Presented at Texas Cyber Summit 2019, Oct. 10, 2019, 1 p.m. (60 minutes).
Why is DFIR at scale imperative in today’s threat landscape?
* When responding to a potential security incident, time is of the essence.
* Pulling a memory image from an endpoint and analysing it with a forensic tool such as Volatility is the most comprehensive methodology, but it is also very time- and resource-intensive.
* In this talk, we'll explore whether an agent that is already running on endpoints can be used to kick-start initial triage and investigation.
* osquery is a popular open-source project with more than 5000 commits from 264 contributors.
* The osquery framework exposes the operating system as a relational database, so SQL queries can pull specific artifacts, e.g. logged-on users, the process tree, Docker containers, etc.
* Two parallel methodologies: (1) stand-alone, to collect data one-off during a forensic or reactive investigation; (2) running as a service, for periodic data collection to support anomaly detection and proactive threat hunting.
* Attack scenarios based on the MITRE ATT&CK framework, e.g. detecting a Meterpreter reverse shell.
* More use cases: detecting a Docker container exploit attempt, detecting malicious crypto-mining, scoping a supply chain attack, etc.
* The power of osquery evented tables, File Integrity Monitoring, etc.
* Custom Extensions and plugins
* Interesting Projects and ongoing research from the Open Source Community
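As an illustration of the "operating system as a relational database" idea above, here are a few triage queries of the kind a responder would run in osqueryi against the stock osquery schema (logged-on users, process tree, Docker containers, and a shell-with-remote-socket check for the reverse-shell scenario). This is an added example, not code from the talk or from the osquery project; the table and column names are from the standard osquery schema, and the shell-name list in the last query is an assumption to be tuned per environment.

```sql
-- Logged-on users: who has an interactive session, from which host and tty,
-- and since when (osquery is SQLite underneath, so datetime() is available).
SELECT user, tty, host, datetime(time, 'unixepoch') AS since, pid
FROM logged_in_users;

-- Process tree: self-join processes on the parent column so each row shows a
-- child next to its parent. Odd parent/child pairs (a service spawning a shell,
-- a document viewer spawning a network client) stand out in this view.
SELECT p.pid, p.name, p.cmdline,
       p.parent, pp.name AS parent_name, pp.cmdline AS parent_cmdline
FROM processes p
LEFT JOIN processes pp ON p.parent = pp.pid
ORDER BY p.parent, p.pid;

-- Running containers with the host-side PID of each container's init process,
-- so a suspect process found in the tree above can be tied back to a container.
SELECT id, name, image, state, pid, command
FROM docker_containers
WHERE state = 'running';

-- Reverse-shell triage: an interactive shell that owns an established socket
-- to a remote address is unusual on a server. Shell names are an assumed
-- starting list; loopback and unspecified addresses are filtered out.
SELECT p.pid, p.name, p.cmdline, p.parent,
       s.remote_address, s.remote_port, s.state
FROM processes p
JOIN process_open_sockets s ON p.pid = s.pid
WHERE p.name IN ('sh', 'bash', 'dash', 'zsh')
  AND s.remote_address NOT IN ('', '0.0.0.0', '127.0.0.1', '::', '::1')
  AND s.remote_port != 0;
```

Run these interactively in osqueryi for the stand-alone, one-off methodology; for the periodic methodology, put the same queries in a query pack scheduled by osqueryd and watch the differential results, where a new row for the last query is the event worth alerting on.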
Presenters:
Andres Martinson, Adobe
Andres Martinson is a Sr. Security Engineer on the Adobe Digital Experience team focusing on host security monitoring. Previously Andres has worked as a Network and Systems Engineer. When weather permits, he uses any chance he gets to head out on cross-country skis.