Comprehensive and Detailed Explanation
The correct actions are C and D, as they represent the standard, parallel process for incident response: technical investigation and procedural/communicative response.
Technical Investigation (Option D): The immediate priority is to understand the alert. An analyst must review the Container Threat Detection finding in Security Command Center (SCC) to understand what was detected. This is followed by investigating the affected pod, its container, the node it's running on, and any associated service accounts to determine the initial blast radius and gather forensic data. Researching the binary and related TTPs (Tactics, Techniques, and Procedures) helps contextualize the attack.
Procedural Response (Option C): Concurrently, the organizational response plan must be activated. This involves notifying the business-critical workload owner (stakeholder communication), initiating the formal, documented incident response playbook, and escalating to specialized teams, like threat hunting, for deeper root cause analysis that goes beyond the initial triage.
Option A is incorrect because deleting the pod immediately is a premature remediation step that destroys critical forensic evidence. Option B is incorrect because "keeping the cluster and pod running" without any containment is reckless and could allow an attacker to pivot. Option E is incorrect because an unauthorized binary execution in a critical workload is a high-severity event, not a low-severity finding to be silenced.
Exact Extract from Google Security Operations Documents:
Responding to Container Threat Detection findings: When a Container Threat Detection finding is generated, it indicates a potential security issue that requires investigation. The first step is to review the finding details in Security Command Center (SCC) to understand the nature of the threat, such as K8S_BINARY_EXECUTED.
The recommended workflow involves:
Investigate: Examine the affected Kubernetes resources, such as the Pod, Container, and Node. Use tools like kubectl to inspect the pod configuration, running processes, and network connections. Research the associated attack and response methods to understand the threat actor's TTPs.
Respond: Follow the organization's incident response playbook. This includes notifying the workload owner and relevant stakeholders. Contain the threat by isolating the pod or node, but avoid deleting resources immediately to preserve evidence for forensic analysis.
Escalate: For complex incidents, engage the threat hunting or forensics team to conduct a thorough investigation, identify the root cause, and determine the full scope of the compromise.
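The investigate / respond / escalate workflow above, as an added worked example that is not code from the page or from Google's documentation: a small triage helper that reads a Container Threat Detection finding, extracts the pod, container, node and executed binary, decides whether the case should be escalated, and generates a Kubernetes NetworkPolicy that isolates the pod instead of deleting it, so the evidence survives for forensics. The finding JSON is constructed, and its field layout (category, severity, kubernetes.pods/nodes, processes[].binary.path) is an assumption about the shape of an SCC finding, not a guaranteed schema; the EXPECTED_BIN_DIRS allowlist and the kubectl command strings are the author's illustrative choices.

```python
"""Triage helper for a Container Threat Detection finding such as K8S_BINARY_EXECUTED.

Added example; not code from the page or from Google's documentation. The
finding below is constructed, and its field layout (category, severity,
kubernetes.pods/nodes, processes[].binary.path) is an assumption about the
shape of an SCC finding, not a guaranteed schema.
"""
import json

# Constructed sample finding (not a real alert). The binary path is a
# placeholder chosen to look like an unexpected, writable location.
CONSTRUCTED_FINDING = json.dumps({
    "category": "Execution: Added Binary Executed",
    "severity": "HIGH",
    "kubernetes": {
        "pods": [{
            "ns": "payments",
            "name": "checkout-7d9f4",
            "labels": [{"name": "app", "value": "checkout"}],
            "containers": [{"name": "checkout",
                            "uri": "gcr.io/example-project/checkout:1.4.2"}],
        }],
        "nodes": [{"name": "gke-prod-cluster-pool-1-abc123"}],
    },
    "processes": [{"name": "dropped-bin",
                   "binary": {"path": "/tmp/dropped-bin"},
                   "args": ["--serve"], "pid": 2891}],
})

# Directories from which a normal container image is expected to execute
# binaries (illustrative allowlist); anything outside them warrants a closer look.
EXPECTED_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                     "/usr/local/bin/", "/usr/local/sbin/", "/app/")


def parse_finding(raw):
    """Pull the facts an analyst needs for first triage out of the finding JSON."""
    f = json.loads(raw)
    pod = f["kubernetes"]["pods"][0]
    node = f["kubernetes"]["nodes"][0]
    proc = f.get("processes", [{}])[0]
    return {
        "category": f["category"],
        "severity": f.get("severity", "UNKNOWN"),
        "namespace": pod["ns"],
        "pod": pod["name"],
        "labels": {lab["name"]: lab["value"] for lab in pod.get("labels", [])},
        "container": pod["containers"][0]["name"],
        "image": pod["containers"][0]["uri"],
        "node": node["name"],
        "binary_path": proc.get("binary", {}).get("path", ""),
        "args": proc.get("args", []),
    }


def binary_is_unexpected(path):
    """True when the executed binary lives outside the image's normal binary directories."""
    return not path.startswith(EXPECTED_BIN_DIRS)


def should_escalate(summary):
    """Escalate to threat hunting/forensics for high-severity findings or out-of-place binaries."""
    return summary["severity"] in ("HIGH", "CRITICAL") or binary_is_unexpected(summary["binary_path"])


def isolation_policy(summary):
    """NetworkPolicy that isolates the affected pod (deny all ingress and egress)
    without deleting it, so the pod and its filesystem remain for forensics."""
    if not summary["labels"]:
        # An empty matchLabels would select every pod in the namespace.
        raise ValueError("pod has no labels; label it first or isolate at the node level")
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "isolate-" + summary["pod"], "namespace": summary["namespace"]},
        "spec": {
            "podSelector": {"matchLabels": summary["labels"]},
            "policyTypes": ["Ingress", "Egress"],
            # No ingress/egress rules listed: both directions are denied.
        },
    }


def triage_actions(summary):
    """Ordered investigate / respond / escalate steps; none of them deletes the pod."""
    ns, pod, node = summary["namespace"], summary["pod"], summary["node"]
    steps = [
        f"Review finding '{summary['category']}' (severity {summary['severity']}) in SCC.",
        f"kubectl -n {ns} get pod {pod} -o yaml   # configuration, service account, image",
        f"kubectl -n {ns} describe pod {pod}      # events, node placement, restarts",
        f"kubectl -n {ns} logs {pod} -c {summary['container']} --timestamps",
        f"kubectl apply -f isolate-{pod}.yaml     # apply the isolation NetworkPolicy",
        f"kubectl cordon {node}                   # stop new scheduling on the node",
        f"Notify the owner of workload '{summary['labels'].get('app', pod)}' and open the IR playbook.",
    ]
    if should_escalate(summary):
        steps.append("Escalate to threat hunting/forensics for root-cause analysis.")
    return steps


if __name__ == "__main__":
    s = parse_finding(CONSTRUCTED_FINDING)
    print(json.dumps(s, indent=2))
    print(json.dumps(isolation_policy(s), indent=2))
    print("\n".join(triage_actions(s)))
```

The NetworkPolicy only takes effect on clusters where network policy enforcement is enabled; the guard against an empty label set matters because a NetworkPolicy cannot select a pod by name, and an empty selector would cut off the whole namespace.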
References:
Google Cloud Documentation: Security Command Center > Documentation > Manage findings > Responding to Container Threat Detection findings
Google Cloud Documentation: Google Security Operations > Documentation > Incident Response > Incident Response Playbooks