Welcoming Yeti to the OSDFIR Infrastructure family

By
Authored by Thomas Chopitea and Wajih Yassine

Overview

We are excited to announce that Yeti is now available for use through the OSDFIR Infrastructure project.

        

What is Yeti?

Yeti aims to bridge the gap between Cyber Threat Intelligence (CTI) and Digital Forensics & Incident Response (DFIR) practitioners by providing a Forensics Intelligence platform and pipeline for DFIR teams. It was born out of the friction of having to repeatedly answer questions such as “where have I seen this artifact before?”, “how do I search for indicators of compromise (IOCs) related to this (or other) threats in my timeline?”, “what findings have I found useful in similar investigative scenarios?”.

The main goal of Yeti is not only to collect IOCs and Techniques, Tactics, and Procedures (TTPs) like a classic threat intelligence platform, but to also store and deliver DFIR intelligence such as useful queries, artifact locations, and methodologies. 

How does Yeti integrate with the rest of the OSDFIR stack?

Yeti integrates directly with Timesketch; a platform for collaborative forensic timeline analysis. The integration works in two key ways:

  • Automated searches of Yeti intelligence across Timesketch timelines

  • Importing newly discovered intelligence from Timesketch

For example, let’s say as part of a previous incident, you detect SSH brute force activity resulting in a successful login. In order to track evidence of a successful SSH login for future investigations, you add a new indicator into Yeti with a regular expression matching Accepted (publickey|password), indicating a successful SSH login as usually found in the auth.log files of a Unix system. 

During a new investigation, the Timesketch Yeti analyzer will:

  • query all documented Yeti intelligence and queries,

  • search for them across the available Timesketch timelines and

  • add the relevant tags specified in Yeti to matching events in Timesketch.

Running the Yeti Timesketch analyzer, a few hits for SSH login activity were tagged


The main search bar also has new additions:


You can click on the “Indicator matches for Successful SSH login” or the “successful-ssh-login” tag to filter out events highlighted by Yeti. Or, search for the tag:"successful-ssh-login" in the search bar to get the resulting hits.

When you identify new IOCs during an investigation you can quickly navigate to the Timesketch threat Intelligence view as shown in the screenshot below.

In the Threat Intelligence view you can add, edit, remove any items you deem unnecessary or irrelevant to the case. You can also click on the magnifying glass on the left to see all other events that match those IOCs. An example is shown in the next screenshot.

You then navigate back to to enable this as a feed (Yeti -> Feeds -> Enable the Timesketch feed).

Once the feed has run (you can manually refresh it using the refresh button), navigate back to the Entities menu, and you’ll see a new “Incident” entity, containing the relevant IOCs imported from Timesketch, which can then be used for any future investigation.

For a more detailed guide walking through using Yeti and Timesketch together, please refer to the Yeti Timesketch Investigation Guide.


The Benefits of deploying through OSDFIR Infrastructure

OSDFIR Infrastructure helps to fill that gap by streamlining the deployment, integration, maintenance, and scaling of multiple open-source DFIR tools. It provides the following key benefits:

  • Faster Deployment Times: Deployment can take a few minutes allowing responders to focus on more critical tasks.

  • Provides Consistent Configuration: Integration comes automatically, reducing risk of misconfiguration or human error.

  • Certified Deployments: No more looking at multiple tools documentation, reduces complexity from shared resources, centralized way to learn about many DFIR tools.

  • Easy to Scale: Can be installed on minimal resources and any component can be modularly scaled with a single command. Kubernetes autoscaling is a powerful feature.

  • Improves Reliability: Built-in Chart linting and testing. More ways to run integration tests to catch issues between them. Port-forwarding locally running applications is easy and reliable.

The benefits can also be summarized into the diagram below, where current processes require a lot of steps versus a single simplified deployment through OSDFIR Infrastructure.

Getting Started

To get started, please visit our getting started guide for setting up your own infrastructure locally on your machine using Minikube.

In summary

Connecting Timesketch with Yeti allows analysts to streamline and automate the sharing of DFIR intelligence across cases. However, setting the infrastructure up, configuring services, maintaining and testing deployment can be time-consuming and error-prone.

Kubernetes and HELM charts provide a turnkey solution that reduces the time and effort required to set up and maintain an effective incident response infrastructure. 

We hope this project serves as an accessible way for anyone to get started with open-source DFIR tools without spending hours of time setting them up to work together. The easiest way to stay up-to-date is by starring our repository or any of the tools mentioned above for tool-specific updates.  We would love to hear your feedback on how this works for you!

 

Comments

Post a Comment

Popular posts from this blog

Parsing the $MFT NTFS metadata file

By
Background Numerous articles have been written about parsing the $MFT NTFS metadata file before. Some of these explain the technique itself [ 1 ] and others mostly focus on how to use tools. Rarely do articles mention the pros and cons of the technique from a digital forensics perspective [ 2 ].  What is $MFT parsing?  For readers not familiar with the NTFS file system, MFT stands for Master File Table. This table is stored in a file system metadata file, meaning that as far as the file system is concerned it is a file, however that the file contains file system metadata not “regular” content. The name of this file is “$MFT”.  The MFT consists of a sequence of (predetermined) fixed-size entries (or MFT entries). These entries are typically 1024 bytes in size, however the size is defined in the NTFS volume header and in a “regular” MFT entry itself.  The first 4-bytes of a “regular” MFT-entry (or record) starts with the signature “FILE”. The MFT entry can also be filled wit
Read more

Incident Response in the Cloud

By
Many organizations have begun moving a majority of their services towards the cloud in recent years. As a result, attackers have shifted their focus towards the cloud. This has resulted in new techniques and methods specifically designed to compromise cloud infrastructure, like the recent SALTSTACK vulnerability that was widely exploited [ 1 ]. Therefore it is critical for these organizations to have an incident response team that understands the new risks attached to cloud and how cloud can make incident response easier or harder.  In this blog post we will walk you through each phase you may encounter in traditional incident response and highlight the differences when adopting cloud computing. It is aimed towards both those who are new to incident response and cloud computing. We’ve included insights that will benefit organizations taking that step towards cloud who want to ensure they are prepared to respond efficiently to cloud incidents.  Traditional Incident Response Before jump
Read more

Container Forensics with Docker Explorer

By Anonymous
  Introduction As previous blog posts on cloud forensics have noted, applications are increasingly being deployed using container orchestration frameworks such as Kubernetes, especially in cloud environments.  Similar to traditional deployments on physical servers or virtual machines (VMs), when a containerised application has a security issue it can lead to a compromise of the underlying compute architecture. In the case of container deployments this means a compromise of the container itself, the container host, or even a wider cluster compromise via abuse of orchestration tools. Often digital forensics is required to establish what went wrong and remediate any issues. This article will provide an introduction to container forensics with Docker Explorer by working through a scenario involving a compromised container running within a Kubernetes cluster. Although Kubernetes is briefly mentioned, this article will focus on analysis of an individual container rather than the wider clust
Read more