# Finding Imposter Among Us: Container Edition

## Abstract

Much like in the game Among Us, bad-faith actors can sneak into our spaceship, aka our containerized workloads, at any time. It then falls to the crew members to guess and eliminate the threat. Similarly, even if we secure our supply chain, there will always be threat actors that can attack at runtime. It is not a matter of if but when, so there is a need to enforce security at runtime to contain the damage when it happens.

Containers are not black boxes; we need to understand the entities that run inside them. Just sandboxing around them isn't enough: we need to profile the entities inside our containers and enforce zero-trust rules. But achieving zero trust is non-trivial, especially given the highly dynamic nature of modern containerized workloads.

This session will be about understanding the entities inside our containers, identifying the assets that are exposed to those entities, and exploring our crew members eBPF, Seccomp and LSMs, who will help us identify and quarantine breaches at runtime, minimizing our attack surface in the process.

## Benefits to the Ecosystem

With the increasing efforts towards securing our supply chain, there have been many measures to help protect our workloads against known vulnerabilities. But there will always be unknown vulnerabilities that may surface at any time. KubeCon NA 2022 had a session about profiling and restricting access at runtime leveraging Network Policies [1] and Seccomp [2]. But there are many more entities inside our containers that are exposed to external factors. One big threat tactic is escaping to the host by leveraging container mount points [3].

This talk highlights the importance of runtime security and how we can protect our assets, especially those directly linked to the host system, by profiling the entities inside our containers beforehand.

[1] https://sched.co/182Gf
[2] https://sched.co/182GW
[3] https://attack.mitre.org/techniques/T1611/