"10m\",
    \"max-file\": \"3\"
  },
  \"storage-driver\": \"overlay2\",
  \"default-runtime\": \"runc\",
  \"default-ulimits\": {
    \"nofile\": {
      \"Hard\": 64000,
      \"Name\": \"nofile\",
      \"Soft\": 64000
    }
  },
  \"selinux-enabled\": true
}
EOF

## 4. User namespace configuration for container isolation
echo \"Configuring user namespaces...\" >> \"$HARDENING_LOG\"
echo \"dockremap:165536:65536\" >> /etc/subuid
echo \"dockremap:165536:65536\" >> /etc/subgid

## 5. Audit logging configuration
echo \"Enabling comprehensive audit logging...\" >> \"$HARDENING_LOG\"
cat > /etc/audit/rules.d/docker-security.rules << 'EOF'
## Monitor Docker daemon
-w /usr/bin/docker -p wa -k docker
-w /var/lib/docker -p wa -k docker
-w /etc/docker -p wa -k docker
-w /var/run/docker.sock -p rwa -k docker

## Monitor container runtime
-w /usr/bin/containerd -p wa -k containerd
-w /usr/bin/runc -p wa -k runc

## Monitor critical system files
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/sudoers -p wa -k sudoers_changes

## Monitor privilege escalation
-a always,exit -F arch=b64 -S setuid,setgid,setreuid,setregid -k privilege_escalation
-a always,exit -F arch=b64 -S execve -k exec_commands

## Monitor file permission changes
-a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown -k permission_changes
EOF

systemctl restart auditd >> \"$HARDENING_LOG\" 2>&1

## 6. Firewall hardening
echo \"Configuring firewall rules...\" >> \"$HARDENING_LOG\"
ufw --force reset >> \"$HARDENING_LOG\" 2>&1
ufw default deny incoming >> \"$HARDENING_LOG\" 2>&1
ufw default deny outgoing >> \"$HARDENING_LOG\" 2>&1
ufw allow out 53 >> \"$HARDENING_LOG\" 2>&1  # DNS
ufw allow out 80 >> \"$HARDENING_LOG\" 2>&1  # HTTP
ufw allow out 443 >> \"$HARDENING_LOG\" 2>&1 # HTTPS
ufw allow out 22 >> \"$HARDENING_LOG\" 2>&1  # SSH (if needed)
ufw --force enable >> \"$HARDENING_LOG\" 2>&1

## 7. Service hardening
echo \"Disabling unnecessary services...\" >> \"$HARDENING_LOG\"
systemctl disable --now telnet xinetd rsh rlogin >> \"$HARDENING_LOG\" 2>&1

## 8. Restart Docker with new configuration
echo \"Restarting Docker daemon with hardened configuration...\" >> \"$HARDENING_LOG\"
systemctl restart docker >> \"$HARDENING_LOG\" 2>&1

echo \"Host hardening complete. Log: $HARDENING_LOG\"

Container Security Policy Implementation

Time to implement security policies that actually prevent breakouts. Control groups (cgroups) are supposed to limit resource usage and prevent attacks, but most setups have them configured wrong or not at all.

## Kubernetes Pod Security Policy (if using K8s)
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-post-incident
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  allowedCapabilities:
    - CHOWN
    - SETUID
    - SETGID
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'MustRunAsNonRoot'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  readOnlyRootFilesystem: true
  seLinux:
    rule: 'RunAsAny'

## Docker security wrapper script
#!/bin/bash
## /usr/local/bin/docker-secure-run
CONTAINER_NAME=\"$1\"
IMAGE_NAME=\"$2\"

if [[ -z \"$CONTAINER_NAME\" ]] || [[ -z \"$IMAGE_NAME\" ]]; then
    echo \"Usage: $0 <container-name> <image-name>\"
    exit 1
fi

## Mandatory security configuration
docker run \
    --name \"$CONTAINER_NAME\" \
    --read-only \
    --tmpfs /tmp:noexec,nosuid,size=50m \
    --tmpfs /var/tmp:noexec,nosuid,size=10m \
    --user 10001:10001 \
    --cap-drop ALL \
    --cap-add CHOWN \
    --cap-add SETUID \
    --cap-add SETGID \
    --security-opt=no-new-privileges:true \
    --security-opt=seccomp:default \
    --security-opt=apparmor:docker-default \
    --memory=256m \
    --cpus=1 \
    --pids-limit=50 \
    --ulimit nofile=1024:2048 \
    --ulimit nproc=50 \
    --restart=on-failure:3 \
    --log-driver=json-file \
    --log-opt max-size=10m \
    --log-opt max-file=3 \
    \"$IMAGE_NAME\"

Monitoring and Detection Enhancement

Deploy monitoring that might actually catch the next escape attempt. gVisor provides better isolation than standard containers, but it comes with performance penalties. Worth it if you're paranoid about container security (and after an incident, you should be):

#!/bin/bash
## Deploy comprehensive container monitoring
MONITORING_DIR=\"/opt/container-monitoring\"
mkdir -p \"$MONITORING_DIR\"

