The new version of Cytomic Orion, due to launch in the next few days, extends its core functionality with OSQuery so that organizations can ask questions about the entities, attributes, and states of every endpoint in the fleet. It also broadens its coverage of the MITRE ATT&CK framework by delivering new behavior-based threat intelligence for Linux endpoints and servers.

These capabilities build on those already in Cytomic Platform, which lets teams take real-time remediation actions from the cloud and simplifies operational detection and investigation, all from a single agent.

OSQuery accelerates the Threat Hunting and investigation processes_

Most security platforms share a gap: they cannot answer real-time questions across the entire endpoint fleet. Integrating OSQuery, the open-source tool used by hundreds of the largest enterprises, into Cytomic Orion fills that gap.

The OSQuery capability lets threat hunters and incident response (IR) teams remotely acquire investigation and forensic data that would otherwise require manual collection on each host. Security operations teams can answer a question across the entire fleet in a single query, locate threat actors faster, and determine the root cause of an incident sooner.

The integration of OSQuery into Cytomic Orion provides access to more than 85 tables on Windows, giving analysts the data to discover and analyze attacks and respond to incidents at a new level of depth.

A single OSQuery can be launched against a subset of endpoints, against every endpoint in the organization, or even across multiple customers' endpoints, allowing MSSPs to rapidly discover threat actors across their customer base.

New Use Cases Enabled by OSQuery in Cytomic Orion_

During an attack, security analysts need immediate answers to critical questions across their entire fleet of endpoints. The OSQuery integration into Cytomic Orion enables an open-ended set of new use cases. For example, it allows you to:

  • Inspect endpoints in real time: In addition to telemetry, which provides real-time activity visibility, analysts may need to inspect specific attributes, states, or conditions on endpoints. For example:
    • If during an investigation the security team determines that credentials have been stolen, they can query all endpoints to see whether and where those credentials have been used in login attempts, and whether and where they are currently in use.
    • In incident response, when an analyst suspects that a malicious process is running on one or more endpoints, they can query the fleet by process name or even by file name.
  • Verify security policy compliance: Security analysts can use Cytomic Orion to automate queries across all endpoints and determine whether every machine is at the required level of compliance. To meet real-time or ongoing reporting needs, teams can also use OSQuery to support operational reporting on patch levels, user privileges, disk-encryption status, and much more. A query against the installed patches, for instance, finds the devices that lack the hotfix for a specific vulnerability (CVE).
  • Discover abnormal situations, such as the following:
    • Malware commonly listens on a specific port to give the adversary direct access from their command and control (C&C). Analysts can query for processes listening on a given port and compare the results against what is considered normal on that host; an unexpected listener is the cue to open an investigation into the nature of that process.
    • Attackers often leave a malicious process running but delete the original file on disk. A query that returns any process whose original file has been removed or modified surfaces these suspicious processes immediately.
    • Programs installed in non-standard Windows locations (outside C:\Program Files) may indicate an abnormal situation that requires analysis; a query against the installed-programs table returns this information immediately.
  • Remediate attacks in real time: Once an attack is identified, Cytomic Orion lets administrators open a session within seconds to terminate processes, delete files, or execute a background process to remediate the threat in real time, no matter where the compromised endpoints are located, greatly reducing the downtime that results from an attack.
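As an added illustration of the use cases above (compliance checks, listeners on a port, processes whose binary was deleted, programs outside Program Files, hunting by process name, and tracing a stolen account), the following osquery statements are example queries written for this page. They are not the queries from the original Cytomic post and not Cytomic's product code; they assume the standard osquery schema (the patches, programs, processes, listening_ports, hash, logged_in_users and windows_eventlog tables), and the hotfix ID, port number, process name and account name are placeholders to be replaced with the indicator under investigation.

```sql
-- Example osquery queries added for this page (not from Cytomic Orion).
-- Assumes the standard osquery schema; KB number, port, process name and
-- account name are placeholders.

-- 1. Compliance: hosts missing a specific hotfix. The query returns one row
--    on a host that lacks the patch and no rows on a patched host, so a
--    fleet-wide run yields exactly the list of non-compliant devices.
SELECT 'KB4565503' AS missing_hotfix          -- placeholder hotfix ID
WHERE NOT EXISTS (
  SELECT 1 FROM patches WHERE hotfix_id = 'KB4565503'
);

-- 2. Processes listening on a port of interest, joined to the owning
--    process. Loopback bindings are excluded; protocol 6 is TCP, 17 is UDP.
--    Drop the lp.port predicate to capture a full baseline of listeners on a
--    known-good host, then diff later results against it.
SELECT p.pid, p.name, p.path, p.cmdline,
       lp.address, lp.port, lp.protocol
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
WHERE lp.port = 4444                          -- placeholder port
  AND lp.address NOT IN ('127.0.0.1', '::1');

-- 3. Running processes whose executable no longer exists on disk.
--    on_disk: 1 = present, 0 = deleted, -1 = osquery could not determine it.
SELECT pid, parent, name, path, cmdline, start_time, on_disk
FROM processes
WHERE on_disk = 0;

-- 4. Windows programs installed outside the two standard Program Files
--    trees. SQLite LIKE is ASCII case-insensitive and treats the backslash
--    literally, so no escaping is needed.
SELECT name, version, publisher, install_location, install_date
FROM programs
WHERE install_location != ''
  AND install_location NOT LIKE 'C:\Program Files\%'
  AND install_location NOT LIKE 'C:\Program Files (x86)\%';

-- 5. Hunt by process name or file name, with the SHA-256 of the on-disk
--    binary so results can be matched against known indicators. LEFT JOIN
--    keeps processes whose binary has been deleted (hash returns no row).
SELECT p.pid, p.name, p.path, p.cmdline, h.sha256
FROM processes AS p
LEFT JOIN hash AS h ON h.path = p.path
WHERE p.name = 'suspect.exe'                  -- placeholder process name
   OR p.path LIKE '%\suspect%';

-- 6. Stolen credentials: where is the account logged in right now?
SELECT user, type, host, tty, time
FROM logged_in_users
WHERE user = 'jdoe';                          -- placeholder account

-- 6b. Where has the account been used in logon attempts? Windows only:
--     Security channel events 4624 (success) and 4625 (failure). The
--     channel predicate is required by the windows_eventlog table.
SELECT datetime, eventid, computer_name, data
FROM windows_eventlog
WHERE channel = 'Security'
  AND eventid IN (4624, 4625)
  AND data LIKE '%jdoe%';                     -- placeholder account
```

Each statement is written so that a host returns rows only when the condition of interest holds; run fleet-wide, the set of hosts returning rows is the result set, which is what makes these queries usable as one-shot hunts rather than per-host reports.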