This is a non-IMPACT record, meaning that access to the data is not controlled by IMPACT. For access, see the directions below.

Disclaimer:
This Resource is offered and provided outside of the IMPACT mediation framework. IMPACT and the IMPACT Coordination Council/Blackfire Technology, Inc. expressly disclaim all conditions, representations and warranties including but not limited to Resource availability, quality, accuracy, non-infringement, and non-interference. All Resource information and access is controlled by entities and under terms that are external to the IMPACT legal framework.

Summary

DS-1346
diffy
External Tool
External Data Source
GitHub
Unknown
Unknown
55 (lowest rank is 55)

Category & Restrictions

Other
forensics, cyber defense
Unrestricted
true

Description


Diffy is a triage tool used during cloud-centric security incidents, to help digital forensics and incident response (DFIR) teams quickly identify suspicious hosts on which to focus their response.

Diffy is a digital forensics and incident response (DFIR) tool developed by Netflix's Security Intelligence and Response Team (SIRT).
Diffy allows a forensic investigator to quickly scope a compromise across cloud instances during an incident, and triage those instances for followup actions. "Diffy" helps human investigators identify the differences between instances. Diffy is currently focused on Linux instances running within Amazon Web Services (AWS), but owing to our plugin structure, could support multiple platforms and cloud providers.

Diffy is a differencing engine for digital forensics and incident response (DFIR) in the cloud. Collect data across multiple virtual machines and use variations from a baseline, and/or clustering, to scope a incident.

Features:
- Efficiently highlights outliers in security-relevant instance behavior. For example, you can use Diffy to tell you which of your instances are listening on an unexpected port, are running an unusual process, include a strange crontab entry, or have inserted a surprising kernel module.

- Uses one, or both, of two methods to highlight differences:
Collection of a "functional" baseline from a "clean" running instance, against which your instance group is compared, and
Collection of a "clustered" baseline, in which all instances are surveyed, and outliers are made obvious.

- Uses a modular plugin-based architecture. The program includes plugins for collection using osquery via AWS Systems Manager (formerly known as Simple Systems Manager or SSM).

Additional Details

1.1MB
false
Unknown
digital forensics, cybercrime, virtualization software, computer memory, diffy, inferlink corporation, amazon web services, netflix, baseline, amazon, external data source, 1346, virtual machine, memory module, software project management