
Mohammad-Ali A'RÂBI

Day 15 — How to Respond to an Ongoing Compromise (Hawk's Path)

Snow crunches underfoot as Gord and Rothütle reach the broken path above Falkensteig. Stone ruins emerge between the trees—old walls, collapsed towers, half-swallowed by moss and ice.

"This is where people stop," Rothütle says quietly. "Even smugglers avoid it."

"They should," Gord replies. "This place is dangerous... for them."

Gord steps closer to the ruins, pulls her cloak aside to reveal the sigil on her chest. It catches the dim light.

She waits for the stone to respond. Nothing happens.

She looks up at the ruined archway ahead, and then checks their surroundings.

"What's going on?" Rothütle asks.

"The door won't open," Gord says. "This is the hidden passage to Schattenburg."

Rothütle frowns. "Is there another way in?"

"Yes, through our defenses," Gord replies grimly.

"So, we are the red team now," Rothütle says.

Then they start hiking toward the castle ruins.


Tip of the day: Compromised systems invalidate keys. Once the attacker is inside, they can keep you out.


Security Tip #15 — How to Respond to an Ongoing Compromise

When an attacker is already inside your systems, it's a different game. You should be more vigilant, deliberate, and cautious, as any hasty action can worsen the situation.

What to Do When an Attacker is Inside

  • Contain first

    Isolate affected systems, accounts, and networks. Stop lateral movement.

  • Invalidate access paths

    Rotate credentials only after isolation. Otherwise, the attacker simply captures the new ones as well.

  • Assume automation is compromised

    CI/CD, package publishing, cron jobs, startup scripts — inspect all of them.

  • Look for persistence

    New users, modified configs, hidden processes, poisoned dependencies.

  • Rebuild, don't clean

    Treat systems as hostile. Restore only from verified, pre-incident sources.

Compromised systems compromise trust. When an attack happens, your business is at risk. Mitigating quickly is then the first priority; uptime and functionality come second. If it helps, kill the system to halt the attack and investigate the damage.
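As an added example (not part of the original post), here is a baseline-diff check for the "look for persistence" step above: it compares a verified pre-incident manifest of accounts, cron/startup files and dependency hashes against the live host state, so new accounts, edited configs and swapped packages all surface in one report. The snapshot layout and the sample host data are constructed for illustration.

```python
import hashlib

def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

def accounts(passwd: str) -> dict:
    """Map user -> (uid, shell) from /etc/passwd-format text."""
    rows = [line.split(":") for line in passwd.splitlines()]
    return {f[0]: (f[2], f[6]) for f in rows if len(f) == 7}  # skips blanks/comments

def find_persistence(baseline: dict, current: dict) -> list:
    """baseline: {"passwd": text, "files": {path: sha256}, "deps": {pkg: sha256}} from a
    verified pre-incident manifest; current: same keys, but "files" holds live contents.
    Returns sorted findings; an empty list means the host matches the baseline."""
    findings = []
    base_users, cur_users = accounts(baseline["passwd"]), accounts(current["passwd"])
    for user, (uid, shell) in cur_users.items():
        if user not in base_users:
            findings.append(f"new account {user} (uid {uid}, shell {shell})")
        elif base_users[user] != (uid, shell):
            findings.append(f"account {user} changed: {base_users[user]} -> {(uid, shell)}")
        if uid == "0" and user != "root":  # a second uid-0 login is a classic backdoor
            findings.append(f"extra uid-0 account {user}")
    # Cron jobs, startup scripts and configs: hash the live contents and compare with the
    # baseline digest, so files edited in place are caught as well as new ones.
    for path, content in current["files"].items():
        if path not in baseline["files"]:
            findings.append(f"new file {path}")
        elif sha256(content) != baseline["files"][path]:
            findings.append(f"modified file {path}")
    for pkg, digest in current["deps"].items():  # installed artifacts vs lockfile hashes
        if baseline["deps"].get(pkg) != digest:
            findings.append(f"dependency {pkg} does not match lockfile hash")
    return sorted(findings)

# Constructed sample data (not from a real host): a verified manifest and the live state.
BASELINE = {
    "passwd": "root:x:0:0:root:/root:/bin/bash\ndeploy:x:1000:1000::/home/deploy:/bin/bash\n",
    "files": {"/etc/cron.d/backup": sha256("0 2 * * * root /usr/local/bin/backup.sh\n")},
    "deps": {"requests": "a" * 64},
}
CURRENT = {
    "passwd": BASELINE["passwd"] + "sysadm:x:0:0::/:/bin/sh\n",
    "files": {"/etc/cron.d/backup": "0 2 * * * root /usr/local/bin/backup.sh\n",
              "/etc/cron.d/update": "*/5 * * * * root /var/tmp/update.sh\n"},
    "deps": {"requests": "b" * 64},
}

if __name__ == "__main__":
    print("\n".join(find_persistence(BASELINE, CURRENT)))
```

Because the baseline stores only digests, it can be kept on a separate, trusted host and still be compared against the suspect machine's live files.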


📘 Learn Docker and Kubernetes Security

To learn how legacy systems impact modern container security — and how to modernize safely — check out my book Docker and Kubernetes Security, currently 40% off.

🔗 buy.DockerSecurity.io

💬 Code: BLACKFOREST25

👉 To have the story delivered to your inbox every day in December, subscribe to my Medium publications.