## 1. Install and configure Falco for runtime security
echo \"Installing Falco runtime security monitoring...\"
## Install Falco (the repository breaks constantly)
FALCO_VERSION=\"0.37.1\"
curl -L -o falco.deb \"https://github.com/falcosecurity/falco/releases/download/${FALCO_VERSION}/falco-${FALCO_VERSION}-x86_64.deb\"
sudo dpkg -i falco.deb || sudo apt-get install -f -y

## Enhanced Falco rules for container breakouts
cat > /etc/falco/local_rules.yaml << 'EOF'
## Post-incident enhanced container monitoring

- rule: Container Breakout Attempt
  desc: Detect potential container breakout via privilege escalation
  condition: >
    spawned_process and container and
    (proc.name in (mount, nsenter, unshare, chroot) or
     proc.args contains \"docker.sock\" or
     proc.args contains \"/proc/1/root\")
  output: >
    Container breakout attempt detected (user=%user.name command=%proc.cmdline 
    container=%container.name image=%container.image.repository)
  priority: CRITICAL
  tags: [container, breakout, cve-2025-9074]

- rule: Suspicious Container Network Access
  desc: Container accessing suspicious network resources
  condition: >
    (outbound or inbound) and container and
    ((fd.rip exists and not fd.rip in (rfc_1918_addresses)) or
     fd.rport in (4444, 1234, 9001, 31337))
  output: >
    Suspicious network access from container (connection=%fd.name 
    container=%container.name command=%proc.cmdline)
  priority: HIGH
  tags: [network, container, c2]

- rule: Container Filesystem Escape
  desc: Container attempting to access host filesystem
  condition: >
    open_read and container and
    (fd.name startswith \"/proc/1/\" or 
     fd.name startswith \"/host\" or
     fd.name contains \"../../../\")
  output: >
    Container filesystem escape attempt (file=%fd.name 
    container=%container.name process=%proc.name)
  priority: HIGH
  tags: [filesystem, container, escape]
EOF

systemctl restart falco

## 2. Set up log monitoring with alerts
cat > \"$MONITORING_DIR/monitor-logs.sh\" << 'EOF'
#!/bin/bash
## Container security log monitoring
tail -F /var/log/falco/falco.log | while read line; do
    if echo \"$line\" | grep -qE \"(CRITICAL|HIGH)\"; then
        echo \"$(date): SECURITY ALERT - $line\" | logger -t container-security
        # Send alert (customize for your environment)
        echo \"Container security alert: $line\" | mail -s \"URGENT: Container Security Alert\" security@company.com
    fi
done
EOF

chmod +x \"$MONITORING_DIR/monitor-logs.sh\"

## 3. Create systemd service for monitoring
cat > /etc/systemd/system/container-security-monitor.service << 'EOF'
[Unit]
Description=Container Security Monitoring
After=docker.service falco.service

[Service]
Type=simple
User=root
ExecStart=/opt/container-monitoring/monitor-logs.sh
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF

systemctl enable container-security-monitor
systemctl start container-security-monitor

echo \"Enhanced monitoring deployed and active\"

Incident Response Process Improvement

Document lessons learned and improve incident response procedures:

#!/bin/bash
## Generate post-incident improvement report
IMPROVEMENT_DIR=\"/var/incident/improvement-$(date +%Y%m%d-%H%M%S)\"
mkdir -p \"$IMPROVEMENT_DIR\"

cat > \"$IMPROVEMENT_DIR/lessons-learned.md\" << 'EOF'
## Container Breakout Incident - Lessons Learned

### Incident Summary
- **Date**: $(date)
- **Duration**: [Fill in total incident duration]
- **Impact**: [Describe business impact]
- **Root Cause**: [Primary attack vector]

### What Worked Well
- [ ] Incident detection time
- [ ] Initial response procedures
- [ ] Evidence preservation
- [ ] Team communication
- [ ] Recovery procedures

### Areas for Improvement
- [ ] Faster detection of container escapes
- [ ] Better forensic tools for container analysis
- [ ] Improved communication procedures
- [ ] Enhanced monitoring coverage
- [ ] Faster recovery procedures

### Action Items
1. [ ] Deploy enhanced container monitoring (Falco rules)
2. [ ] Implement mandatory security scanning in CI/CD
3. [ ] Conduct container security training for development team
4. [ ] Regular security audit of container configurations
5. [ ] Update incident response playbooks

### Prevention Measures Implemented
- [ ] Container security policies enforced
- [ ] Host system hardening completed
- [ ] Enhanced monitoring deployed
- [ ] Security training scheduled
- [ ] Regular security assessments planned
EOF

echo \"Improvement report created: $IMPROVEMENT_DIR/lessons-learned.md\"

Actual Recovery Timeline: Plan for 3 weeks if you want to do it right. Management will bitch the entire time about business impact. Last recovery I did, we spent 2 weeks just getting the hardened containers to start properly.

Shit that will break during recovery:

• Prometheus 2.45.0 decides your AppArmor profiles look suspicious and stops scraping metrics
• Services fail with "permission denied" errors because they relied on running as root
• Some asshole tries to deploy during recovery and breaks your progress (disable GitHub Actions immediately)
• AWS S3 storage costs for 500GB of forensic data: $600/month (nobody budgets for this)

SANS has detailed recovery guides, but they don't mention the part where hardening breaks the CEO's dashboard and you get blamed for "making things too secure."