Data Philosophy and Technology Combine for Better Endpoint Security

EclecticIQ
EclecticIQ Blog
Published in
5 min readDec 29, 2022

--

eiq-endpoint-response

Russel Ackoff was the one of first to define a hierarchy from data to wisdom (1). In Ackoff’s words:

“Data are symbols that represent the properties of objects and events. Information consists of processed data, the processing directed at increasing its usefulness. For example, census takers collect data. The Bureau of the Census processes that data, converting it into information that is presented in the numerous tables published in the Statistical Abstracts. Like data, information also represents the properties of objects and events, but it does so more compactly and usefully than data. The difference between data and information is functional, not structural.

Information is contained in descriptions, answers to questions that begin with such words as who, what, when, where, and how many. Knowledge is conveyed by instructions, answers to how-to questions. Understanding is conveyed by explanations, answers to why questions.

Information, knowledge, and understanding enable us to increase efficiency, not effectiveness…”

ackoff
Figure 1. The DIKW Pyramid

The last sentence is the essence of much of computing — the defining goal being the drive toward efficiency.

When Ackoff wrote his article, computing technology was at the cusp of data and information. With the advent of advanced tools like big data analytics and artificial intelligence, one might make a bold statement that today, computing technology straddles the gap between information and knowledge.

However, the key to everything is efficiency. One of the key technologies that enable efficiency is the ability to search easily and effectively. The search for information, knowledge or data is not something that the computing industry invented. Library scientists, for example, had already developed sophisticated search technologies (Catalog cards). Imagine a library filled with millions of books but with no good way to search them. If one had to manually take each book out of its shelf and read the introduction, one would never learn anything. Therefore search becomes the crucial piece of technology to drive efficiency when one has access to data, information and knowledge. The analogy extends easily to computers. Google and the internet are often used synonymously, and are often hyphenated as google-internet. Imagine an internet filled with information, but a world without a google.

So, now you may be thinking “alright, but this has nothing to do with endpoint security.”

Searching Files For Information Security

Let’s start with a use case. In recent times, we’ve been hit with several supply chain vulnerabilities in popular open-source libraries like openssl and log4j. If another such vulnerability were to be reported, you would want to check that all the systems in your organization have the latest patched versions of the affected libraries. You could use osquery’s hash table, which will compute the hash of a given file. The screenshot below shows how you can use EclecticIQ Endpoint Response to find out all the systems which contain an openssl library that is not at the latest level (specified by a known checksum).

ackoff-1-1

But applications may be carrying their own versions of those libraries and may put them in different locations under slightly different names. This poses a challenge because osquery’s hash table can only compute hashes if the full path to a file is known. So, if the dll is not at the standard location, it might be quite challenging to get all non-compliant versions of the dll.

Disk Indexing in EclecticIQ Endpoint Response 4.0

In EclecticIQ Endpoint Response 4.0 we’ve added a new feature for disk indexing which can help in such scenarios. EclecticIQ Endpoint Response 4.0 can be configured to periodically index all NTFS drives, and the index can be queried through a table called win_disk_index. The disk indexing feature is not enabled by default. The feature can be enabled with the following config. In this case, indexing is enabled and set to reindex once every day (86400 seconds). If the value of custom_plgx_DiskIndexingReindexTimeout is set to 0, it would configure EclecticIQ Endpoint Response to index the disk only once and never again.

ackoff-2

Once the index is created, you can easily query all versions of openssl.dll on all the end-points in your organization with a simple live query that looks up the win_disk_index table.

ackoff-3

You could now combine this table with osquery’s hash table to report all the hashes of all the files that are not at the latest patch level, assuming that the checksum of the patched library is known.

ackoff-4

That’s it, you’re done. In just a few simple steps, you can combine existing osquery tables with EclecticIQ EDR’s win_file_index table to effectively protect your organization against supply chain vulnerabilities. Similarly, this can also be used to protect against malware and other attacks where hashes of malicious binaries are known.

You might also be interested in:

Comparing Sysmon and EclecticIQ Endpoint Response — Event Filters

Hunting Emotet Made Easy with EclecticIQ Endpoint Response

Investigating NATO-Themed Phishing Lures With EclecticIQ Intelligence Center and Endpoint Response Tool

Appendix

  1. Ackoff, R. L. (1989). From data to wisdom. Journal of applied systems analysis, 16(1), 3–9.

--

--

EclecticIQ
EclecticIQ Blog

EclecticIQ is a global provider of threat intelligence technology and services. Our clients are some of the most targeted organizations, globally.