In this case study we demonstrate the use of the Osquery framework for cyber security incident response. We use Kolide Fleet as a front-end for endpoint and query management, and the popular ELK Stack to provide back-end storage, search capabilities and presentation of the acquired data to the analyst. We present a detailed step-by-step guide to the installation and configuration of all these tools, including the creation of a deployment-ready Osquery daemon installation package that is to be distributed to the endpoints.
Finally, the operation of this setup is demonstrated while performing an incident response on endpoints infected with Dridex (attributed to the Evil Corp threat actor), quickly discovering IOCs (Indicators of Compromise) and a part of the malware's persistence mechanism.
The Osquery framework can be effectively deployed for cyber security incident response, essentially performing a host intrusion detection role. The ability to query for the presence of various artifacts within the operating system makes Osquery a powerful tool for initial triage, as well as for focused detection of particular IOCs.
Osquery is an operating system instrumentation framework that allows administrators and cyber security personnel to obtain information about the operating system state of machines in their network as if querying a SQL database. While it is possible to run queries directly from the console of a single machine, it is the distributed deployment of the Osquery daemon (osqueryd) that provides endpoint visibility for monitoring and large-scale information-gathering purposes…
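As an added illustration of the kind of scheduled queries such a deployment runs (example pack, not part of the case study and not the queries it uses), the following osqueryd query pack checks Windows endpoints for IOC matches and common persistence locations. The SHA-256 hash and C2 address values are labelled placeholders to be replaced with the indicators from an actual investigation; the table and column names are standard osquery schema.

```json
{
  "platform": "windows",
  "version": "1.0.0",
  "queries": {
    "ioc_process_image_hash": {
      "description": "Running processes whose on-disk image matches a known-bad SHA-256 (PLACEHOLDER values).",
      "query": "SELECT p.pid, p.name, p.path, p.cmdline, h.sha256 FROM processes AS p JOIN hash AS h ON h.path = p.path WHERE h.sha256 IN ('PLACEHOLDER_SHA256_1', 'PLACEHOLDER_SHA256_2');",
      "interval": 300
    },
    "ioc_outbound_connection": {
      "description": "Processes with a socket to a known C2 address (PLACEHOLDER value).",
      "query": "SELECT p.pid, p.name, p.path, s.remote_address, s.remote_port FROM process_open_sockets AS s JOIN processes AS p USING (pid) WHERE s.remote_address IN ('PLACEHOLDER_C2_IP');",
      "interval": 300
    },
    "persistence_run_keys": {
      "description": "Autostart entries in the per-user and machine-wide Run keys; compare against a known-good baseline.",
      "query": "SELECT key, name, data, mtime FROM registry WHERE key LIKE 'HKEY_USERS\\%\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' OR key LIKE 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run';",
      "interval": 600
    },
    "persistence_scheduled_tasks": {
      "description": "Scheduled tasks whose action points outside the Windows directory.",
      "query": "SELECT name, action, path, enabled, last_run_time FROM scheduled_tasks WHERE action NOT LIKE 'C:\\Windows\\%';",
      "interval": 600
    },
    "persistence_startup_items": {
      "description": "Startup folder and registry-driven startup items, with their source.",
      "query": "SELECT name, path, args, source, status, username FROM startup_items;",
      "interval": 600
    }
  }
}
```

Loaded as a pack through the Fleet front-end, each query's results are logged by osqueryd as differential snapshots, so a new row appearing in the Run-key or scheduled-task results is what the analyst looks for in the ELK back-end.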
Download the case study to learn about Osquery for Cyber Threat Detection and DFIR.