Forensic Activities with BigFix
How BigFix Helps Investigate a Threat in Forensic Activities
BigFix is a fundamental tool for Forensic Activities.
With the BigFix Relevance language, you can implement many checks that detect a computer attack or a security exposure.
An example of an attack that might compromise a computer is the combination of the following actions:
- Create a registry key whose value contains an IP address, such as 192.168.100.*
- Start a process that listens on port 1234.
- Install a file in the Windows system folder that has a well-defined MD5 hash and a name that matches the regular expression ^hack.*
You can continuously monitor the status of your computers by creating an analysis whose properties collect evidence of each of these attack actions.
You can set up BigFix to deliver a periodic report about the status of that analysis on the computers in your environment to an email inbox, so that you do not have to check the BigFix console every day. You can remediate exposures by running an ad hoc Fixlet that cleans up any computer affected by the hack; for example, an action that deletes the registry key.
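The three indicators above, mapped to a single Relevance expression that is true when any of them is present. This is an added illustration, not content from the original page: the registry key path (the Run key is used only as a plausible persistence location), the use of the tcp4 sockets inspector and the placeholder MD5 (the hash of an empty file) are assumptions, to be replaced with the values of the actual IOC.

```relevance
/* Added example, not from the original page. True when any of the three
   indicators is present on the endpoint. The registry key, the state string
   and the MD5 value are placeholders / assumptions, not values from a real incident. */
(
  /* 1. A value under the assumed persistence key that contains an address in 192.168.100.* */
  exists values whose (it as string contains "192.168.100.")
    of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" of native registry
)
OR
(
  /* 2. A TCP socket listening on local port 1234.
        Check the state string that "state of tcp4 socket" returns on your
        client version and platform; "LISTEN" is assumed here. */
  exists tcp4 sockets whose (state of it = "LISTEN" AND local port of it = 1234) of network
)
OR
(
  /* 3. A file in the Windows system folder whose name matches ^hack.* and whose
        MD5 equals the indicator. The cheap name test comes first, so the hash
        is only computed for files whose name already matches.
        d41d8cd98f00b204e9800998ecf8427e is the MD5 of an empty file, used as a placeholder. */
  exists files whose (
    exists matches (regex "^hack.*") of name of it
    AND md5 of it as lowercase = "d41d8cd98f00b204e9800998ecf8427e"
  ) of system folder
)
```

The combined expression is what you would paste as the relevance of a detection Fixlet, so the Fixlet becomes relevant on exactly the affected computers. For the analysis described above, make each parenthesized clause its own property instead: the report then shows which indicator fired on which computer, and a property such as `names of files whose (exists matches (regex "^hack.*") of name of it) of system folder` records the actual file name for the investigation.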
Relevance to execute Forensics IOC checks
Forensic work relies on checks that detect exposures through Indicators of Compromise (IOCs). You can use the Relevance language to map each IOC check to an expression that BigFix evaluates on the endpoints.
Discover how to convert an OpenIOC document into a Fixlet, and the mapping between OpenIOC terms and the Relevance language.
Use Yara from BigFix
Yara is an open source malware identification tool that uses rules based on text or binary patterns to match malware signatures in files. You can produce BigFix tasks that install Yara on the target endpoints and run Yara rules on them.
Use the keywords forensic, openIOC and malware to find, or to upload, content related to Forensic Activities on bigfix.me.
Useful links:
Is Your Endpoint Strategy Keeping You Secure?
BigFix Security Strategy
Investigating threats with BigFix