Investigating Threat Alerts with Osquery: Understanding Threat Surface & Risk

The Uptycs Threat Intelligence team is responsible for providing a high quality, curated, and current Threat Intelligence feed to the Uptycs product. In order to deliver the threat feed, the team evaluates every single alert that is seen by our customers, and investigates the alert as feedback into the threat feed curation process. Recently we observed a malicious domain alert from a customer. The out-of-the-box alert description indicated that it belonged to the OSX/Shlayer malware family. We were quickly able to query Uptycs threat intelligence to find that the domain first appeared on February, 2019 and was reported by multiple threat intel sources. Once the threat was validated, we dove into deeper investigation to understand the threat surface and risk. This post walks through the steps and techniques we performed to analyze data that had been collected via osquery, and aggregated in Uptycs.

Read More

Topics: osquery, incident investigation, threat hunting, threat intelligence

Announcing the osquery@scale Conference

Osquery has become a popular tooling for endpoint-based security analytics. The user community is thriving and vibrant as reflected in GitHub security showcase and osquery slack channel activity. There are many organizations, large and small, who are using it for a wide-variety of use cases. There are anecdotal references to organizations such as Facebook, Google and others using it at very large scale to get security visibility.

Read More

Topics: osquery

[Infographic] macOS Native Security Configurations and osquery

Be it for macOS or my dog eating out of the trash, there is no such thing as a bullet-proof security policy. It’s all about creating a threshold of standards- something to work off of while simultaneously reducing overall risk (you know, like storing your trash can on the counter, for example).

Read More

Topics: osquery, macOS, mac edr, open-source, asset inventory, security hygiene

Performant Osquery – Enterprise-grade Osquery at Scale Considerations

In this blog post I’ll cover osquery’s ability to provide performant behavior and its capabilities to excel at enterprise grade requirements. Many observations covered in this blog will highlight various capabilities of osquery that should aid in your journey toward an enterprise-grade osquery deployment.

Read More

Topics: osquery, TLS, system architecture, open-source, cloud security

Osquery Security Use Cases and Solutions

Osquery has become a popular source of instrumentation for a wide variety of use cases. On github security showcase, it is currently among the top most popular open source security projects. Given the popularity, a recurring question is what use cases can one address with osquery in an enterprise environment?

Read More

Topics: osquery, system architecture, open-source, cloud security

Detecting Malicious Packages in Repositories like PyPI: Using Osquery for Complete Software Inventory

Many systems make installing 3rd party software incredibly convenient; from packaging systems and well loved Linux distribution tools like Debian Apt to app stores and per-language repositories. Users are also often allowed to install browser extensions or plugins, which come from their own “store” and are just another type of software. For these reasons, and without forgetting containers, maintaining a software inventory that allows you to identify dangerous packages has become harder to do, but more critical to accomplish.

Read More

Topics: osquery, incident investigation, asset inventory, security hygiene

[Video] Incident Investigation with Uptycs and Osquery

 

This video features Pat Haley, our Principal Sales Engineer, walking through the strengths and challenges of osquery, how osquery can be used for incident investigations, and how Uptycs can add value to an osquery deployment of any size.

Read More

Topics: osquery, video, CI/CD, cloud security, incident investigation

Building a Zero Trust Network (and where osquery fits) - GitLab’s Real Life Roadmap Recap

Kathy Wang, GitLab’s Sr. Director of Security, and Philippe Lafoucrière, a distinguished GitLab Engineer, recently presented “Towards Zero Trust at GitLab.com” at Google’s Cloud Next ‘19 event.

Read More

Topics: osquery, cloud security

Checking MDS/Zombieload Mitigations on macOS with Osquery

As a part of a pretty crazy week (Microsoft/RDS, Apple/Mojave/High Sierra, Adobe Acrobat/ Flash Player) when it comes to security updates, some new speculative execution vulnerabilities were disclosed and fixed.

Read More

Topics: osquery tutorial, osquery, macOS, malware, open-source, incident investigation

Remote Desktop Vulnerabilities: Identifying the Exposure and Patch Using Osquery

[Updated June 5th] Patching for the CVE (CVE-2019-0708) vulnerability (referred to as BlueKeep) appears to have been slow, according to Rob Graham among others. One security expert, Ryan McGeehan (@Magoo), with experience in modeling vulnerability exploit probability and has done just that with the BlueKeep security flaw. 

His concerning summary concludes:

"Chances are about even ( 47.62%)  for “in the wild” BlueKeep exploitation to be observed between now and end of June."

Follow the outline below to check your exposure using osquery.

Microsoft released an important patch to the remotely exploitable Remote Desktop Services (RDS) vulnerability. This vulnerability does not require any authentication and allows an attacker to run code remotely. Expect public exploits to start appearing soon.

Read More

Topics: osquery tutorial, osquery, Windows

Uptycs Blog | Cloud Security Trends and Analysis

Welcome! The Uptycs blog is for security professionals and osquery enthusiasts interested in exploring new ideas in cloud security. We hope you'll enjoy our blog enough to subscribe, share and comment.

Subscribe for New Posts

Find Uptycs Everywhere

Recommended Reads