[MacTUG] Proactive Mac Security: osquery

Mike Patterson mpatterson at uwaterloo.ca
Tue Jan 31 13:21:40 EST 2017


If it helps - I’ve been looking for a way to trick^Wconvince people that osquery might be useful since it was first opened up. I don’t know what I could do to actually contribute, but if it helps to convince anybody, I would be supportive of groups trying it on for size.

Mike

— 
Mike Patterson - Manager, Information Security Operations
Information Security Services, University of Waterloo
+1 519-888-4567, x47178 / mike.patterson at uwaterloo.ca
Security Operations Centre x41125 / soc at uwaterloo.ca

> On Jan 31, 2017, at 11:29 AM, m3griffi <m3griffi at uwaterloo.ca> wrote:
> 
> """
> osquery does not need to know everything about a system. You can disable tables (collections of data in SQL parlance) from being accessed to ensure you aren’t collecting information you don’t want, like environment variables a developer might leak credentials into. And the product doesn’t even collect browser histories, which incident response will need to pull an image of the affected drive to access. That being said, what it can access are the most common indications of compromise: browser extensions, launchd jobs, applications stuffed out of sight, and other ways badware tries to get persistence on a Mac. It can also overcome a blind spot in the “periodic run” inventory tools: what happens if an event occurs in between the interval that it’s scheduled to collect this data? osquery overcomes this with tables whose names end in “_events”, which leverage system frameworks for high-priority data types. These have the capability of essentially “streaming” the actions it’s configured to pick up on in real-time when using the osqueryd daemon.
> 
> Another way it can be less naive than other systems like xprotect is its support for file integrity monitoring (FIM) – other tools that are based on the presence of definitions must find an exact match to be “known-bad”. FIM can help you work in reverse by reporting on known good files at certain paths, so you don’t have to trust file names at certain paths in order to tell everything is as you’d expect it to be. Many pieces of malware hide in plain sight by choosing names that will be overlooked by casual inspection. Being able to collect fingerprints on files you don’t recognize or DON’T match as-of-yet known-bad files means you can do your own research without actually pulling the artifact off the affected machine. Apple’s future push towards adopting xip files and DMG signing instead of zips will help extend this chain of trust to the distribution step as well. osquery can also stream DMG mount events so you can trace the path from a benign-looking filedropper to the actual infected application.
> 
> In this way osquery can watch the fence-jumping and give you the historical play-by-play of what is occurring – if a new launchd shows up after a DMG mount event, your chain of cause and effect is captured way before VirusTotal can scrape up enough strikes for the AV vendors to wake up about that particular strain of an infection.
> 
> Finally, one of the built-into-the-core features of osquery is the ability for it to both receive configs over https and send the results of queries over the wire as well. And a newer table (this is going to BLOW YOUR MIND) can parse Apple System Log – perhaps obviating the need for most log aggregation and shipping. Not only can osquery gather its own criteria, but it can also send scraped data from other logs! I hope this dipping-of-a-toe into osquery has piqued your interest. In addition to the U of Utah presentation above, I gave talks on leveraging osquery from python for Philly Mac Admins, and a more… “entertaining” intro at MacDevOps YVR.
> 
> https://www.afp548.com/2016/08/23/proactive-mac-security-osquery/
> """
> 
> macos
> 
> _______________________________________________
> MacTUG mailing list
> MacTUG at lists.uwaterloo.ca
> https://lists.uwaterloo.ca/mailman/listinfo/mactug
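The quoted article describes disabling tables, FIM on persistence paths, and the streaming "_events" tables; the osqueryd configuration below puts those pieces together. It is added here as an illustration and is not taken from the article or from the list message; the watched paths, the intervals and the choice of `process_envs` as the table to disable are this example's own assumptions.

```json
{
  "options": {
    "disable_tables": "process_envs",
    "enable_file_events": "true"
  },
  "schedule": {
    "launchd_jobs": {
      "query": "SELECT path, label, program, program_arguments, run_at_load FROM launchd;",
      "interval": 3600
    },
    "launchd_file_changes": {
      "query": "SELECT target_path, category, action, sha256, time FROM file_events;",
      "interval": 300
    },
    "safari_extensions_inventory": {
      "query": "SELECT name, identifier, version, path FROM safari_extensions;",
      "interval": 3600
    },
    "disk_image_mounts": {
      "query": "SELECT action, name, device, path, filesystem, time FROM disk_events;",
      "interval": 300
    }
  },
  "file_paths": {
    "launchd": [
      "/Library/LaunchAgents/%%",
      "/Library/LaunchDaemons/%%",
      "/Users/%/Library/LaunchAgents/%%"
    ]
  }
}
```

Keys under `options` mirror osqueryd command-line flags, so `disable_tables` hides `process_envs` (the developer-credential leak the article warns about) and `enable_file_events` turns the `file_paths` categories into hashed `file_events` rows. The https config and logger delivery the article mentions are selected with flags at daemon start (`--config_plugin=tls`, `--logger_plugin=tls`), since the config itself is what those plugins fetch and ship.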
