Tutela Windows Agent now ships with Forensics and in-built IDS

David Vassallo
Tutela by CyberSift
Apr 19, 2022

CyberSift continues to strengthen the Tutela offering by adding two new, related features to the Windows Agent: Host Forensics and Host Forensics IDS. The technical team has been busy integrating osquery into the agent, which is what powers these new features. Because they are quite powerful and flexible, rather than one long-winded article we will discuss how our analysts, and you yourself, can use them in a series of smaller, easy-to-consume articles. In this blog post series we will explore:

  • Part 1: What does Host Forensics actually do? (this article)
  • Part 2: How to use the Host Query Editor — a Man in the Middle case study
  • Part 3: How to use Host Query Editor — a File Integrity Monitor case study
  • Part 4: Prebuilt Host Forensic rules: powering a flexible IDS
  • Part 5: Advanced Queries using the custom query editor
  • Part 6: Integrating with CyberSift SIEM
  • Part 7: Giving back to the Osquery community

What does Host Forensics actually do?

TL;DR Host Forensics allows you to query almost any attribute or feature you can think of on your hosts; for example installed software, missing security features and listening ports, among many others. Results are shown in your usual easy-to-use dashboard, with additional integration into CyberSift SIEM providing alerts whenever the results of your queries change. A visual query builder makes querying your hosts much easier.

The Itch.

Oftentimes in larger infrastructures it’s difficult to keep a sprawling inventory up to date: not just the hardware inventory, but also the software, patches, users and files installed on or using that hardware. This makes InfoSec defenders’ lives that much harder, since it means they cannot answer questions like:

  • Which machines do we need to patch due to the vulnerability in ABC software?
  • What other servers is the machine communicating with?
  • Did someone install or activate a rogue service?
  • Did an admin mistakenly/maliciously install a package they shouldn’t have?
  • A security advisory details some Indicators of Compromise. Are any of them present in our infrastructure?

The above questions result in a need for sysadmins and SOC analysts to be able to dynamically create queries against their infrastructure and review the answers in a single place.

Assets and Inventory form the very basis of incident response capabilities. Taken from: https://github.com/swannman/ircapabilities

A Solution.

There’s rarely a problem that the Open Source Community hasn’t solved. It turns out Facebook already had this itch, and solved it using a tool they have since open sourced: Osquery.

screenshot from https://osquery.io/

The tool is pretty incredible and I highly encourage you to do more reading about it. Tutela’s Host Forensics is based on osquery, so the more you learn about one the more you can do with the other. Osquery bundles almost 300 “tables” (i.e. host attributes) which you can query.

The added benefit of Tutela Host Forensics

Tutela’s Host Forensics stands on the shoulders of the Osquery giant, but what does Tutela itself bring to the table?

  • Easy deployment
    No need for extra agents: everything is bundled into a single installer and executed by the Tutela agent. Host filters in the query editor allow you to selectively execute queries across your infrastructure.
  • Easy queries
    The dashboard provides a visual “query editor” which guides analysts through setting up queries in a quick and easy way (we’ll explore this in the upcoming case studies in parts 2 and 3), while advanced users are still afforded the full power of osquery through the custom query editor.
  • Prebuilt osquery queries which monitor your endpoints on every run for changes. This is the basis of our “Host Forensics IDS”, which we will explore in Part 4.
  • Integration into the Tutela dashboard.
    The dashboard gives you a single place to view host queries along with detected vulnerabilities, compliance checks, and a lot more.
  • Integration with CyberSift SIEM.
    Keep a historical record of forensic queries, alerts, custom dashboards, and a lot more. We’ll explore this a little more in Part 6.
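To make the two ideas above concrete, here is an added example (written for this post, not Tutela's or osquery's own code) that pairs osquery SQL answering two of the questions from "The Itch" with the change-detection logic behind a "monitor on every run" IDS rule: run a query, compare its rows with the previous run, and report what appeared or disappeared. The table and column names are real osquery tables; the `run_osquery` helper and the two listening_ports snapshots are assumptions constructed for illustration.

```python
"""Differential monitoring of osquery results: diff this run's rows against the last run."""
import json
import subprocess
from typing import Iterable

# osquery SQL for two questions raised above: rogue listeners/services and startup items.
QUERIES = {
    "listening_ports": (
        "SELECT p.pid, p.name, l.port, l.protocol, l.address "
        "FROM listening_ports l JOIN processes p USING (pid);"
    ),
    "startup_items": "SELECT name, path, source, status FROM startup_items;",
}

def run_osquery(sql: str) -> list[dict]:
    """Run a query through osqueryi (must be installed) and return its rows as dicts."""
    out = subprocess.run(["osqueryi", "--json", sql], capture_output=True, text=True, check=True)
    return json.loads(out.stdout)

def row_key(row: dict) -> tuple:
    """osquery rows are flat string dicts; a sorted item tuple makes a row hashable."""
    return tuple(sorted(row.items()))

def diff_rows(previous: Iterable[dict], current: Iterable[dict]) -> dict:
    """Rows only in the current run are 'added'; rows only in the previous run are 'removed'."""
    before = {row_key(r): r for r in previous}
    after = {row_key(r): r for r in current}
    return {
        "added": [after[k] for k in after.keys() - before.keys()],
        "removed": [before[k] for k in before.keys() - after.keys()],
    }

# Constructed snapshots of the listening_ports query (sample data, not real output).
PREV_RUN = [
    {"pid": "4", "name": "System", "port": "445", "protocol": "6", "address": "0.0.0.0"},
    {"pid": "1120", "name": "svchost.exe", "port": "135", "protocol": "6", "address": "0.0.0.0"},
]
THIS_RUN = PREV_RUN + [
    # A listener that was not there last run: exactly what an IDS rule should flag.
    {"pid": "3388", "name": "unknown.exe", "port": "8080", "protocol": "6", "address": "0.0.0.0"},
]

if __name__ == "__main__":
    # Swap the constructed snapshots for run_osquery(QUERIES["listening_ports"]) on a live host.
    print(json.dumps(diff_rows(PREV_RUN, THIS_RUN), indent=2))
```

A scheduled query in osqueryd produces the same added/removed view natively through its differential logging; the standalone version above is handy when comparing ad hoc `osqueryi --json` snapshots.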

What does all this look like?

Here’s a quick demo of what it’s like using the visual query editor to set up a query showing what startup items my laptop has. Quick and easy :)

Stay tuned for the next part of this series

For any questions / feedback please get in touch!
