Nov 28 2024

5 cybersecurity open-source tools 

Category: Open Sourcedisc7 @ 7:53 am

1. MISP (Malware Information Sharing Platform & Threat Sharing)

  • Purpose: Designed to facilitate sharing threat intelligence between organizations, MISP is invaluable for building a collaborative defense strategy against cyber threats.
  • Key Features:
    • Collects, stores, and shares indicators of compromise (IOCs) efficiently.
    • Supports STIX/TAXII for standardized threat intelligence sharing.
    • Offers real-time alerts, advanced tagging, and classification of incidents.
  • Use Case: Organizations use MISP to streamline incident response and threat intelligence management, making it a cornerstone of cybersecurity strategies.
  • Learn More: MISP Project

2. OSForensics

  • Purpose: A digital forensics tool enabling investigators to uncover critical evidence from digital devices.
  • Key Features:
    • Recovers deleted files, emails, and passwords from devices.
    • Tracks USB interactions and recently accessed websites.
    • Supports memory forensics with tools like Volatility Workbench.
    • Generates detailed forensic reports.
  • Use Case: Widely used in legal investigations, incident response, and by forensic professionals to analyze compromised systems.
  • Learn More: OSForensics

3. ELK Stack (Elasticsearch, Logstash, Kibana)

  • Purpose: A highly adaptable SIEM solution for monitoring, detecting, and analyzing security threats.
  • Key Features:
    • Elasticsearch indexes and searches log data.
    • Logstash processes and enriches the log data from multiple sources.
    • Kibana visualizes security metrics and logs with interactive dashboards.
    • Provides seamless scaling for growing datasets and integration with third-party tools.
  • Use Case: Ideal for enterprises needing real-time log analysis and monitoring to proactively address threats.
  • Learn More: Elastic.co

4. AlienVault OSSIM

  • Purpose: Combines open-source tools into a cohesive SIEM platform for comprehensive security monitoring.
  • Key Features:
    • Asset discovery and vulnerability assessment.
    • Intrusion detection (IDS/HIDS) and behavioral anomaly detection.
    • Incident response with robust reporting tools.
  • Use Case: Suitable for small to medium businesses looking for affordable yet powerful threat detection capabilities.
  • Learn More: AlienVault OSSIM

5. FreeIPA

  • Purpose: An IAM tool tailored for centralized authentication, authorization, and account management in Linux/UNIX environments.
  • Key Features:
    • Built-in SSO via Kerberos.
    • Integration with DNS and certificate management.
    • Offers both CLI and GUI options for flexibility.
  • Use Case: Enterprises needing streamlined IAM solutions for securing access across Linux-based systems.
  • Learn More: FreeIPA

Here are some implementation tips for the highlighted tools:


1. MISP

  • Initial Setup:
    • Deploy MISP on a Linux server (CentOS, Ubuntu, or Debian). Prebuilt virtual machines are also available.
    • Use Docker containers for easier installation and maintenance.
    • Configure database settings and enable HTTPS for secure communication.
  • Best Practices:
    • Regularly update the taxonomy and tags for organizing IOCs.
    • Leverage the API to integrate MISP with SIEMs or ticketing systems.
    • Use its sharing groups feature to limit access to sensitive threat intelligence.
  • Resources:

2. OSForensics

  • Deployment:
    • Install on a forensic workstation or USB stick for portable use.
    • Combine with additional forensic tools like FTK or EnCase for broader capabilities.
  • Tips:
    • Use OSFClone to create disk images for analysis without modifying evidence.
    • Regularly train staff on the Volatility Workbench module for memory forensics.
    • Automate reporting templates for quicker investigations.
  • Resources:

3. ELK Stack

  • Installation:
    • Set up Elasticsearch, Logstash, and Kibana on Linux. Docker and Helm charts for Kubernetes simplify deployment.
    • Use Filebeat to collect logs from endpoints and forward them to Logstash.
  • Optimization:
    • Configure indices carefully to handle high-volume logs.
    • Implement role-based access control (RBAC) for Kibana to secure dashboards.
    • Enable alerts and anomaly detection using Kibana’s machine learning features.
  • Resources:

