In the far future of Flock, I'd like to add support for providing the server with a list of Indicators of Compromise (IOCs), and have the agents proactively alert on them. There are different types of IOCs, including:
File hashes
IP addresses
Hostnames
Email addresses?
The most straightforward type of IOC to tackle at first is file hashes. An administrator can give the server a list of file hashes. The agents can download this list of file hashes, and search their filesystems for them. If a file with an IOC hash is discovered, it can report it to the server, which can send notifications.
In this way, we can essentially search endpoints for malicious files, but only if we already have the hash, and we get no information related to any non-IOC files on their computers.
The process of building a local hash database of files, within Flock Agent, might be resource-intensive though, and should be designed with great care. (I wouldn't want, for example, the user to delete a file, but evidence of that file existing in some Flock Agent database.)
IP addresses are more complicated without monitoring traffic going over network devices (which is possible, but not as an unprivileged user). One option, for IP addresses, is to use osquery to select from the process_open_sockets table maybe once per minute, and see if there's an open socket to any IPs in the IOC list.
Hostnames are even more complicated, because we'd need to have visibility into what DNS queries are made (unless we monitor the network device). I think file hashes may be the most straightforward.
In the far future of Flock, I'd like to add support for providing the server with a list of Indicators of Compromise (IOCs), and have the agents proactively alert on them. There are different types of IOCs, including:
The most straightforward type of IOC to tackle at first is file hashes. An administrator can give the server a list of file hashes. The agents can download this list of file hashes, and search their filesystems for them. If a file with an IOC hash is discovered, it can report it to the server, which can send notifications.
In this way, we can essentially search endpoints for malicious files, but only if we already have the hash, and we get no information related to any non-IOC files on their computers.
The process of building a local hash database of files, within Flock Agent, might be resource-intensive though, and should be designed with great care. (I wouldn't want, for example, the user to delete a file, but evidence of that file existing in some Flock Agent database.)
IP addresses are more complicated without monitoring traffic going over network devices (which is possible, but not as an unprivileged user). One option, for IP addresses, is to use osquery to select from the
process_open_socketstable maybe once per minute, and see if there's an open socket to any IPs in the IOC list.Hostnames are even more complicated, because we'd need to have visibility into what DNS queries are made (unless we monitor the network device). I think file hashes may be the most straightforward.