Protect/hunt/respond with Fleet and osquery

Presented at DEF CON 30 (2022), Aug. 11, 2022, 9 a.m. (240 minutes).

In this workshop, we will learn how to use Fleet and osquery to ensure systems are protected, detect suspicious activity, hunt for attackers, and respond to incidents. First, we'll see how to deploy Fleet to manage osquery agents. Then, we will use shared Fleet instances to track the security posture of systems, inventory vulnerable applications, and perform threat hunting. These Fleet instances will be connected to a shared Slack workspace, where we will generate custom alerts to ensure insecure systems can be dealt with. These shared Fleet instances will output data to centralized logging (Graylog), which we will use to create dashboards as well as alerting for suspicious activity. At the end of this workshop, you'll know how to use Fleet and osquery to ensure your workstations and servers are secure, to quickly find vulnerable systems, and to discover attackers performing techniques such as establishing persistence and privilege escalation.

Materials: A laptop with internet access, a web browser, a virtualization app such as VirtualBox or VMware, and Docker (on main OS or in a VM). We recommend bringing at least one or two VMs (Mac, Windows or Linux) ready to use as osquery clients.

Prereq: Basic understanding of operating systems and networking. No knowledge of Fleet or osquery itself is needed.

Presenters:

  • Kathy Satterlee - Developer Advocate
    Kathy is a Developer Advocate at Fleet Device Management. She generally has a pretty good idea of how Fleet and osquery work together and what people are doing with them. She also usually knows who to reach out to when she doesn’t have a clue.
  • Guillaume Ross - Head of Security
    Guillaume started hacking away in the early 90s, where by hacking, we mean "understanding how pkzip works so he could fit this game on his ridiculous HDD". He then went on to work in IT, focusing on large scale endpoint deployments for a few years. He then became a security consultant, working with all types of different organizations, doing endpoint security, mobile security, and cloud security until he started leading security in startups. Guillaume is currently the Head of Security at Fleet Device Management, the company behind the open source project Fleet. Guillaume dislikes doing meaningless "best practices" work that has no practical value and enjoys leveraging great open source software available to all of us to improve security. Guillaume has spoken and given workshops at various conferences like BSidesLV, BSidesSF, DEF CON, RSAC, Thotcon and Northsec on many topics, including mobile security, endpoint security, logging and monitoring.