4. AlienVault OSSIM

  • Setup:
    • Install on-premises or use its hosted version. The installation ISO is available on its website.
    • Configure plugins for data collection from firewalls, IDS/IPS, and endpoint devices.
  • Usage Tips:
    • Regularly update correlation rules for detecting modern threats.
    • Use its vulnerability scanner to complement other risk assessment tools.
    • Train analysts to leverage its HIDS/IDS for actionable insights.
  • Resources:

5. FreeIPA

  • Installation:
    • Deploy FreeIPA on a Linux-based system. Red Hat-based distributions offer built-in packages.
    • Integrate with Active Directory for hybrid environments.
  • Best Practices:
    • Configure Kerberos for single sign-on and enable password policies.
    • Regularly monitor and audit access logs using built-in features.
    • Secure FreeIPA with SELinux and periodic updates.
  • Resources:

Open Source Intelligence Methods and Tools: A Practical Guide to Online Intelligence

Checkout previous posts on Open Source here

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: open source tools


Apr 30 2024

Tracecat: Open-source SOAR

Category: Open Source,Security Toolsdisc7 @ 7:11 am

Tracecat is an open-source automation platform for security teams. The developers believe security automation should be accessible to everyone, especially understaffed small- to mid-sized teams. Core features, user interfaces, and day-to-day workflows are based on existing best practices from best-in-class security teams.

Use specialized AI models to label, summarize, and enrich alerts. Contextualize alerts with internal evidence and external threat intel:

  • Find cases using semantic search
  • MITRE ATT&CK labels
  • Whitelist / blacklist identities
  • Categorize related cases
  • MITRE D3FEND suggestions
  • Upload evidence and threat intel

Tracecat is not a 1-to-1 mapping of Tines / Splunk SOAR. The developers aim to give technical teams a Tines-like experience but with a focus on open-source and AI features.

While Tracecat is designed for security, its workflow automation and case management system are also suitable for various alerting environments, such as site reliability engineering, DevOps, and physical systems monitoring.

Turn security alerts into solvable cases:

  • Click-and-drag workflow builder â€“ Automate SecOps using pre-built actions (API calls, webhooks, data transforms, AI tasks, and more) combined into workflows. No code required.
  • Built-in case management system â€“ Open cases direct from workflows. Track and manage security incidents all-in-one platform.

Tracecat is cloud-agnostic and deploys anywhere that supports Docker. It’s available for free on GitHub.

Practical Threat Intelligence and Data-Driven Threat Hunting: A hands-on guide to threat hunting with the ATT&CK(TM) Framework and open source tools

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Tracecat


Apr 04 2024

Mantis: Open-source framework that automates asset discovery, reconnaissance, scanning

Category: Open Network,Open Source,OSINTdisc7 @ 7:53 am

Mantis features

The framework conducts reconnaissance on active assets and completes its operation with a scan for vulnerabilities, secrets, misconfigurations, and potential phishing domains, utilizing open-source and proprietary tools.

Some of the features that make Mantis stand out are:

  • Automated discovery, recon, and scan
  • Distributed scanning (split a single scan across multiple machines)
  • Scan customization
  • Dashboard support
  • Vulnerability management
  • Advanced alerting
  • DNS service integration
  • Integrate new tools (existing and custom) in minutes

“Last year, we explored open-source frameworks our organization can use to monitor assets. We wanted to set up an asset discovery framework that allows us to add custom scripts, enable or disable tools to run based on configs, scale, and deploy the framework across a cluster of VMs. We also wanted to find a way to ingest domains from DNS services into our databases. This led us to create Mantis, an asset discovery framework that could help bug bounty hunters as well as security teams,” Prateek Thakare, lead developer of Mantis, told Help Net Security.

System requirements

  • Supported OS: Ubuntu, macOS
  • 4GB RAM
  • 2 cores
  • 16GB of storage

Mantis is CPU intensive, so it’s advisable to run it on a dedicated virtual machine.

Future plans and download

“We are planning to have our dashboard making it easier to view and monitor the assets. We will also work on improvising the discovery, recon, and scan process by adding new tools and custom scripts,” Thakare concluded.

Mantis is available for free on GitHub.

The OSINT Handbook: A practical guide to gathering and analyzing online information

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Mantis, Open-source framework