The times of pandemic have taught us one thing (something we knew but never really bothered about as much), and that is how critical it is to regularly monitor one's vitals. From a "30-second-hold-your-breath" to "smart pulse oximeters", everyone is doing whatever they can, based on the access to tools and resources one has.
Well, believe it or not, in the cyber world "pandemics" happen all the time. Most of us never get to know of them because we are kept protected by a gamut of products and services our respective organizations have invested in to keep our devices and networks safe. And yet breaches are not unusual.
With the transition to remote working, the COVID times have pushed us further from these security layers. Sure, once we get connected to the corporate network, there is a level of security that gets enforced, but the surface through which we connect, from our home/private wi-fi to the secure network, has increased. The amount of email we read when not connected to secure networks has gone up. The amount of web we browse when not connected to enterprise security has gone up. With the device often being shared by a family member for school work (as schools are running online), for checking travel restrictions in different parts of the country, or maybe for streaming Netflix, all of this has opened up a much larger attack surface for our devices: the same devices that are also used for our professional work and which get connected to the main network without any rule of mandatory quarantine, because there is no equivalent mechanism of regular monitoring to see if the 'temperature was high' or the 'oxygen levels were low'.
The rise in cyber attacks in the times of Covid, therefore, does not come as a surprise. At EclecticIQ, we have been publishing information about such attacks on a weekly basis.
Monitoring Tool PolyMon
Now we are announcing our monitoring tool, "PolyMon". PolyLogyx Monitoring Agent (PolyMon) is Windows software that leverages the osquery tool and the PolyLogyx Extension to osquery to provide a view into detailed information about process creations, network connections, file system changes, security-critical event logs and many other activities on the system. In simpler terms, it is a tool that will help you monitor the vitals of your system. So, for example, if there is an EclecticIQ advisory that says we are witnessing a rise in "RDP brute force attacks", which take place by scanning the internet for RDP port 3389, you could simply fire up the PolyMon tool, navigate to "Socket Events" [which captures all the interesting socket connections on your device] and search to see whether port 3389 is open on your system and whether a connection was made on it.
Not only EclecticIQ but most threat intelligence companies publish advisories that contain the TTPs and IoCs (e.g. file hashes, process names, registry entries, and so on) for the most recently discovered breaches; these can now be easily searched for on your computer to conclude whether the system witnessed any kind of breach, or even an attempt.
Attackers can often go after other devices at your home, e.g. your router, and serve all kinds of unwanted content by manipulating your DNS settings. With PolyMon, you can actually check whether the DNS resolutions on your device are happening correctly. Simply navigate to the "DNS Response Events" tab, which shows the URL and what IP address it resolved to. Then, by making use of any 3rd party service (e.g. whois), you can deduce whether the URLs are being resolved to the right IPs.
The software can also be optionally provisioned with a free VirusTotal (link to VirusTotal) API key, which will allow it to fetch the reputation of files created or modified on your system, essentially giving you a personal EDR tool.
The Windows operating system by itself generates a series of logs in its event log. And while it has a nice user interface (called Event Viewer), searching for the logs that matter can be a 'needle in the haystack' problem. PolyMon simplifies the job for you again. The SANS Institute has published a list of event logs that should be regularly monitored as security-critical events. With one click in PolyMon you can get all those logs fetched right away from the vast ocean of event logs.
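The three checks described above (an RDP connection on port 3389 in the socket events, a DNS answer that differs from what you verified out of band, and security-critical event IDs pulled out of the Windows event log) are the kind of thing an osquery user would script rather than eyeball. The example below is added here and is not PolyMon's or osquery's own code: it runs those checks over rows in the JSON array format that osquery's `--json` output uses. The column names (`local_port`, `remote_address`, `domain_name`, `resolved_address`, `eventid`) and the sample rows are assumptions constructed for the example, and the small event ID watchlist is a stand-in for the SANS list the post refers to.

```python
"""
Added example, not PolyMon's or osquery's own code. It runs the three checks the post
describes over osquery-style JSON rows: a connection on the RDP port 3389, DNS answers
that differ from addresses verified out of band, and security-critical event log IDs.
Column names (local_port, remote_address, domain_name, resolved_address, eventid, ...)
are assumptions modelled on osquery's --json output; PolyMon's tables may use others.
All rows below are constructed sample data, not real captures.
"""
import json
import ipaddress

RDP_PORT = 3389

# Constructed socket events: one outbound HTTPS connect, two inbound accepts on 3389
# (one from the Internet, one from the LAN).
SOCKET_EVENTS_JSON = """[
 {"action": "connect", "pid": "1234", "process_name": "chrome.exe",
  "local_address": "192.168.1.10", "local_port": "51234",
  "remote_address": "142.250.74.78", "remote_port": "443", "time": "1607000000"},
 {"action": "accept", "pid": "880", "process_name": "svchost.exe",
  "local_address": "192.168.1.10", "local_port": "3389",
  "remote_address": "203.0.113.45", "remote_port": "50412", "time": "1607000100"},
 {"action": "accept", "pid": "880", "process_name": "svchost.exe",
  "local_address": "192.168.1.10", "local_port": "3389",
  "remote_address": "192.168.1.20", "remote_port": "50999", "time": "1607000200"}
]"""

# Constructed DNS response events: login.example.com answered twice with different IPs.
DNS_RESPONSE_EVENTS_JSON = """[
 {"domain_name": "login.example.com", "resolved_address": "93.184.216.34", "time": "1607000300"},
 {"domain_name": "login.example.com", "resolved_address": "198.51.100.7", "time": "1607000400"},
 {"domain_name": "update.example.net", "resolved_address": "203.0.113.9", "time": "1607000500"}
]"""

# Constructed Windows Security log rows (osquery returns every value as a string).
EVENT_LOG_JSON = """[
 {"eventid": "4624", "source": "Microsoft-Windows-Security-Auditing", "time": "1607000600"},
 {"eventid": "4625", "source": "Microsoft-Windows-Security-Auditing", "time": "1607000601"},
 {"eventid": "4625", "source": "Microsoft-Windows-Security-Auditing", "time": "1607000602"},
 {"eventid": "1102", "source": "Microsoft-Windows-Eventlog", "time": "1607000700"},
 {"eventid": "7036", "source": "Service Control Manager", "time": "1607000800"}
]"""

# Hypothetical watchlist of well-known Security log IDs; substitute the SANS list
# the post refers to. 4625 = failed logon, 4720 = account created, 1102 = audit log cleared.
CRITICAL_EVENT_IDS = {"4625": "failed logon", "4720": "user account created",
                      "1102": "audit log cleared"}


def load_rows(json_text):
    """Parse osquery --json output: a JSON array of string-valued row objects."""
    return json.loads(json_text)


def rdp_connections(rows, trusted_networks=()):
    """Return socket events on port 3389, each tagged with whether the remote peer is
    inside one of the trusted networks (your own LAN). A peer outside them is what an
    RDP brute-force advisory tells you to look for."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    hits = []
    for row in rows:
        if RDP_PORT not in (int(row["local_port"]), int(row["remote_port"])):
            continue
        remote = ipaddress.ip_address(row["remote_address"])
        hits.append({**row, "trusted": any(remote in net for net in trusted)})
    return hits


def unexpected_dns_answers(rows, expected):
    """expected maps a domain to the set of addresses you confirmed out of band (whois,
    the operator's published ranges). Returns answers outside that set; domains with no
    entry are skipped, because unknown is not the same as wrong."""
    return [row for row in rows
            if row["domain_name"] in expected
            and row["resolved_address"] not in expected[row["domain_name"]]]


def critical_events(rows, watchlist=CRITICAL_EVENT_IDS):
    """Keep only watchlisted event IDs, annotated with their meaning, and count each ID
    so that a burst of failed logons stands out from a single one."""
    matched = [{**row, "meaning": watchlist[row["eventid"]]} for row in rows
               if row["eventid"] in watchlist]
    counts = {}
    for row in matched:
        counts[row["eventid"]] = counts.get(row["eventid"], 0) + 1
    return matched, counts


if __name__ == "__main__":
    for hit in rdp_connections(load_rows(SOCKET_EVENTS_JSON), ["192.168.1.0/24"]):
        print("RDP", hit["action"], "from", hit["remote_address"],
              "trusted" if hit["trusted"] else "UNTRUSTED")
    known = {"login.example.com": {"93.184.216.34"}}
    for row in unexpected_dns_answers(load_rows(DNS_RESPONSE_EVENTS_JSON), known):
        print("DNS", row["domain_name"], "resolved to unexpected", row["resolved_address"])
    matched, counts = critical_events(load_rows(EVENT_LOG_JSON))
    for event_id, n in counts.items():
        print("EVENT", event_id, CRITICAL_EVENT_IDS[event_id], "x", n)
```

The DNS check deliberately reports only domains you have an expected answer for: a resolver returning an address you have not looked up yet is a gap in your list, not evidence of tampering. Likewise the RDP check tags LAN peers rather than hiding them, since a brute-force attempt can also come from a compromised device on the same home network.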
The software also allows you to generate a profile of your endpoint that can be shared with a security expert in your organization, should you feel the need to. If you are an advanced osquery user, you will find that it gives a very nice way to investigate enormously different kinds of properties of your endpoint, as the underlying engine of the tool is built on osquery. Easy peasy.
Software Download
Here is the best part. All the monitoring data that the software collects stays locally, on your device. So yes, you own your data. It is not uploaded to any cloud service. It doesn't leave your system, and it will only collect what you ask it to.
Looks like Christmas did indeed come early. With that, we invite our DFIR friends, IR friends, MSSP friends, IT friends, and you (the computer user) to try out PolyMon, the latest offering from the stable of EclecticIQ. As always, we invite your feedback, suggestions for improvement, criticism and, if nothing else, a general "Hello". Feel free to reach out to us.
Download the software here.