MIG - Distributed and Real Time Digital Forensics at the Speed of the Cloud


MIG is Mozilla's platform for investigative surgery of remote endpoints.

Quick Start w/ Docker
You can spin up a local-only MIG setup using docker. The container is not suitable for production use but lets you experiment with MIG quickly, providing a single container environment that has most of the MIG components available.
To pull from Docker Hub:
$ docker pull mozilla/mig
$ docker run -it mozilla/mig
Or, if you have the source checked out in your GOPATH you can build your own image:
$ cd $GOPATH/src/github.com/mozilla/mig
$ docker build -t mozilla/mig:latest .
$ docker run -it mozilla/mig
Once inside the container, you can use the MIG tools to query a local agent, as such:
mig@5345268590c8: $ /go/bin/mig file -t all -path /usr/bin -sha2 5c1956eba492b2c3fffd8d3e43324b5c477c22727385be226119f7ffc24aad3f
1 agents will be targeted. ctrl+c to cancel. launching in 5 4 3 2 1 GO
Following action ID 7978299359234.
 1 / 1 [=========================================================] 100.00% 0/s4s
100.0% done in 3.029105958s
1 sent, 1 done, 1 succeeded
ed11f485244a /usr/bin/wget [lastmodified:2016-07-05 15:32:42 +0000 UTC, mode:-rwxr-xr-x, size:419080] in search 's1'
1 agent has found results
To explore the capabilities of MIG, take a look at the CheatSheet.
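As an added example, not MIG's own file module or any code from the project: a small Go program that performs the same kind of search the command above runs. It walks a directory tree, hashes every regular file with SHA-256 and returns only the metadata of files whose digest matches the requested one, which is the "answer the question, never ship the data" behaviour the rest of this page describes. The names SearchSHA256, FileMatch and Format are my own, and the output line imitates the mig CLI result quoted above.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// FileMatch is all that is reported for a hit: metadata, never file content.
type FileMatch struct {
	Path         string
	LastModified time.Time
	Mode         fs.FileMode
	Size         int64
}

// sha256Hex streams one file through SHA-256 so large binaries are not read into memory at once.
func sha256Hex(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// SearchSHA256 walks root and returns the regular files whose SHA-256 digest equals
// want (hex, case-insensitive). Unreadable entries are skipped rather than aborting,
// so one bad file does not cost the investigator coverage of the rest of the tree.
func SearchSHA256(root, want string) ([]FileMatch, error) {
	want = strings.ToLower(want)
	var matches []FileMatch
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			if d == nil {
				return walkErr // root itself is missing or unreadable
			}
			return nil
		}
		if !d.Type().IsRegular() {
			return nil
		}
		sum, err := sha256Hex(path)
		if err != nil || sum != want {
			return nil
		}
		info, err := d.Info()
		if err != nil {
			return nil
		}
		matches = append(matches, FileMatch{Path: path, LastModified: info.ModTime(), Mode: info.Mode(), Size: info.Size()})
		return nil
	})
	return matches, err
}

// Format renders a hit in the style of the mig CLI line quoted above.
func (m FileMatch) Format() string {
	return fmt.Sprintf("%s [lastmodified:%s, mode:%s, size:%d]", m.Path,
		m.LastModified.UTC().Format("2006-01-02 15:04:05 -0700 MST"), m.Mode, m.Size)
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: hashsearch <root> <sha256-hex>")
		os.Exit(2)
	}
	matches, err := SearchSHA256(os.Args[1], os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, "search failed:", err)
		os.Exit(1)
	}
	for _, m := range matches {
		fmt.Println(m.Format())
	}
	fmt.Printf("%d file(s) matched\n", len(matches))
}
```

Run it as `go run hashsearch.go /usr/bin <sha256-hex>` and it prints one line per matching file followed by a count. The matching is done entirely on the endpoint: only paths and file metadata leave the host, symlinks are not followed (WalkDir reports them as non-regular entries), and a permission error on a single entry is skipped instead of aborting the whole walk, while an unreadable or missing root is still reported as an error.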

What is this?
MIG is composed of agents installed on all systems of an infrastructure that can be queried in real-time to investigate the file-systems, network state, memory or configuration of endpoints.
Capability           Linux      MacOS      Windows
file inspection      yes        yes        yes
network inspection   yes        yes        (partial)
memory inspection    yes        yes        yes
vuln management      yes        (planned)  (planned)
log analysis         (planned)  (planned)  (planned)
system auditing      yes        (planned)  (planned)
Imagine it is 7am on a Saturday morning, and someone just released a critical vulnerability for your favorite PHP application. The vuln is already exploited and security groups are releasing indicators of compromise (IOCs). Your weekend isn't starting great, and the thought of manually inspecting thousands of systems isn't making it any better.
MIG can help. The signature of the vulnerable PHP app (the md5 of a file, a regex, or just a filename) can be searched for across all your systems using the file module. Similarly, IOCs such as specific log entries, backdoor files with md5 and sha1/2/3 hashes, IP addresses from botnets or byte strings in process memory can be investigated using MIG. Suddenly, your weekend is looking a lot better. And with just a few commands, thousands of systems will be remotely investigated to verify that you're not at risk.


MIG agents are designed to be lightweight, secure, and easy to deploy, so you can ask your favorite sysadmins to add it to a base deployment without fear of breaking the entire production network. All parameters are built into the agent at compile time, including the list and ACLs of authorized investigators. Security is enforced using PGP keys, and even if MIG's servers are compromised, as long as our keys are safe on your investigator's laptop, no one will break into the agents.
MIG is designed to be fast and asynchronous. It uses AMQP to distribute actions to endpoints, and relies on Go channels to prevent components from blocking. Running actions and commands are stored in a PostgreSQL database and in an on-disk cache, such that the reliability of the platform doesn't depend on long-running processes.
Speed is a strong requirement. Most actions will only take a few hundred milliseconds to run on agents. Larger ones, for example when looking for a hash in a large directory, should run in less than a minute or two. All in all, an investigation usually completes in between 10 and 300 seconds.
Privacy and security are paramount. Agents never send raw data back to the platform, but only reply to questions instead. All actions are signed by GPG keys that are not stored in the platform, thus preventing a compromise from taking over the entire infrastructure.
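The two guarantees described above, a compile-time list of authorized investigators with per-key ACLs, and actions that are executed only if signed by a key the platform never holds, can be sketched as follows. This is an added illustration, not MIG's code and not its actual action format: MIG signs with OpenPGP, which is outside the Go standard library, so the example substitutes crypto/ed25519 for the signature scheme. The ActionPayload and Action layouts, the field names, the key ids ("alice", "bob"), the validity-window fields and the error values are my own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// ActionPayload is the signed, executable part of an action (hypothetical layout,
// not MIG's wire format); json.Marshal keeps field order, so the bytes are stable.
type ActionPayload struct {
	Name        string    `json:"name"`
	Module      string    `json:"module"`
	Parameters  string    `json:"parameters"`
	ValidFrom   time.Time `json:"validfrom"`
	ExpireAfter time.Time `json:"expireafter"`
}

// Action is the envelope relayed by the platform, which holds no signing key.
type Action struct {
	Payload   ActionPayload `json:"payload"`
	Signer    string        `json:"signer"`    // investigator key id
	Signature string        `json:"signature"` // base64 signature over Marshal(Payload)
}

type Investigator struct {
	PubKey  ed25519.PublicKey
	Modules map[string]bool // modules this key may run
}

// ACL is the agent's compile-time allowlist, key id to investigator; private keys stay on laptops.
type ACL map[string]Investigator

var (
	ErrUnknownSigner = errors.New("signer is not in the compiled-in ACL")
	ErrBadSignature  = errors.New("signature does not verify")
	ErrNotAuthorized = errors.New("signer may not run this module")
	ErrNotValidNow   = errors.New("action is outside its validity window")
)

func NewInvestigator(modules map[string]bool) (Investigator, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Investigator{}, nil, err
	}
	return Investigator{PubKey: pub, Modules: modules}, priv, nil
}

// Sign is the investigator side: serialise the payload and sign those bytes.
func Sign(p ActionPayload, keyID string, priv ed25519.PrivateKey) (Action, error) {
	msg, err := json.Marshal(p)
	if err != nil {
		return Action{}, err
	}
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, msg))
	return Action{Payload: p, Signer: keyID, Signature: sig}, nil
}

// Verify is the agent side and runs before any module executes: known signer,
// signature over the payload as received, module allowed for that key, and a
// validity window so a captured action cannot be replayed later.
func (acl ACL) Verify(a Action, now time.Time) error {
	inv, ok := acl[a.Signer]
	if !ok {
		return ErrUnknownSigner
	}
	msg, err := json.Marshal(a.Payload)
	if err != nil {
		return err
	}
	sig, err := base64.StdEncoding.DecodeString(a.Signature)
	if err != nil || !ed25519.Verify(inv.PubKey, msg, sig) {
		return ErrBadSignature
	}
	if !inv.Modules[a.Payload.Module] {
		return ErrNotAuthorized
	}
	if now.Before(a.Payload.ValidFrom) || now.After(a.Payload.ExpireAfter) {
		return ErrNotValidNow
	}
	return nil
}

func main() {
	inv, priv, _ := NewInvestigator(map[string]bool{"file": true})
	acl := ACL{"alice": inv}
	now := time.Now()
	p := ActionPayload{Name: "hunt", Module: "file", Parameters: `{"path":"/usr/bin"}`,
		ValidFrom: now.Add(-time.Minute), ExpireAfter: now.Add(time.Hour)}
	a, _ := Sign(p, "alice", priv)
	fmt.Println("genuine:", acl.Verify(a, now))
	a.Payload.Parameters = `{"path":"/"}` // modified in transit
	fmt.Println("tampered:", acl.Verify(a, now))
}
```

The signature covers exactly the payload bytes the agent re-serialises before executing, so a relay or database that alters any parameter turns a valid action into a rejected one. The signer lookup happens first because the agent needs the public key to verify, but authorization (which modules that key may run) is checked only after the signature holds, so an unknown or impostor key never reaches the ACL decision, and the validity window bounds how long a captured, correctly signed action stays usable.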

Technology
MIG is built in Go and uses a REST API that receives signed JSON messages distributed to agents via RabbitMQ and stored in a Postgres database.
It is:
  • Massively Distributed means Fast.
  • Simple to deploy and Cross-Platform.
  • Secured using OpenPGP.
  • Respectful of privacy by never retrieving raw data from endpoints.
Check out this 10 minute video for a more general presentation and a demo of the console interface.


MIG was recently presented at the SANS DFIR Summit in Austin, Tx. You can watch the recording below:


Discussion
Join #mig on irc.mozilla.org (use a web client such as mibbit).

Documentation
All documentation is available in the 'doc' directory and on http://mig.mozilla.org .