Defcon 2024 - Cracking the Code: Fleet and Osquery

The Packet Hacking Village at DEFCON brought to life all the classic cybersecurity stereotypes we've seen in movies and TV shows. Imagine the scene: relentless techno beats spun by DJs, an overwhelming array of computers and servers, and streams of network traffic displayed as green text cascading down a giant screen for all to see. Everyone was intensely focused, heads down, hacking away or analyzing network traffic on their PCs. It felt like stepping into a Hollywood hacker’s mancave. The village also featured the infamous Wall of Sheep, an interactive display designed for education and awareness, highlighting the dangers of unsecured network traffic. Volunteers monitored the network at DEFCON, searching for anyone logging into websites or emails without encryption. Any personal information discovered was publicly displayed on the Wall of Sheep with private information redacted. This served as a stark reminder of what could happen if a malicious actor accessed their information.
There were tons of activities to explore, such as Capture the Packet, botnet workshops, password labs, and walkthrough workshops. I was particularly interested in the walkthrough workshops, as they didn’t require any registration, allowing me to participate in a self-guided journey to learn about Fleet Device Management. Fleet is an open-core, cross-platform solution that provides real-time insights using Osquery and GitOps-driven management for all devices. It empowers IT security and administrators by facilitating device investigation, mobile device management, and the implementation of standard compliance policies for remediation and updates. Additionally, Fleet enhances IT security with automated vulnerability management and security workflows within a single application. It requires no certification and offers seamless on-premise or cloud integration.
The Fleet workshop offered a unique scavenger hunt using Osquery. Osquery exposes the underlying system data as a relational database, allowing you to write SQL queries to investigate the system state. Cryptic Morse code messages were embedded across various operational, diagnostic, and communication systems managed in Fleet. I had to dive deep into each system, uncovering hidden clues that revealed secret passwords in Morse code. This exercise highlighted Osquery’s powerful features, such as running a single query across multiple devices simultaneously to search for the Morse code clues.
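As an added illustration of that kind of hunt (my own example, not code from the workshop or from Fleet), the script below runs a query through `osqueryi --json`, then scans every column of the returned rows for runs of Morse symbols and decodes them; the sample rows are constructed, and `osqueryi` being on PATH is an assumption.

```python
import json
import subprocess

# International Morse for A-Z and 0-9; "/" is treated below as the word separator.
_LETTERS = ".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- -. --- .--. --.- .-. ... - ..- ...- .-- -..- -.-- --.."
_DIGITS = "----- .---- ..--- ...-- ....- ..... -.... --... ---.. ----."
MORSE = dict(zip(_LETTERS.split() + _DIGITS.split(), "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"))
MIN_TOKENS = 3  # shortest run of Morse symbols treated as a deliberate message, not noise

def run_osquery(sql):
    """Run `sql` via osqueryi in JSON mode (assumes osqueryi on PATH); Fleet runs the same SQL as a live query."""
    out = subprocess.run(["osqueryi", "--json", sql], capture_output=True, text=True, check=True)
    return json.loads(out.stdout)

def decode_morse(tokens):
    """Turn a list of Morse tokens ("/" = word break) into plain text."""
    return "".join(" " if t == "/" else MORSE[t] for t in tokens).strip()

def extract_morse(text):
    """Return each message hidden in `text` as a run of at least MIN_TOKENS Morse tokens."""
    found, run = [], []

    def flush():  # a run ends at the first whitespace-separated token that is not Morse
        if sum(t != "/" for t in run) >= MIN_TOKENS:
            found.append(decode_morse(run))
        run.clear()

    for tok in str(text).split():
        if tok in MORSE or tok == "/":
            run.append(tok)
        else:
            flush()
    flush()
    return found

def scan_rows(rows, key="pid"):
    """Scan every column of every osquery row; return (row key, column, decoded message) hits."""
    return [(row.get(key), col, msg)
            for row in rows for col, val in row.items() for msg in extract_morse(val)]

# Constructed rows in the shape `osqueryi --json "SELECT pid, name, cmdline FROM processes"`
# returns; they are made up for this example, not output captured at the workshop.
SAMPLE_ROWS = [
    {"pid": "1337", "name": "python3", "cmdline": "/usr/bin/python3 beacon.py --note ... . -.-. .-. . - / .--. .- ... ..."},
    {"pid": "2048", "name": "ls", "cmdline": "ls -la /tmp"},
    {"pid": "4096", "name": "sh", "cmdline": "sh -c 'echo - . ... - '"},
]

if __name__ == "__main__":  # swap SAMPLE_ROWS for run_osquery("SELECT pid, name, cmdline FROM processes") on a live host
    for pid, col, msg in scan_rows(SAMPLE_ROWS):
        print(f"pid {pid}: {col} -> {msg}")
```

In Fleet the same scan would be applied to the rows a live query returns from each enrolled host, which is what made searching every device at once practical.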
This workshop underscored the critical importance of being able to search and analyze logs quickly. Logs provide a wealth of information that can help identify unauthorized changes, track down security issues, and ensure compliance. The ability to efficiently query and analyze this data is essential for maintaining a secure and well-managed network.
