MIG is a platform to perform investigative surgery on remote endpoints. It enables investigators to obtain information from large numbers of systems in parallel, thus accelerating investigation of incidents and day-to-day operations security. |
MIG is composed of agents installed on all systems of an infrastructure that are be queried in real-time to investigate the file-systems, network state, memory or configuration of endpoints.
It's an army of Sherlock Holmes, ready to interrogate your infrastructure within seconds.
Capability | Linux | MacOS | Windows |
---|---|---|---|
file inspection | |||
network inspection | (partial) | ||
memory inspection | |||
vuln management | (planned) | (planned) | |
system auditing | (planned) | (planned) | (planned) |
Imagine that it's 7am on a saturday morning, and someone just released a critical vulnerability for your favorite PHP application. The vuln is already exploited and security groups are releasing indicators of compromise. Your weekend isn't starting great, and the thought of manually inspecting thousands of systems isn't making it any better.
MIG can help. The signature of the vulnerable PHP app (an md5 of a file, a regex
on file, or just a filename) can be searches for across all your systems using
the file
module. Similarly, indicators of compromise such as specific log
entries, backdoor files with {md5,sha{1,256,512,3-{256,512}}} hashes, IP
addresses from botnets or signature in processes memories can be investigated
using MIG. Suddenly, your weekend is looking a lot better. And with just a few
command lines, thousands of systems will be remotely investigated to verify that
you're not at risk.
Concepts
Easy to deploy, easy to operate
MIG agents are designed to be lightweight, secure, and easy to deploy so you can ask your favorite sysadmins to add it to a base deployment without fear of breaking the entire production network. All parameters are built into the agent at compile time, including the list and ACLs of authorized investigators. Security is enforced using PGP keys, and even if MIG's servers are compromised, as long as our keys are safe on your investigator's laptop, no one will break into the agents.
Fast and asynchronous
MIG is designed to be fast, and asynchronous. It uses AMQP to distribute actions to endpoints, and relies on Go channels to prevent components from blocking. Running actions and commands are stored in a Postgresql database and on disk cache, such that the reliability of the platform doesn't depend on long-running processes.
Speed is a strong requirement. Most actions will only take a few hundreds milliseconds to run on agents. Larger ones, for example when looking for a hash in a big directory, should run in less than a minute or two. All in all, an investigation usually completes in between 10 and 300 seconds.
Strong security primitives
Privacy and security are paramount. Agents never send raw data back to the platform, but only reply to questions instead. All actions are signed by GPG keys that are not stored in the platform, thus preventing a compromise from taking over the entire infrastructure.
MIG Action Format
Mozilla InvestiGator uses signed JSON actions that represent the investigation operation performed by a pool of agents. The JSON format is designed to be easy to read and easy to write without the help of a program. The long term goal is to allow investigators to share documents easily.
{ "name": "Shellshock IOCs (nginx and more)", "target": "queueloc like 'linux.%'", "threat": { "family": "malware", "level": "high" }, "operations": [ { "module": "file", "parameters": { "searches": { "iocs": { "paths": [ "/usr/bin", "/usr/sbin", "/bin", "/sbin", "/tmp", "/var/tmp" ], "sha256": [ "73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489", "ae3b4f296957ee0a208003569647f04e585775be1f3992921af996b320cf520b", "2d3e0be24ef668b85ed48e81ebb50dce50612fb8dce96879f80306701bc41614", "2ff32fcfee5088b14ce6c96ccb47315d7172135b999767296682c368e3d5ccac", "1f5f14853819800e740d43c4919cc0cbb889d182cc213b0954251ee714a70e4b", "2bc9a2f7374308d9bb97b8d116177d53eaca060b562f6f66f5dd1af71c9d7a66" ], "contents": [ "/bin/busybox;echo -e '\\\\147\\\\141\\\\171\\\\146\\\\147\\\\164'", "legend.rocks" ], "names": [ "legend.txt" ] } } } }, { "module": "netstat", "parameters": { "connectedip": [ "108.162.197.26", "162.253.66.76", "89.238.150.154", "198.46.135.194", "166.78.61.142", "23.235.43.31", "54.228.25.245", "23.235.43.21", "23.235.43.27", "198.58.106.99", "23.235.43.25", "23.235.43.23", "23.235.43.29", "108.174.50.137", "201.67.234.45", "128.199.216.68", "75.127.84.182", "82.118.242.223", "24.251.197.244", "166.78.61.142", "119.110.98.93", "2.0.1.5" ] } } ], "description": { "author": "Julien Vehent", "email": "ulfr@mozilla.com", "revision": 201410031030 }, "syntaxversion": 2 }
Clients
Command Line
The command line is the primary interface of MIG Investigators. It provides the basic set of commands to create investigations, sign them, publish them to the API, and parse the results.
Console
The console is the terminal interface that allows investigators to control MIG. It is terminal based, and runs on Linux and MacOS.