Incident Response with Velociraptor
Clarendon Room E | Tue 14 Mar 1:30 p.m.–3:10 p.m.
Presented by
-
Mike Cohen
@scudette
https://docs.velociraptor.app/
Dr. Michael Cohen has over 20 years of experience in applying and developing novel incident response and digital forensics tools and techniques.
He has previously worked in the Australian Department of Defence as an information security specialist, at the Australian Federal Police specializing in digital forensics, network and memory forensics. In 2010 he joined Google, where he created tools in support of the incident response team.
In 2020, Mike has joined Rapid7 to support and develop Velociraptor, an advanced open source endpoint visibility tool.
Mike Cohen
@scudette
https://docs.velociraptor.app/
Abstract
With the increased prevalence of CyberCrime in recent years the likelihood that your organization will be targeted by organized crime groups has increased dramatically. Professional Cyber criminals are proficient and agile with typical dwell times measured in hours, not weeks or months as was common in the past. An unsuccessful incident response exercise can result in massive losses to the organization with critical data either ransomed or exfiltrated.
Don't worry - Velociraptor has your back! This tutorial will introduce you to this powerful open source framework capable of responding to many thousands of endpoints within minutes. Velociraptor has come onto the scene a few years ago and is getting better all the time. It is now the obvious choice for an open source Digital Forensic and Incident Response (DFIR) tool.
Velociraptor's superpower is its flexible and powerful query language called VQL. Using VQL we can implement novel detection, hunt for compromise and automate all our response needs. We cover some common use cases such as hunting for ssh keys across large networks or automatic escalation when suspicious events are discovered. We also cover real time monitoring of the endpoint (for example webshell detection via process parent/child analysis) and how VQL can be used to build sophisticated alerting around process execution chains, network connections and even bash instrumentation of the command line, all done at scale with the click of a few buttons.
With the increased prevalence of CyberCrime in recent years the likelihood that your organization will be targeted by organized crime groups has increased dramatically. Professional Cyber criminals are proficient and agile with typical dwell times measured in hours, not weeks or months as was common in the past. An unsuccessful incident response exercise can result in massive losses to the organization with critical data either ransomed or exfiltrated. Don't worry - Velociraptor has your back! This tutorial will introduce you to this powerful open source framework capable of responding to many thousands of endpoints within minutes. Velociraptor has come onto the scene a few years ago and is getting better all the time. It is now the obvious choice for an open source Digital Forensic and Incident Response (DFIR) tool. Velociraptor's superpower is its flexible and powerful query language called VQL. Using VQL we can implement novel detection, hunt for compromise and automate all our response needs. We cover some common use cases such as hunting for ssh keys across large networks or automatic escalation when suspicious events are discovered. We also cover real time monitoring of the endpoint (for example webshell detection via process parent/child analysis) and how VQL can be used to build sophisticated alerting around process execution chains, network connections and even bash instrumentation of the command line, all done at scale with the click of a few buttons.