The recent increase in network compromises and in the sophistication of attackers has underscored the need to rapidly identify and remediate attacks at large scale across the enterprise. The ability to rapidly collect, detect and remediate across a network is a game changer for any Digital Forensics and Incident Response (DFIR) team. It provides unprecedented visibility into the state of the endpoint and the ability to tailor responses as the investigation evolves. Having this capability in an open-source tool that allows for truly surgical collection – at speed, at scale and free – is a triple bonus.

Velociraptor is fast becoming the standard DFIR tool for hunting at scale. Featuring a powerful query language called VQL, which allows responders to adapt rapidly to fluid DFIR intrusions, Velociraptor places unprecedented reach, flexibility and power in the hands of responders. Unlike more traditional remote forensic tools, which collect large amounts of raw data for offline processing, VQL allows defenders to perform analysis directly on the endpoint. This approach allows defenders to collect only high-value, tactical information to inform their response, and to turn current state-of-the-art digital forensic analysis techniques into detections.

This talk will provide some examples of Velociraptor's use in typical DFIR scenarios, such as compromise assessment, widespread remediation and rapid response. Specifically, we examine the process of going from a detection idea, to writing the VQL that detects it, to hunting a large network (10k+ hosts) to identify the compromised hosts in minutes. Finally, we illustrate how these custom detections can be elevated to real-time monitoring rules (also implemented in VQL), allowing the endpoint to autonomously detect future compromises even while it is offline! Velociraptor is the open-source DFIR tool the industry has been crying out for - making large-scale DFIR fast, efficient and surgical!