Exciting news! Rapid7 has acquired Velociraptor, an open-source digital forensics and incident response (DFIR) framework. Velociraptor lets investigators hunt across thousands of hosts at once, returning actionable data in minutes and giving unprecedented visibility into the state of endpoints.
A cyberattack can halt operations for hours, days, or weeks, and cause collateral damage and information leaks that last even longer. Too often, organizations don't realize they've been breached until the IT environment is infected or data has been compromised or lost. If this has you wondering how many of your endpoints are compromised, then read on.
Velociraptor was introduced just a few years ago, developed by Mike Cohen—an information security specialist in digital, network, and memory forensics—along with his fellow community contributors. At Google, Mike worked on tools in support of the incident response team, including advanced incident response and remote forensics tool Google Rapid Response (GRR), and memory analysis and forensic framework Rekall. Now, Mike joins the Detection and Response team at Rapid7, where he will get the support to further build and expand the Velociraptor community.
Rapid7 is a big believer in open-source software and communities since it enables faster time-to-market, expands access to innovation, and increases productivity. Rapid7 has a track record of investing in, contributing to, and building on open source. We first began investing in the open-source community 12 years ago when Rapid7 acquired Metasploit. Since then, Metasploit has continued to thrive and is one of the most consistently active open-source offensive security projects and communities in the world. We also created AttackerKB, a community-driven platform where security professionals can exchange information about vulnerabilities to better understand the impact and likelihood of being exploited, and Recog, which helps security practitioners manage the risk internet-connected devices can introduce by giving them visibility into what technology is present in their ecosystems.
As we take on the stewardship of the Velociraptor project, we want the community to know that we’re committed to helping it grow and thrive through expanded events, projects, engagement, contributions, and more. We also plan to embed the Velociraptor Project into the Rapid7 Insight platform, allowing our customers to benefit from this amazing technology and community.
The Velociraptor standalone offering allows incident response teams to rapidly collect and examine artifacts from across a network, and deliver forensic detail following a security incident. In the event of an incident, an investigator controls the Velociraptor agents to hunt for malicious activity, run targeted collections, perform file analysis, or pull large data samples. The Velociraptor Query Language (VQL) allows investigators to develop custom hunts to meet specific investigation needs.
Users benefit with:
- Access to a free open-source solution. Lower cost of ownership has been a primary reason for organizations to consider open-source software.
- Forensic analysis at the endpoint. VQL runs automated, surgical analysis on the endpoint itself, hunting threats at scale in minutes with minimal impact on endpoint performance.
- Knowledge sharing. Queries shared within the community enable lower-skilled users to take advantage of queries written by more experienced DFIR experts.
- Surgical collection at speed and scale. Efficiently triage and rapidly analyze forensic evidence to determine root cause quickly.
- Accelerated mean time to detect (MTTD) and mean time to respond (MTTR). Large-scale proactive hunting within minutes lets users move quickly to containment and remediation, limiting potential damage.
- Support for Linux, Windows, and macOS.
- Powerful query language (VQL). Investigators define artifacts to collect and hunt endpoints without modifying any source code or deploying additional software, adapting queries quickly as threats shift and new information emerges during the investigation.
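To make the "artifact" idea concrete, here is an added example of a custom Velociraptor artifact: a YAML file wrapping a VQL query that an investigator could load into the server and run as a hunt across every Windows endpoint. It is written for this post and is not code from the original article or from the Velociraptor project; the artifact name, the parameter names, the glob pattern and the column names (`FullPath`, `Size`, `Mtime`, `IsDir`, as returned by `glob()` in releases current at the time of writing; newer releases also expose `OSPath`) are assumptions. It lists recently modified executables and DLLs dropped into user temp directories, a common staging location for droppers, and hashes each one so the results can be matched against threat intelligence.

```yaml
# Added example artifact (not from the original post or the Velociraptor project).
# Hunts for .exe/.dll files recently written to user temp directories and
# returns their SHA256 so results can be compared against known-bad hashes.
name: Custom.Windows.Detection.TempExecutables
description: |
  Lists executables and DLLs under each user's AppData\Local\Temp tree that
  were modified within the last DaysBack days, with SHA256 hashes.
type: CLIENT

parameters:
  # Scope the glob narrowly: hashing is I/O-bound, and a hunt that walks the
  # whole disk on thousands of hosts is what turns "surgical" into "noisy".
  - name: SearchGlob
    default: C:\Users\*\AppData\Local\Temp\**\*.{exe,dll}
  - name: DaysBack
    type: int
    default: 7

sources:
  # Only run on Windows clients; other OSes return no rows.
  - precondition: SELECT OS FROM info() WHERE OS = 'windows'
    query: |
      -- Cutoff computed once per run; now() is unix seconds, so
      -- convert the parameter from days and build a timestamp.
      LET cutoff = timestamp(epoch=now() - DaysBack * 86400)

      SELECT FullPath,
             Size,
             Mtime,
             hash(path=FullPath).SHA256 AS SHA256
      FROM glob(globs=SearchGlob)
      WHERE NOT IsDir
        AND Mtime > cutoff
```

Because the artifact is parameterised, the same definition serves a quick triage (run with defaults) and a deeper sweep (widen `SearchGlob`, raise `DaysBack`) without editing the query. Hashes are computed on the endpoint, so only the small result table, not the binaries themselves, crosses the network; if a hash matches intelligence, a follow-up collection can pull the specific file.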
There are no plans for Rapid7 to make Velociraptor a commercial offering; however, we do plan to leverage the technology in our detection and response portfolio. As a first step to integrating Velociraptor into the Rapid7 Insight platform, we’ve already embedded Velociraptor’s endpoint data collection capabilities into our Insight agent, saving critical time as our MDR team pivots from monitoring their environment to responding to an incident. Our MDR analysts can actively search for suspicious activities using a library of Velociraptor VQL queries that can be customized to specific threat hunting needs. If a serious event occurs on an endpoint, MDR analysts can trigger an automated response to collect evidence, silently terminate the malicious activity, or lock down endpoints and accounts completely.
We can’t wait to get engaged with the Velociraptor community. Rapid7’s participation will let us discover needs and experiment with solutions at scale; gather input to update and improve code; crowdsource new requirements, use cases, and feature ideas for non-commercial and commercial offerings.
We also believe we can foster community and grow participation in the Velociraptor ecosystem. So, let’s start now. Download Velociraptor on GitHub and let us know what you think!