detecting-container-drift-at-runtime

Detecting Container Drift at Runtime

Overview

Container drift occurs when running containers deviate from their original image state through unauthorized file modifications, unexpected binary execution, configuration changes, or package installations. Since containers should be treated as immutable infrastructure, any drift is a potential indicator of compromise. Detection techniques leverage the DIE (Detect, Isolate, Evict) model -- an immutable workload should not change during runtime, so any observed change is potentially evidence of malicious activity.
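The following Falco rule set is an added example that is not part of this skill; it shows how the three drift signals named above (unexpected binary execution, file modification under system paths, and package installation) translate into runtime detections. The macro names and the list of watched directories and package managers are assumptions chosen for this example; `proc.is_exe_upper_layer` is the Falco field that is true when the executed binary lives in the container's writable layer rather than in the image.

```yaml
# Added example rules for container drift detection (not from the skill itself).
# Macros are defined locally so the file does not depend on Falco's default rule set.

- macro: in_container
  condition: (container.id != host)

- macro: process_spawned
  condition: (evt.type in (execve, execveat) and evt.dir = <)

- macro: file_opened_for_write
  condition: (evt.type in (open, openat, openat2) and evt.is_open_write = true and fd.typechar = 'f')

# Directories that should only ever contain files shipped in the image (assumed list).
- list: image_binary_dirs
  items: [/bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin, /usr/lib, /lib]

# Package managers whose presence at runtime indicates an install not baked into the image (assumed list).
- list: package_managers
  items: [apt, apt-get, dpkg, yum, dnf, rpm, apk, pip, pip3, npm, gem]

# Signal 1: a binary that was not in the image (it lives in the writable upper layer) is executed.
- rule: Drift - binary not present in image executed
  desc: A process was started from an executable that exists only in the container's writable layer.
  condition: process_spawned and in_container and proc.is_exe_upper_layer = true
  output: >
    Drift: executable outside image layer run in container
    (user=%user.name container=%container.name image=%container.image.repository:%container.image.tag
    exe=%proc.exepath cmdline=%proc.cmdline parent=%proc.pname)
  priority: CRITICAL
  tags: [container, drift, mitre_execution]

# Signal 2: something writes into a directory that should be immutable for the life of the container.
- rule: Drift - write to image binary directory
  desc: A file under a system binary or library directory was opened for writing inside a container.
  condition: file_opened_for_write and in_container and fd.directory in (image_binary_dirs)
  output: >
    Drift: write under immutable image path in container
    (user=%user.name container=%container.name image=%container.image.repository:%container.image.tag
    file=%fd.name proc=%proc.name cmdline=%proc.cmdline)
  priority: WARNING
  tags: [container, drift, mitre_persistence]

# Signal 3: a package manager runs at all; immutable images have no reason to install packages at runtime.
- rule: Drift - package manager executed in container
  desc: A package manager was launched inside a running container.
  condition: process_spawned and in_container and proc.name in (package_managers)
  output: >
    Drift: package manager run in container
    (user=%user.name container=%container.name image=%container.image.repository:%container.image.tag
    cmdline=%proc.cmdline parent=%proc.pname)
  priority: WARNING
  tags: [container, drift, mitre_execution]
```

Each alert carries the image repository and tag so an analyst can pull the image manifest (one of the prerequisites below) and confirm whether the file or binary was genuinely absent from the image. Before deploying, run the rules against a known-good workload to surface legitimate exceptions such as an entrypoint that compiles assets into /usr/local/bin at start-up, and add those to an exception list rather than loosening the conditions.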

When to Use

  • When investigating security incidents that require detecting container drift at runtime
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • Kubernetes cluster v1.24+ with runtime security tooling
  • Falco or Sysdig for runtime drift detection
  • Container image registry with image manifests available

Installs: 7
GitHub Stars: 6.2K
First Seen: Apr 7, 2026