Texas Cyber Summit II

Why is DFIR at scale imperative in today’s threat landscape?
* When responding to a potential Security Incident, time is the essence
* While pulling memory image from an endpoint and using Forensic tool like Volatility is the most comprehensive methodology, it is also very time and resource intensive.
* In this talk, we’ll try to explore if we can leverage an agent that’s already running on endpoints to kickstart initial triage and investigation
* Osquery is a popular Open Source Project with more than 5000+ commits from 264 contributors
* The Osquery framework exposes the Operating System as a relational database and we can run SQL queries to pull specific artifacts e.g. logged on users, process tree, docker containers etc
* Two parallel methodologies : (1) Stand-Alone to collect data one-off (during a forensic/reactive investigation (2) Running as a service for periodic data collection for anomaly detection/proactive threat hunting
* Attack Scenarios based on MITRE Attack Framework- e.g. Detecting Meterpreter Reverse Shell
* More use-cases: Detecting Docker Container Exploit attempt , Detecting malicious Crypto-mining, Scoping a Supply Chain Attack etc.
* Power of osquery Evented tables, File Integrity Monitoring etc.
* Custom Extensions and plugins 
* Interesting Projects and ongoing research from the Open Source Community