Lead Image © Valentyn Ihnatkin, 123RF.com

Incident response with Velociraptor

The Hunter

Article from ADMIN 78/2023
The software namesake of the feared predator from the Jurassic Park movies hunts for traces of cyberattacks and indicators of compromise. We show you how to tame the beast and put it to work for your own purposes.

From the IT department's point of view, it always makes sense to have an overview of your company's IT infrastructure – or at least to be able to create one quickly. In the immediate aftermath of an IT security incident, you need to know fast which systems an attacker may have accessed and which systems are still operational. Velociraptor [1] then lets your staff search all of those systems systematically for indicators of compromise (IoCs).

The developers cite two well-known tools as the inspiration for their own software: the GRR Rapid Response (GRR) [2] incident response tool and the OSQuery [3] monitoring tool. GRR lets you define hunts for IoCs and run them over a period of time on all clients connected to your network; the results are sent to a central server, where they are available to admins. OSQuery, on the other hand, lets you query information from your clients in a language similar to SQL. The tool exposes information in more than 275 tables – from CPU data to network settings (e.g., DNS or static routes) to installed Chrome extensions – so you can find out pretty much everything about your systems.

Velociraptor aims to combine the capabilities of GRR and OSQuery in a single tool, while being faster, smaller, more scalable, and easier to install. Like GRR and OSQuery, the software works independently of the operating system and comes with virtually no dependencies. Beyond the functionality of GRR and OSQuery, queries can be triggered by defined events, and the Velociraptor Query Language (VQL) is used not only to run queries in the OSQuery sense but also to transfer files, modify systems and settings, and control the entire client-server infrastructure.
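The following artifact is an added example of what such a VQL-based hunt looks like; it is not taken from the article or from the Velociraptor project. It collects the running processes on a client, hashes each executable, and keeps only rows whose SHA-256 matches a list of known-bad hashes supplied as a parameter. The artifact name, the parameter name and the default hash value (the SHA-256 of the empty string, used only as a placeholder) are assumptions made for illustration; `pslist()`, `hash()` and `split()` are standard VQL plugins and functions.

```yaml
# Added example artifact (not from the article or the Velociraptor project).
# Import it via the server GUI (View Artifacts > Add) and then launch it
# as a hunt or as a one-off collection on a single client.
name: Custom.Hunt.KnownBadHashes          # assumed name, not an official artifact
description: |
  List running processes whose executable on disk has a SHA-256 hash
  that appears in the BadHashes parameter. Intended to be run as a hunt
  across all connected clients after an incident.
type: CLIENT

parameters:
  - name: BadHashes
    description: Newline-separated list of known-bad SHA-256 hashes (IoCs)
    # Placeholder default: SHA-256 of the empty string. Replace with real IoCs.
    default: |
      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

sources:
  - query: |
      -- Materialize the parameter into a list once, rather than
      -- re-splitting it for every process row.
      LET bad_hashes <= split(string=BadHashes, sep="\n")

      -- pslist() enumerates live processes; hash() reads the executable
      -- from disk and returns MD5/SHA1/SHA256 in one struct. The WHERE
      -- clause drops processes without a resolvable image path (e.g.
      -- kernel threads) before hashing and then keeps only IoC matches.
      SELECT Pid, Ppid, Name, Exe, CommandLine, Username,
             hash(path=Exe) AS Hash
      FROM pslist()
      WHERE Exe AND Hash.SHA256 IN bad_hashes
```

Because the artifact is of `type: CLIENT`, it runs once per collection. The same query body could be attached to a `CLIENT_EVENT` artifact to have it re-evaluated continuously on the endpoint, which is the event-triggered mode of operation mentioned above; that variant is not shown here.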

Quick Install

The

...