Mozilla InvestiGator

Investigate 1,000 endpoints in 10s
from the command line

slides at mig.ninja/osdf16

$ whoami

Julien Vehent

  • DevOps, coder, security guy
  • Work mostly on web services and crypto systems

Disclaimer: not strictly speaking a forensics guy.

It's friday at the office

Max just finished a whole week of code...

... and pushes his changes to github

git commit -a && git push github master

You've got ~7 minutes to locate and remove that key from all systems

What just happened?

It's monday, and
your favorite APT report is out

  eefc66a1e978dc9d825f28702106d4d5
  efa23860086c5d12d3e6b918073c717f
  f3c5c20f5c45fc401484caf72753d778
  fad8f37c9bd5420f49cfd5960a60fa24
  fb3495715764cdaa547f2b040c0a9b1f

How much time will it take to scan all your systems for those IOCs?

About 20 seconds

MIG is made for cmd line fanatics

(not for xml sorcerers)

$ mig file -e 20s \
    -path /usr -path /bin -path /sbin -path /tmp -path /opt \
    -md5 eefc66a1e978dc9d825f28702106d4d5 \
    -md5 efa23860086c5d12d3e6b918073c717f \
    -md5 f3c5c20f5c45fc401484caf72753d778 \
    -md5 fad8f37c9bd5420f49cfd5960a60fa24 \
    -md5 fb3495715764cdaa547f2b040c0a9b1f \
    -matchany -maxdepth 2
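What an agent does with a request like that, as an added example in Go (the language MIG is written in) that is not MIG's own code: walk the requested paths no deeper than -maxdepth, hash files on the endpoint, and report only the paths whose MD5 is one of the IOCs (-matchany). The depth convention (a file directly under a root is at depth 1) and the skip-unreadable-entries behaviour are this example's assumptions.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// md5File streams a file through MD5 and returns the lowercase hex digest, or "" if it
// cannot be read; streaming keeps memory flat even on very large files.
func md5File(p string) string {
	f, err := os.Open(p)
	if err != nil { return "" }
	defer f.Close()
	h := md5.New()
	if _, err := io.Copy(h, f); err != nil { return "" }
	return hex.EncodeToString(h.Sum(nil))
}
// ScanHashes walks each root, hashes every regular file no deeper than maxDepth directory
// levels (a file directly under a root is at depth 1, as with find -maxdepth) and returns the
// paths whose MD5 is in wanted, i.e. -matchany over several -md5 checks, all computed on the host.
func ScanHashes(roots, wanted []string, maxDepth int) []string {
	set := make(map[string]bool, len(wanted))
	for _, h := range wanted {
		set[strings.ToLower(h)] = true // IOC feeds mix upper- and lower-case hex
	}
	var hits []string
	for _, root := range roots {
		root = filepath.Clean(root)
		filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
			if err != nil { return nil } // unreadable entry: skip it, do not abort the scan
			depth := 0
			if rel, _ := filepath.Rel(root, p); rel != "." {
				depth = strings.Count(rel, string(filepath.Separator)) + 1
			}
			switch {
			case d.IsDir() && depth >= maxDepth:
				return filepath.SkipDir // everything below would exceed -maxdepth
			case d.Type().IsRegular() && set[md5File(p)]:
				hits = append(hits, p)
			}
			return nil
		})
	}
	return hits
}
```

Symlinks are never followed or hashed, so a scan stays inside the requested roots.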

Wait, there were some botnet IPs in that report too...

It's wednesday, and the boss wants to know which systems aren't behind proxies

"Maybe you could dump all the firewall configs for the datacenter and parse the ALLOW rules and..."

(it's actually not a bad idea)

(but it would take forever to implement)

Why not just ping google from everywhere and see what fails?

The faster we run investigations,
the more we will investigate.

  • bob left the company, did we revoke all his access?
  • massive libstuff1 vulnerability, is it used anywhere?
  • found IP 13.37.66.66 brute forcing the VPN, check other nodes to see if it's connected
  • does anyone remember that weird host that was running an anonymous proxy?

Why not do all this

  • using PSSH
  • at the perimeter, using IDS
  • at provisioning, by auditing the code

?

Infrastructure @ Mozilla

  • Some use datacenters, others AWS
  • or Heroku
  • or Linode
  • or offices (12 of them)
  • or their garage (Hi!...)

Incident Response at Mozilla

Security at the perimeter
does not work

When your infrastructure
lives all over the internet

MIG's core principles

  1. Fast & Massively Distributed investigations.
  2. Simple to deploy across all operating systems.
  3. Strong Security! All actions are signed and recorded.
  4. Do not retrieve raw data, respect Privacy.

1.
Fast & massively distributed investigations

Distribute work through queues (via RabbitMQ).
Compute agent-side, not server side.
API/DB/Scheduler only pass messages around.

2.
Simplicity of deployment

Assume we only have one shot to set up agents.
No dependencies: deploy static binaries.
In unmanaged environments, build the configuration into the binary.
MIG Loader installs & updates agents completely autonomously.

3.
Strong Security

An agent only runs an action if all of these conditions are met:

  1. the action has valid PGP signatures
  2. issued by trusted investigators
  3. who are authorized to use the requested module
  4. multiple signatures are required to run sensitive modules

    Modules never grant root to systems. Taking over the MIG servers can't be escalated to the rest of the infrastructure.

4.
Don't retrieve raw data

Reduces operational cost (smaller DB, less bandwidth).
Helps speed up investigations (see point 1).
Prevents abuse of the service by a rogue investigator.

What else can you do?

Scan memory

(userland only)

Find machines connected to a specific USB device

mig file -matchany -path /sys/devices/ -name "^uevent$" \
-content "PRODUCT=20a0/4107"

Find a device by its mac address

mig netstat -nm 8c:70:5a:c8:be:50

Find endpoints running ElasticSearch...

mig file -path /proc -name "^cmdline$" -maxdepth 2 \
-content "[e]lasticsearch"

... and locate them on a map

Measure security compliance

{
    "module": "file",
    "parameters": {
        "searches": {
            "checkforverboselogging": {
                "paths": [
                    "/etc/ssh/sshd_config"
                ],
                "contents": [
                    "(?i)^loglevel verbose$"
                ]
            },
            "checkpasswordusageisoff": {
                "paths": [
                    "/etc/ssh/sshd_config"
                ],
                "contents": [
                    "(?i)^passwordauthentication no$"
                ]
            }
        }
    }
}
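How the agent decides those two checks, as an added example in Go that is not MIG's own code: the action above is parsed and each search is run against an in-memory stand-in for the host's files. It assumes the file module tests a content regex line by line (which is what the ^...$ anchors rely on) and that every check of a search must match unless -matchany is set.

```go
package main

import (
	"encoding/json"
	"regexp"
	"strings"
)

// Search is one entry of the file module's "searches" parameter (only the fields used here).
type Search struct {
	Paths    []string `json:"paths"`
	Contents []string `json:"contents"`
}
// lineMatch reports whether re matches at least one line of body. The module tests content
// regexes line by line, which is what the ^...$ anchors in the policy expect.
func lineMatch(re *regexp.Regexp, body string) bool {
	for _, line := range strings.Split(body, "\n") {
		if re.MatchString(strings.TrimRight(line, "\r")) { return true }
	}
	return false
}
// Evaluate parses a file-module action and runs each search against files (path -> body,
// standing in for the agent's filesystem). A search matches when one of its paths exists and
// every content regex matches some line of it (the default; -matchany would relax "every"
// to "any"). Absent files never match, and an invalid regex fails the whole action.
func Evaluate(actionJSON string, files map[string]string) (map[string]bool, error) {
	var a struct {
		Parameters struct {
			Searches map[string]Search `json:"searches"`
		} `json:"parameters"`
	}
	if err := json.Unmarshal([]byte(actionJSON), &a); err != nil { return nil, err }
	result := make(map[string]bool)
	for name, s := range a.Parameters.Searches {
		result[name] = false // report misses explicitly, not just hits
		for _, p := range s.Paths {
			body, present := files[p]
			allHit := present
			for _, c := range s.Contents {
				re, err := regexp.Compile(c)
				if err != nil { return nil, err }
				allHit = allHit && lineMatch(re, body)
			}
			if allHit { result[name] = true }
		}
	}
	return result, nil
}
```

A host whose sshd_config has "LogLevel VERBOSE" but "PasswordAuthentication yes" comes back with the first search true and the second false, which is the compliance gap the investigator is after.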
                    

List vulnerable packages

{
    "objects": [
        {
            "object": "libnss3-package",
            "package": {
                "name": "libnss3:amd64"
            }
        }
    ],
    "tests": [
        {
            "test": "libnss3 test",
            "object": "libnss3-package",
            "evr": {
                "operation": "<",
                "value": "2:3.19.2"
            }
        }
    ]
}

Scribe finds bad packages

A vulnerability database, such as Ubuntu USN, or OpenVAS NVT, is converted into a JSON Scribe policy.

Each MIG agent runs the thousands of tests from the policy locally and returns the out-of-date packages.

https://github.com/mozilla/mig/tree/master/actions/scribe
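How an evr test such as the libnss3 one above is decided on the agent, as an added example in Go that is not Scribe's own code: it implements dpkg's version ordering (epoch, then upstream, then revision, with digit runs compared numerically and '~' sorting before everything), so the version reported by the package manager can be tested against the policy value "2:3.19.2". Plain string comparison would order 3.9 after 3.19, exactly the false negative a vulnerability scanner must avoid.

```go
package main

import (
	"strconv"
	"strings"
)

func isDigit(c byte) bool { return c >= '0' && c <= '9' }
// order is dpkg's weight for byte i of s: end of string and digits are 0, '~' is -1 (sorts first), letters by ASCII, other bytes +256.
func order(s string, i int) int {
	if i >= len(s) || isDigit(s[i]) { return 0 }
	if s[i] == '~' { return -1 }
	if c := s[i] | 0x20; c >= 'a' && c <= 'z' { return int(s[i]) } // ASCII letter
	return int(s[i]) + 256
}
// verrevcmp compares an upstream or revision fragment like dpkg: non-digit runs by order, digit runs numerically.
func verrevcmp(a, b string) int {
	for i, j := 0, 0; i < len(a) || j < len(b); {
		for (i < len(a) && !isDigit(a[i])) || (j < len(b) && !isDigit(b[j])) {
			if d := order(a, i) - order(b, j); d != 0 { return d }
			i, j = i+1, j+1
		}
		for i < len(a) && a[i] == '0' { i++ } // leading zeros are insignificant
		for j < len(b) && b[j] == '0' { j++ }
		first := 0
		for i < len(a) && j < len(b) && isDigit(a[i]) && isDigit(b[j]) {
			if first == 0 { first = int(a[i]) - int(b[j]) }
			i, j = i+1, j+1
		}
		if i < len(a) && isDigit(a[i]) { return 1 } // the longer digit run is larger
		if j < len(b) && isDigit(b[j]) { return -1 }
		if first != 0 { return first }
	}
	return 0
}
// split breaks "epoch:upstream-revision" apart; epoch defaults to 0 and revision to "".
func split(v string) (epoch int, upstream, revision string) {
	if k := strings.IndexByte(v, ':'); k >= 0 { epoch, _ = strconv.Atoi(v[:k]); v = v[k+1:] }
	if k := strings.LastIndexByte(v, '-'); k >= 0 { return epoch, v[:k], v[k+1:] }
	return epoch, v, ""
}
// Compare returns <0, 0 or >0 when a is older than, equal to or newer than b. The policy's
// evr test {"operation": "<", "value": V} flags a package when Compare(installed, V) < 0.
func Compare(a, b string) int {
	ea, ua, ra := split(a)
	eb, ub, rb := split(b)
	if ea != eb { return ea - eb }
	if c := verrevcmp(ua, ub); c != 0 { return c }
	return verrevcmp(ra, rb)
}
```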

MIG is a lightweight service for rapidly investigating large infrastructure

It's not a full-featured investigation platform, it's a tool to reduce the scope of an investigation

and do so as fast as possible, and with style.

Questions?


## ##                                     _.---._     .---.
# # # /-\ ---||  |    /\         __...---' .---. '---'-.   '.
#   #|   | / ||  |   /--\    .-''__.--' _.'( | )'.  '.  '._ :
#   # \_/ ---| \_ \_/    \ .'__-'_ .--'' ._'---'_.-.  '.   '-'.
     ###                         ~ -._ -._''---. -.    '-._   '.
      # |\ |\    /---------|          ~ -.._ _ _ _ ..-_ '.  '-._''--.._
      # | \| \  / |- |__ | |                       -~ -._  '-.  -. '-._''--.._.--''.
     ###|  \  \/  ---__| | |                            ~ ~-.__     -._  '-.__   '. '.
          #####                                               ~~ ~---...__ _    ._ .' '.
          #      /\  --- /-\ |--|----                                    ~  ~--.....--~
          # ### /--\  | |   ||-\  //
          #####/    \ |  \_/ |  \//__
                    

Check it out at https://mig.ninja

Link to these slides: mig.ninja/osdf16