Yosker is an agent application that monitors and protects kiosk stations. It is designed as a dedicated IDS\IPS for kiosk stations.

The product is composed of 3 main modules:

Data Collection

Example: send requests in various protocols to known responding servers.

Analysis

Example: determine from the responses whether internet access is possible and over which protocols, and create the event “Internet Access”.

Alert \ Report

Example: check the event severity and the local config to validate that the event is not suppressed, then send the event to the ELK stack.

Data Collection

Yosker collects data in many forms.

Local System

  • Environment
  • System Info
  • WMI
  • Registry
  • Files
  • Hooking on OS events
  • Opened ports
  • Network Traffic (in the future)

Access to remote services

  • Internet connection in various protocols (ICMP, DNS, HTTP, Proxy HTTPS and more)
  • Scanning the surrounding network for hosts, shares and services
  • Searching for access to servers such as AD, SQL etc.

Analysis

Aggregating and analyzing this data, Yosker creates events based on scoring. Using these events Yosker tries to determine whether a risk is prominent or not.

Yosker looks for two different types of risk:

  • Topology Risk
  • Real Time Attack attempt

Topology Risk

Using the above scores Yosker tries to determine whether, and how, the station is:

  • Connected to the internet
  • Connected to the organizational network \ Domain
  • Connected to sensitive servers \ services

An internet connection might be fully open, or open only for specific protocols. If only DNS is fully open to any IP address on the web, there is still a potential for a DNS tunneling attack, but it is less likely and more complicated to execute.

Yosker may find on scan several hosts with shared folders, but if an AD server is not accessible from the kiosk station the potential risk is lower than full-blown domain access.

Combining those two scored events, the Analysis module provides an alert with a given severity.
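As an added illustration (not Yosker's own code), a toy model of the three-module pipeline described above: constructed probe results are scored into topology events, combined into one severity, and checked against a local suppression config before being emitted as an ELK-ready record. All weights, thresholds, event names and config keys are assumptions.

```python
import json

# Assumed per-probe weights, not from the product: full egress (HTTP, proxied HTTPS)
# weighs more than DNS-only, which the text calls tunnelable but harder to exploit.
INTERNET_WEIGHTS = {"icmp": 2, "dns": 1, "http": 4, "proxy_https": 4}
NETWORK_WEIGHTS = {"smb_share": 2, "ad": 5, "sql": 4}
SEVERITY_ORDER = ["info", "low", "medium", "high"]


def severity(score):
    """Map a combined topology score onto a severity band (thresholds assumed)."""
    if score >= 9:
        return "high"
    if score >= 5:
        return "medium"
    if score >= 2:
        return "low"
    return "info"


def analyze(probes):
    """Analysis module: turn raw probe outcomes into scored topology events."""
    events = []
    egress = [p for p, ok in probes["internet"].items() if ok]
    if egress:
        events.append({"event": "Internet Access", "detail": {"protocols": egress},
                       "score": sum(INTERNET_WEIGHTS[p] for p in egress)})
    reached = [s for s, ok in probes["network"].items() if ok]
    if reached:
        # Reaching AD is the full-blown domain case; shares alone score lower.
        name = "Domain Access" if "ad" in reached else "Network Access"
        events.append({"event": name, "detail": {"services": reached},
                       "score": sum(NETWORK_WEIGHTS[s] for s in reached)})
    return events


def report(events, local_config):
    """Alert/Report module: combine events, apply severity and suppression rules."""
    kept = [e for e in events if e["event"] not in local_config["suppress"]]
    total = sum(e["score"] for e in kept)
    sev = severity(total)
    if not kept or SEVERITY_ORDER.index(sev) < SEVERITY_ORDER.index(local_config["min_severity"]):
        return None  # suppressed: nothing is sent to ELK
    return {"severity": sev, "score": total, "events": kept}


# Constructed sample: a kiosk with DNS-only egress and one reachable file share.
SAMPLE_PROBES = {"internet": {"icmp": False, "dns": True, "http": False, "proxy_https": False},
                 "network": {"smb_share": True, "ad": False, "sql": False}}
SAMPLE_CONFIG = {"min_severity": "low", "suppress": []}

if __name__ == "__main__":
    print(json.dumps(report(analyze(SAMPLE_PROBES), SAMPLE_CONFIG), indent=2))
```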