Using osquery & MITRE ATT&CK to Provide Analytics for Incident Response and Threat Hunting

  • Webcast Aired Friday, 20 Mar 2020 3:30PM EDT (20 Mar 2020 19:30 UTC)
  • Speakers: Dave Shackleford, Guillaume Ross

There's a disconnect between best-practice frameworks and real-life nitty-gritty. While many frameworks broadly describe the overarching principles a robust security program should encompass, the MITRE ATT&CK framework goes a step further by connecting the dots: it details specifically what kind of attacker behavior a defender should anticipate, and how an attacker would work to thwart those vaunted best practices.

Using osquery, an open-source universal endpoint agent that makes our macOS, Linux, and Windows hosts (and the Docker containers running on them) queryable using SQL, we can begin to harden our defenses by writing and deploying queries that identify those known behaviors, organized by the twelve tactics (technique categories) of the MITRE ATT&CK matrix.
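To make the mapping concrete, here is an added example (written for this page, not material from the webcast or from the osquery project) of how a handful of osquery SQL queries line up with ATT&CK tactics. The table and column names are osquery's own (processes, listening_ports, crontab, registry, logged_in_users); the choice of which technique each query supports is this editor's suggested mapping, and the thresholds (for example, treating /tmp and /dev/shm as suspicious binary locations) are assumptions to tune per environment.

```sql
-- Persistence (T1053 Scheduled Task/Job): every cron entry on a Linux/macOS host.
-- Hunting use: diff the result set against a known-good baseline.
SELECT path, event, minute, hour, day_of_month, month, day_of_week, command
FROM crontab;

-- Persistence (Registry Run Keys / Startup Folder, T1547.001 in current ATT&CK):
-- autostart entries under every loaded user hive on Windows.
-- The % wildcard in the key path is osquery's way of expanding across HKEY_USERS SIDs.
SELECT key, name, data, datetime(mtime, 'unixepoch') AS modified
FROM registry
WHERE key LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Run';

-- Defense Evasion (T1036 Masquerading and related tradecraft): running processes
-- whose binary lives in a scratch directory or has been deleted from disk
-- (on_disk = 0 means the executable path no longer exists).
SELECT pid, name, path, cmdline, uid, on_disk
FROM processes
WHERE path LIKE '/tmp/%'
   OR path LIKE '/dev/shm/%'
   OR on_disk = 0;

-- Command and Control / Lateral Movement: which process owns each listening socket.
-- An unexpected listener (reverse shell handler, rogue SSH, etc.) shows up here
-- together with the full command line that started it.
SELECT p.pid, p.name, p.path, p.cmdline, lp.protocol, lp.address, lp.port
FROM listening_ports AS lp
JOIN processes AS p USING (pid)
WHERE lp.port != 0
ORDER BY lp.port;

-- Initial Access / Persistence (T1078 Valid Accounts): interactive sessions,
-- with the login time rendered human-readable so an analyst can spot odd hours
-- or unfamiliar source hosts.
SELECT user, tty, host, datetime(time, 'unixepoch') AS logged_in_at, pid
FROM logged_in_users
WHERE type = 'user';
```

Each of these runs as-is in osqueryi for ad-hoc triage during an incident; for hunting, the same statements go into a scheduled query pack so osqueryd emits differential results (rows added or removed since the last run) rather than a full snapshot every interval. One caveat practitioners should keep in mind: processes and listening_ports are point-in-time views, so a short-lived process can be missed between runs; where that matters, the event-based tables (for example process_events, which needs the platform's audit subsystem enabled) are the better source.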

Incident Response professionals should attend this webinar to:

  • Gain an understanding of what osquery is, how it structures data & how that data can be used across security teams
  • Learn how to create SQL queries that solve example scenarios, and get acquainted with the data and insight osquery provides
  • Map portions of the ATT&CK matrix to SQL queries, using osquery to detect these activities