osquery is in the news a few places this week. They won an award at O’Reilly Security, the 2017 Project Defender Award. They were at Microsoft BlueHat, and they’ve got a new blog post.
[…] This marks the start of a four-part blog series that sheds light on the current state of osquery, its shortcomings and opportunities for improvement. […]
How are teams currently using osquery?
Nice, in addition to an upcoming new EFI tool, it appears Duo has some defensive advice, using OSQuery, Puppet, and Chef. Click on the first tweet below for an image from their upcoming presentation.
Note that Teddy Reed is giving a presentation on OSQuery in November at Usenix LISA:
Pepijn’s Apple EFI version spreadsheet:
I only recently learned about Facebook’s osquery project. If you have not looked at it, it is fairly impressive.
Mike Arpaia and Ted Reed of Facebook have a post on Facebook infrastructure, and they include firmware in their coverage of infrastructure testing:
In late 2014, we released osquery to the open source community. It’s now an increasingly important element of maintaining insight into the security of Facebook infrastructure. As such, it’s held to incredibly strict security standards to ensure we’re not introducing new vulnerabilities into our network. We also committed to a high standard of code quality when we open-sourced it because we want to build a community of trust with a secure software development ecosystem. In this same vein, we believe it’s important for people who use osquery to know what we do to keep it secure. […]
Ted Reed of Facebook — aka the Teddy Reed who creates UEFI Firmware Parser and related tools — posted a VERY GOOD article on how Facebook defends systems against hardware and firmware attacks, including coverage of Facebook’s osquery tool, and his recent Usenix Enigma presentation. Excerpt of introduction (with whitespace editing by me, sorry):
Hardware and Firmware Attacks: Defending, Detecting, and Responding
The attack landscape for firmware is maturing and needs more attention from defense and detection communities. Recent examples of firmware attacks include the Equation Group’s attacks on drive firmware, Hacking Team’s commercialized EFI RAT, Flame, and Duqu. Simple tools like osquery give defenders important insights about what’s happening on their network so they can quickly detect a potential compromise. Facebook released osquery as an open source project in 2014. Facebook recently added hardware monitoring to osquery, which already aids security teams in vulnerability management, incident response, OS X attacks, and IT compliance.

Firmware on commodity laptops and servers is interesting to me as a security engineer for several reasons. This code often bootstraps trust protocols and protective architecture primitives. At the same time, it is a target for vulnerabilities aimed at bypassing those exact controls to unlock, jailbreak, and homebrew — for either good or malicious purposes. Firmware is also a vector for virtualization escapes, hypervisor attacks, and extreme persistence. That risk is magnified by the same fragmentation problem plaguing Android devices, but with an even more complex ecosystem of developers and supported devices.

Recent examples of firmware attacks include the Equation Group’s attacks on drive firmware, Hacking Team’s commercialized EFI RAT, Flame, and Duqu. Trammell Hudson’s Thunderstrike-style local system takeover is fast and effective. Drew Suarez’s demonstrations of firmware flashing of Android devices take four seconds of a distracted local user’s attention. Additionally, Computrace has used a UEFI DXE driver capable of injecting a RAT onto unencrypted NTFS partitions for several years. All of this makes firmware security critical for protecting your enterprise.

This week, I shared recent work on firmware security at the Enigma 2016 Conference, hosted by USENIX.
Since releasing osquery to open source in 2014, I’ve been using it to explore new ways to recognize vulnerable systems and potential compromise. Defensive security professionals should begin scoping firmware components and use simple tools like osquery to gather insight and signal from their corporate network. […]
I’ve not used Facebook’s osquery before, so I have a lot of catching up to do. ;-(
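The excerpt above recommends using osquery to gather firmware signal from a fleet, and the Duo/Pepijn items earlier on this page revolve around tracking Apple EFI versions against a known baseline. The following is an added example, written for this page and not code from Facebook, Duo, or the osquery project: it takes the JSON that `osqueryi --json` emits for a query over osquery's `platform_info` and `system_info` tables (column names as documented for those tables; check them against your osquery version), joins the rows to a per-model baseline of expected firmware versions, and flags hosts whose firmware version differs, whose model has no baseline entry, or which returned no firmware row at all. Hostnames, model names, and firmware version strings in the sample data are constructed placeholders, not real Apple EFI identifiers.

```python
"""Audit osquery firmware results against a per-model baseline.

Added example for this page (not osquery/Facebook/Duo code). Assumes the
osquery columns platform_info.vendor/version/date and
system_info.hostname/hardware_model; all sample values are constructed.
"""
import json

# Query a collector would run on each host, e.g. osqueryi --json "<QUERY>".
# system_info and platform_info each return a single row, so the cross join
# yields exactly one combined row per host (or none if platform_info is empty).
QUERY = (
    "SELECT s.hostname, s.hardware_model, p.vendor, p.version, p.date "
    "FROM system_info s, platform_info p;"
)

# Constructed sample: raw JSON text as osqueryi --json would print it, one
# string per host. mac-04 models a host where platform_info returned no row.
SAMPLE_OUTPUT = {
    "mac-01": '[{"hostname":"mac-01","hardware_model":"MODEL-A",'
              '"vendor":"Apple Inc.","version":"EFI-A-2017.09","date":"09/01/2017"}]',
    "mac-02": '[{"hostname":"mac-02","hardware_model":"MODEL-A",'
              '"vendor":"Apple Inc.","version":"EFI-A-2016.03","date":"03/01/2016"}]',
    "mac-03": '[{"hostname":"mac-03","hardware_model":"MODEL-Z",'
              '"vendor":"Apple Inc.","version":"EFI-Z-2017.01","date":"01/01/2017"}]',
    "mac-04": "[]",
}

# Constructed baseline: the firmware version each model is expected to run,
# standing in for a maintained spreadsheet or inventory system.
BASELINE = {
    "MODEL-A": "EFI-A-2017.09",
    "MODEL-B": "EFI-B-2017.07",
}


def collect_rows(outputs):
    """Parse per-host osquery JSON into flat dicts, keeping hosts with no data."""
    rows = []
    for host, text in outputs.items():
        result = json.loads(text)
        if not result:
            # No platform_info row: still emit a record so the host is not silently dropped.
            rows.append({"host": host, "hardware_model": None, "version": ""})
            continue
        r = result[0]
        rows.append({
            "host": r.get("hostname", host),
            "hardware_model": r.get("hardware_model"),
            "vendor": r.get("vendor"),
            "version": r.get("version") or "",
            "date": r.get("date"),
        })
    return rows


def audit_firmware(rows, baseline):
    """Classify each host: ok, mismatch, unknown-model, or no-firmware-data."""
    findings = []
    for row in rows:
        model = row.get("hardware_model")
        version = row.get("version") or ""
        expected = baseline.get(model) if model else None
        if not version:
            status = "no-firmware-data"   # query returned nothing; investigate collection
        elif expected is None:
            status = "unknown-model"      # baseline has no entry; extend the baseline
        elif version == expected:
            status = "ok"
        else:
            status = "mismatch"           # older or unexpected firmware; schedule update/review
        findings.append({
            "host": row["host"], "model": model, "version": version,
            "expected": expected, "status": status,
        })
    return findings


def needs_attention(findings):
    """Everything that is not an exact baseline match."""
    return [f for f in findings if f["status"] != "ok"]


if __name__ == "__main__":
    for f in needs_attention(audit_firmware(collect_rows(SAMPLE_OUTPUT), BASELINE)):
        print(f"{f['host']}: {f['status']} (model={f['model']}, "
              f"version={f['version'] or '-'}, expected={f['expected'] or '-'})")
```

Exact string comparison is deliberate: EFI version strings do not sort reliably as numbers, so "is it the version we approved for this model" is a safer question than "is it newer". A host that lands in `no-firmware-data` is worth a look as a collection failure before it is treated as a security finding.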