Welcoming Yeti to the OSDFIR Infrastructure family

Authored by Thomas Chopitea and Wajih Yassine

Overview

We are excited to announce that Yeti is now available for use through the OSDFIR Infrastructure project.


What is Yeti?

Yeti aims to bridge the gap between Cyber Threat Intelligence (CTI) and Digital Forensics & Incident Response (DFIR) practitioners by providing a Forensics Intelligence platform and pipeline for DFIR teams. It was born out of the friction of having to repeatedly answer questions such as “where have I seen this artifact before?”, “how do I search for indicators of compromise (IOCs) related to this (or other) threats in my timeline?”, “what findings have I found useful in similar investigative scenarios?”.

The main goal of Yeti is not only to collect IOCs and Techniques, Tactics, and Procedures (TTPs) like a classic threat intelligence platform, but to also store and deliver DFIR intelligence such as useful queries, artifact locations, and methodologies. 

How does Yeti integrate with the rest of the OSDFIR stack?

Yeti integrates directly with Timesketch, a platform for collaborative forensic timeline analysis. The integration works in two key ways:

  • Automated searches of Yeti intelligence across Timesketch timelines

  • Importing newly discovered intelligence from Timesketch

For example, let’s say that, as part of a previous incident, you detected SSH brute force activity that resulted in a successful login. To track evidence of successful SSH logins in future investigations, you add a new indicator to Yeti with the regular expression Accepted (publickey|password), which matches the successful-login messages usually found in the auth.log file of a Unix system.

During a new investigation, the Timesketch Yeti analyzer will:

  • query all documented Yeti intelligence and queries,

  • search for them across the available Timesketch timelines and

  • add the relevant tags specified in Yeti to matching events in Timesketch.

Screenshot: after running the Yeti Timesketch analyzer, a few hits for SSH login activity were tagged.

Screenshot: the main search bar also has new additions.
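To make the three analyzer steps concrete, here is an added Python sketch (not Yeti's or Timesketch's own code) that applies a Yeti-style regex indicator to a handful of constructed auth.log events, tags the hits, and then filters by tag the way the search bar does. The indicator class, the event records and the log lines are constructed for this example after the SSH scenario above.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for a regex indicator as stored in Yeti (name, pattern,
# tags to apply). The real Yeti and Timesketch data models are not used here.
@dataclass
class RegexIndicator:
    name: str
    pattern: str
    tags: list[str]
    _compiled: re.Pattern = field(init=False, repr=False)

    def __post_init__(self):
        self._compiled = re.compile(self.pattern)

# Constructed auth.log-style timeline events; only "message" and "tags" matter.
EVENTS = [
    {"id": 1, "message": "Jan 10 08:01:02 host sshd[1201]: Failed password for root from 203.0.113.5 port 51022 ssh2", "tags": []},
    {"id": 2, "message": "Jan 10 08:01:05 host sshd[1201]: Failed password for root from 203.0.113.5 port 51022 ssh2", "tags": []},
    {"id": 3, "message": "Jan 10 08:01:09 host sshd[1201]: Accepted password for root from 203.0.113.5 port 51022 ssh2", "tags": []},
    {"id": 4, "message": "Jan 10 09:14:33 host sshd[1340]: Accepted publickey for deploy from 198.51.100.7 port 40212 ssh2", "tags": []},
    {"id": 5, "message": "Jan 10 09:15:00 host CRON[1400]: pam_unix(cron:session): session opened for user root", "tags": []},
]

# The indicator from the blog post's scenario, with the tag the screenshot shows.
INDICATORS = [
    RegexIndicator("Successful SSH login", r"Accepted (publickey|password)", ["successful-ssh-login"]),
]


def tag_events(events, indicators):
    """Run every indicator's regex over every event and attach its tags on a hit.

    Returns {indicator name: [matching event ids]}, the data behind an
    'Indicator matches for ...' summary. Tags are added only once per event,
    so re-running the analyzer does not duplicate them.
    """
    matches = {ind.name: [] for ind in indicators}
    for event in events:
        for ind in indicators:
            if ind._compiled.search(event["message"]):
                matches[ind.name].append(event["id"])
                for tag in ind.tags:
                    if tag not in event["tags"]:
                        event["tags"].append(tag)
    return matches


def filter_by_tag(events, tag):
    """Equivalent of searching tag:"successful-ssh-login" in the search bar."""
    return [e["id"] for e in events if tag in e["tags"]]
```

Only the two "Accepted ..." lines are tagged; the failed attempts and the cron session stay untagged, which is why a narrow regex like this one keeps the tag useful as a pivot.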
You can click on “Indicator matches for Successful SSH login” or on the “successful-ssh-login” tag to narrow the view to the events highlighted by Yeti. Alternatively, search for tag:"successful-ssh-login" in the search bar to get the same hits.

When you identify new IOCs during an investigation, you can quickly navigate to the Timesketch Threat Intelligence view, as shown in the screenshot below.

In the Threat Intelligence view you can add or edit items, and remove any you deem unnecessary or irrelevant to the case. You can also click on the magnifying glass on the left to see all other events that match those IOCs. An example is shown in the next screenshot.

You then navigate back to Yeti to enable this as a feed (Yeti -> Feeds -> Enable the Timesketch feed).

Once the feed has run (you can manually refresh it using the refresh button), navigate back to the Entities menu, and you’ll see a new “Incident” entity, containing the relevant IOCs imported from Timesketch, which can then be used for any future investigation.

For a more detailed guide walking through using Yeti and Timesketch together, please refer to the Yeti Timesketch Investigation Guide.


The Benefits of deploying through OSDFIR Infrastructure

OSDFIR Infrastructure fills this gap by streamlining the deployment, integration, maintenance, and scaling of multiple open-source DFIR tools. It provides the following key benefits:

  • Faster Deployment Times: Deployment takes a few minutes, allowing responders to focus on more critical tasks.

  • Consistent Configuration: Integration between tools comes automatically, reducing the risk of misconfiguration or human error.

  • Certified Deployments: No more digging through the documentation of multiple tools; shared resources reduce complexity, and there is one centralized place to learn about many DFIR tools.

  • Easy to Scale: Can be installed on minimal resources, and any component can be scaled independently with a single command. Kubernetes autoscaling is a powerful feature.

  • Improved Reliability: Built-in chart linting and testing, plus integration tests that catch issues between the tools. Port-forwarding to locally running applications is easy and reliable.

The benefits are also summarized in the diagram below, which contrasts the many steps of the current process with a single simplified deployment through OSDFIR Infrastructure.

Getting Started

To get started, please visit our getting started guide for setting up your own infrastructure locally on your machine using Minikube.

In summary

Connecting Timesketch with Yeti allows analysts to streamline and automate the sharing of DFIR intelligence across cases. However, setting up the infrastructure, configuring the services, and maintaining and testing the deployment can be time-consuming and error-prone.

Kubernetes and Helm charts provide a turnkey solution that reduces the time and effort required to set up and maintain an effective incident response infrastructure.

We hope this project serves as an accessible way for anyone to get started with open-source DFIR tools without spending hours setting them up to work together. The easiest way to stay up to date is by starring our repository, or any of the tools mentioned above for tool-specific updates. We would love to hear your feedback on how this works for you!

 
