detecting-container-drift-at-runtime

# Detecting Container Drift at Runtime ## Overview Container drift occurs when running containers deviate from their original image state through unauthorized file modifications, unexpected binary execution, configuration changes, or package installations. Since containers should be treated as immutable infrastructure, any drift is a potential indicator of compromise. Detection techniques leverage the DIE (Detect, Isolate, Evict) model -- an immutable workload should not change during runtime, so any observed change is potentially evidence of malicious activity. ## When to Use - When investigating security incidents that require detecting container drift at runtime - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Kubernetes cluster v1.24+ with runtime security tooling - Falco or Sysdig for runtime drift detection - Container image registry with image manifests available - Familiarity with Linux filesystem layers and OverlayFS ## Core Concepts ### Types of Container Drift 1. **Binary drift**: Execution of binaries not present in the original image (downloaded malware, compiled tools) 2. **File drift**: Creation, modification, or deletion of files in the container filesystem 3. **Configuration drift**: Changes to environment variables, mounted secrets, or runtime parameters 4. **P...