ITG's expertly curated ISO 27001 documentation toolkit provides ready-to-use templates, saving you the effort of building everything from scratch. Developed by experienced ISO 27001 consultants and subject matter experts, this toolkit has a strong track record of guiding organizations to certification. Join the thousands of organizations that trust our toolkit for a reliable path to ISO 27001 compliance.
Easily handle ISMS (Information Security Management System) documentation with our streamlined templates and tools, designed to simplify the creation and management of critical documents, making ISO 27001 compliance straightforward and efficient.
For organizations dedicated to safeguarding sensitive data, our ISO 27001 Toolkit is an invaluable resource, helping you navigate ISO 27001 requirements with ease and confidence.
Linux admin tools help administrators manage and optimize Linux systems efficiently. They handle system monitoring, configuration, security management, and task automation. These tools streamline administrative tasks, improve performance, and enhance system security. The list also features monitoring utilities like Htop, Monit, and network tools like Iftop, ensuring administrators maintain stable, high-performing Linux environments.
Popular tools include:
Here Are The Top Linux Admin Tools
Webmin – Web-based interface for system administration, managing users, services, and configurations.
Puppet – Configuration management tool automating server provisioning, configuration, and management.
Zabbix – Open-source monitoring tool for networks, servers, and applications with alerting and reporting features.
Nagios – A network monitoring tool that provides alerts on system, network, and infrastructure issues.
Ansible – IT automation tool for configuration management, application deployment, and task automation using YAML.
Lsof – A command-line utility that lists open files and the processes using them.
Htop – Interactive process viewer for Unix systems, offering a visual and user-friendly alternative to the top command.
Redmine – Web-based project management and issue tracking tool, supporting multiple projects and teams.
Nmap – A network scanning tool for discovering hosts and services on a network and for security auditing.
Monit – Utility for managing and monitoring Unix systems, capable of automatic maintenance and repair.
Nmon – Performance monitoring tool providing insights into CPU, memory, disk, and network usage.
Paessler PRTG – Comprehensive network monitoring tool with a web-based interface supporting SNMP, WMI, and other protocols.
GNOME System Monitor – Graphical application for monitoring system processes, resources, and file systems.
The article lists 33 open-source cybersecurity tools designed to improve security for various platforms, including Linux, Windows, and macOS. These tools cover a wide range of security needs, from identity management and encryption to vulnerability scanning, threat intelligence, and forensic analysis. Examples include Authentik for identity management, Grype for vulnerability scanning, and MISP for threat intelligence sharing. These solutions offer flexibility and transparency, enabling organizations to customize their security infrastructure.
Open-source cybersecurity tools provide transparency and flexibility, allowing users to examine and customize the source code to fit specific security needs. These tools make cybersecurity accessible to a broader range of organizations and individuals.
In this article, you will find a list of 33 open-source cybersecurity tools for Linux, Windows, and macOS that you should consider to enhance protection and stay ahead of potential threats.
By now, most people are aware of – or have been personally affected by – the largest IT outage the world has ever witnessed, courtesy of a defective update for CrowdStrike Falcon Sensors that threw Windows hosts into a blue-screen-of-death (BSOD) loop.
“We currently estimate that CrowdStrike’s update affected 8.5 million Windows devices, or less than one percent of all Windows machines. While the percentage was small, the broad economic and societal impacts reflect the use of CrowdStrike by enterprises that run many critical services,” David Weston, Microsoft’s VP of Enterprise and OS Security, stated on Saturday.
CrowdStrike claimed earlier today that “a significant number” of affected systems are back online and operational.
“Together with customers, we tested a new technique to accelerate impacted system remediation. We’re in the process of operationalizing an opt-in to this technique,” they noted on their remediation and guidance hub. “Customers are encouraged to follow the Tech Alerts for latest updates as they happen and they will be notified when action is needed.”
Microsoft collaborates with CrowdStrike, provides recovery tool
Microsoft is, understandably, doing everything it can to speed up worldwide recovery from the issue: it has deployed hundreds of Microsoft engineers and experts to work with customers to restore services, and it is collaborating with CrowdStrike.
“CrowdStrike has helped us develop a scalable solution that will help Microsoft’s Azure infrastructure accelerate a fix for CrowdStrike’s faulty update. We have also worked with both AWS and GCP to collaborate on the most effective approaches,” Weston explained.
Microsoft has also released a recovery tool that can be downloaded and used by IT admins to make the repair process less time-consuming.
The tool provides two repair options.
The first one – Recover from WinPE (Preinstallation Environment) – does not require local admin privileges, but requires the person to manually enter the BitLocker recovery key (if BitLocker is used on the device).
The second one – Recover from safe mode – may allow recovery without entering the BitLocker recovery keys.
“For this option, you must have access to an account with local administrator rights on the device. Use this approach for devices using TPM-only protectors, devices that are not encrypted, or situations where the BitLocker recovery key is unknown,” the Intune Support Team noted.
They also included detailed recovery steps for Windows clients, servers, and OSes hosted on Hyper-V.
Microsoft has previously confirmed that the buggy CrowdStrike update affected Windows 365 Cloud PCs and that users “may restore their Windows 365 Cloud PC to a known good state prior to the release of the update (July 19, 2024)”. The company has also provided guidance for restoring affected Azure virtual machines.
Cloud security company Orca has released a script that automates the remediation of Windows virtual machines hosted on AWS.
Threat actors exploiting the situation
As expected, scammers and threat actors have immediately started taking advantage of the chaos that resulted from the faulty update.
Trend Micro researchers provided examples of tech support scams doing the rounds, and even legal scams.
Phishers and vishers impersonating CrowdStrike support and contacting customers
Scammers posing as independent researchers, claiming to have evidence the technical issue is linked to a cyberattack and offering remediation insights
“CrowdStrike Intelligence recommends that organizations ensure they are communicating with CrowdStrike representatives through official channels,” the company said.
UPDATE (July 23, 2024, 05:15 a.m. ET):
CrowdStrike has provided a way to remediate affected systems more quickly. Customers must opt in to use the technique via the support portal. (A Reddit user has explained the process involved.)
The company has also released a video explaining how users can self-remediate affected remote Windows laptops.
While facilitating remote work, remote desktop software presents security challenges for IT teams due to the use of various tools and ports.
The multitude of ports makes it difficult to monitor for malicious traffic.
Weak credentials and software vulnerabilities are exploited to gain access to user systems.
Hackers may also use technical support scams to trick users into granting access.
The Most Targeted Remote Desktop Tools In The Last 12 Months
Researchers identified VNC, a platform-independent remote desktop tool using the RFB protocol, as the most targeted remote desktop application (98% of traffic).
The attacks leveraged weak passwords and a critical vulnerability (CVE-2006-2369) in RealVNC 4.1.1, allowing authentication bypass.
Over 99% of attacks targeted unsecured HTTP ports rather than TCP ports used for application data exchange, which suggests attackers exploit the inherent lack of authentication on HTTP for unauthorized access.
The security of VNC varies with the specific software: some implementations impose only weak password limits, while others rely on SSH or VPN tunnelling for encryption.
VNC uses a base port (5800 for TCP, 5900 for HTTP) with an additive display number, making it difficult to secure with firewalls compared to single-port remote desktop solutions.
Additionally, pinpointing the origin of VNC attacks is challenging due to attackers using proxies and VPNs, but a significant portion seems to originate from China.
Attackers target RDP, a remote desktop protocol, for credential-based attacks and exploit vulnerabilities to execute malicious code, as RDP is more likely to be involved in large attacks compared to VNC.
Flaws Exploited
In one study, 15% of RDP attacks leveraged obsolete cookies, possibly to target older, more vulnerable RDP software. Barracuda has also reported RDP vulnerabilities such as CVE-2018-0886 (targeting credential security), CVE-2019-0708 (with worm potential), and CVE-2019-0887 (hypervisor access).
Attackers exploit vulnerabilities in RDP to gain access to systems. Brute-force attacks are common, targeting password hashes for privileged accounts. RDP can also be used to launch denial-of-service attacks.
In social engineering scams, attackers convince users to grant RDP access to fix fake technical problems, and vulnerable RDP instances are sold on the black market for further attacks.
North America is a leading source of RDP attacks, but location tracking is difficult due to anonymizing techniques.
TeamViewer, a remote desktop tool, rarely encounters attacks (0.1% of traffic). Recent versions target enterprises and integrate with business applications, offering security features like fingerprinting, strong password enforcement, and multi-factor authentication.
Encrypted communication channels further enhance security. However, phished credentials and technical support scams can still compromise TeamViewer sessions, and because the software may use ports beyond its primary port 5938, detecting malicious traffic is more challenging for security teams.
Citrix created ICA as an alternative to RDP. It uses ports 1494 and 2598, while older ICA clients and the ICA Proxy have had RCE vulnerabilities.
AnyDesk, another RDP solution, uses port 6568 and has been abused in tech support scams and malware, while Splashtop Remote, using port 6783, has been involved in support scams and can be compromised through weak credentials.
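As an added example (not from the article or any of the vendors named in it), the following Python classifier maps destination ports in constructed firewall log lines to the remote desktop tools and port numbers listed above, and flags sources that sweep across the additive VNC display range, the pattern that single-port firewall rules tend to miss. The log line format, the 100-display VNC range and RDP's TCP port 3389 (not stated in the article) are assumptions.

```python
import re
from collections import Counter, defaultdict

# Ports taken from the article. The VNC base ports get an additive display
# number, so one tool occupies a whole port range rather than a single port.
VNC_BASE_PORTS = (5800, 5900)
VNC_MAX_DISPLAYS = 100          # assumption: treat displays :0 to :99 as VNC

# Fixed-port tools from the article. 3389 is an assumption: the standard RDP
# port, which the article does not state. Note that TeamViewer's 5938 falls
# inside the 5900+N VNC range, so fixed ports must be checked first; this
# overlap is one reason port-only classification stays ambiguous.
FIXED_PORTS = {
    3389: "RDP",
    5938: "TeamViewer",
    1494: "Citrix ICA",
    2598: "Citrix ICA",
    6568: "AnyDesk",
    6783: "Splashtop",
}

# Constructed firewall log format (not the format of any real product):
#   <timestamp> SRC=<ip> DST=<ip> PROTO=<proto> DPT=<port> ACTION=<ACCEPT|DROP>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"DPT=(?P<dport>\d+) ACTION=(?P<action>\S+)$"
)


def classify_port(port):
    """Map a destination port to (tool, vnc_base, display).

    For fixed-port tools vnc_base and display are None. For VNC the base
    port and display number are returned so an analyst can see which range
    (5800+N or 5900+N) was hit.
    """
    if port in FIXED_PORTS:
        return FIXED_PORTS[port], None, None
    for base in VNC_BASE_PORTS:
        if base <= port < base + VNC_MAX_DISPLAYS:
            return "VNC", base, port - base
    return None, None, None


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def summarize(lines):
    """Count connection records per remote desktop tool."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tool, _, _ = classify_port(rec["dport"])
        if tool:
            counts[tool] += 1
    return dict(counts)


def vnc_display_sweeps(lines, min_displays=3):
    """Return sources that touched at least min_displays distinct VNC displays.

    A legitimate client normally connects to one display; walking several
    displays in a row is the signature of a scan across the additive VNC
    port range, which a rule written for one port will not catch.
    """
    displays = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tool, base, display = classify_port(rec["dport"])
        if tool == "VNC":
            displays[rec["src"]].add((base, display))
    return {src: sorted(d) for src, d in displays.items() if len(d) >= min_displays}


# Constructed sample log using documentation IP ranges (no real hosts).
SAMPLE_LOG = """\
2024-07-20T10:00:01Z SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=5900 ACTION=ACCEPT
2024-07-20T10:00:02Z SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=5901 ACTION=ACCEPT
2024-07-20T10:00:03Z SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=5902 ACTION=DROP
2024-07-20T10:00:04Z SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=5803 ACTION=DROP
2024-07-20T10:00:05Z SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP DPT=3389 ACTION=ACCEPT
2024-07-20T10:00:06Z SRC=198.51.100.8 DST=192.0.2.12 PROTO=TCP DPT=5938 ACTION=ACCEPT
2024-07-20T10:00:07Z SRC=198.51.100.9 DST=192.0.2.13 PROTO=TCP DPT=2598 ACTION=ACCEPT
2024-07-20T10:00:08Z SRC=198.51.100.9 DST=192.0.2.13 PROTO=TCP DPT=443 ACTION=ACCEPT
this line is malformed and is skipped by the parser
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(vnc_display_sweeps(SAMPLE_LOG))
```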
Tracecat is an open-source automation platform for security teams. The developers believe security automation should be accessible to everyone, especially understaffed small- to mid-sized teams. Core features, user interfaces, and day-to-day workflows are based on existing best practices from best-in-class security teams.
Use specialized AI models to label, summarize, and enrich alerts. Contextualize alerts with internal evidence and external threat intel:
Find cases using semantic search
MITRE ATT&CK labels
Whitelist / blacklist identities
Categorize related cases
MITRE D3FEND suggestions
Upload evidence and threat intel
Tracecat is not a 1-to-1 mapping of Tines / Splunk SOAR. The developers aim to give technical teams a Tines-like experience but with a focus on open-source and AI features.
While Tracecat is designed for security, its workflow automation and case management system are also suitable for various alerting environments, such as site reliability engineering, DevOps, and physical systems monitoring.
Turn security alerts into solvable cases:
Click-and-drag workflow builder – Automate SecOps using pre-built actions (API calls, webhooks, data transforms, AI tasks, and more) combined into workflows. No code required.
Built-in case management system – Open cases directly from workflows. Track and manage security incidents in a single platform.
Tracecat is cloud-agnostic and deploys anywhere that supports Docker. It’s available for free on GitHub.
A variety of Python security tools are used in the cybersecurity industry, and Python is one of the most widely used programming languages for developing penetration testing tools.
For anyone who is involved in vulnerability research, reverse engineering or pen-testing, Cyber Security News suggests trying out mastering in Python For Hacking From Scratch.
It is highly practical but does not neglect the theory: it starts with the basics of ethical hacking and Python programming and progresses to an advanced level.
Some of the listed tools are written in Python; others are just Python bindings for existing C libraries. They include some of the most powerful pentest frameworks, Bluetooth smashers, web application vulnerability scanners, war dialers, etc. Here you can also find thousands of hacking tools.
Best Python Security Tools for Pentesters
Python Course & Papers
Hacking with Python – Learn to Create your own Hacking Tools
Mastering in Python Programming For Hacking From Scratch
Forensic Fuzzing Tools: generate fuzzed files, fuzzed file systems, and file systems containing fuzzed files in order to test the robustness of forensics tools and examination systems
Windows IPC Fuzzing Tools: tools used to fuzz applications that use Windows Interprocess Communication mechanisms
WSBang: perform automated security testing of SOAP based web services
Construct: library for parsing and building of data structures (binary or textual). Define your data structures in a declarative manner
python-poppler-qt4: Python binding for the Poppler PDF library, including Qt4 support
Misc
InlineEgg: a toolbox of classes for writing small assembly programs in Python
Exomind: framework for building decorated graphs and developing open-source intelligence modules and ideas, centered on social network services, search engines and instant messaging
RevHosts: enumerate virtual hosts for a given IP address
Security analysis of web applications is, first of all, a search and investigation of cases of incorrect functioning of program code and vulnerabilities. Those who choose a penetration tester’s profession should keep in mind that it requires continuous learning and the ability to use a library of resources for self-education. A common situation is that while you are studying vulnerabilities in one framework, a dozen new reports are published. To quickly understand the potential vulnerabilities associated with previously unknown technologies, you need to be well-versed in the sources of information. When working in a team on an actual pentest project, there is usually no time for a thoughtful search. So, if your skills are combined with a strong foundational education, you are looking at promising career opportunities.
Your initial understanding of the subject can be developed through cybersecurity analysis courses at the university. These courses can also help you decide if this career path is right for you. It is good to receive foundational training in software development and networking, including web applications, while you are at university. Afterward, you can gain hands-on experience by practicing infrastructure penetration testing.
Usually, your initial attempts to secure a job as a web penetration tester might reveal gaps in your knowledge. Seeking employment at companies like VentureDive, where the work could help fill these educational gaps and offer valuable experience, is a smart approach. For instance, you could start as a technical support specialist in information security at a large company. After about two to four months, you might go for your first interview for a security analyst position, during which you could identify any weak points you might still have. With a few more months of work under the guidance of a mentor and diving into training materials, you could successfully land a position as a penetration tester.
Choosing where to work in the future is not as straightforward as it may appear. In a large, well-known company, you will be surrounded by a high level of expertise and likely assigned a mentor. However, the opportunity to find truly interesting vulnerabilities in real projects might be limited. This is because such organizations often have costly services, and their clients are usually not willing to skimp on development and security. Consequently, you will be working with quality products that have undergone thorough security testing, reducing the likelihood of encountering situations that provide valuable experience.
In a small company, you should not expect to find a mentor, a high level of expertise, or an impressive salary. However, these companies often get orders to pentest applications with many vulnerabilities, providing invaluable experience for those new to the profession. With this experience under your belt, you could eventually transition to a larger company.
Mastering Interview Techniques
Given that we cannot cover everything, let’s go over the essential knowledge and skills you need to analyze vulnerabilities in web applications.
A pentester needs to understand how applications function on the network level, which includes knowing about TCP handshakes, domain names, IPs, proxies, etc. It is also important to grasp the basics of how HTTP and HTTPS protocols work. Being prepared to answer questions like “What is the difference between HTTP methods?” “When should PATCH be used as opposed to POST?” and “How do HTTP 0.9/1.1 differ from HTTP/2?” is a part of this foundational knowledge.
Vulnerabilities are not always tucked away in a web application’s code; sometimes, they are embedded in its architecture, like within the web server itself. Often, a pentester might not have a direct view of the application’s architecture but can infer how it functions. Therefore, having knowledge in this area is incredibly useful.
As vulnerabilities become more complex, it is important to grasp the basics. This foundational understanding allows you to tackle more complex issues as they arise.
Developing the ability to search for answers to your questions using open sources is vital, even if you have someone to ask. Always start by seeking out information and attempting to solve problems on your own before seeking help.
Being able to write and read code in various languages, including PHP, Python, JavaScript, Java, and C#, is essential. When it comes to analyzing web applications, you will encounter different approaches, such as white box, gray box, and black box testing. For example, if you are doing white box testing and have access to the application’s source code, having development experience is a big plus. Additionally, the ability to write automation scripts and tailor third-party tools to fit your needs is a valuable skill.
Pentest projects frequently require examining the application from the outside in. You need the ability to scan the network and identify vulnerable services to ensure no obvious security flaws are overlooked.
In your work, you will often need to theoretically explain the nature of a vulnerability. This requires understanding basic concepts, such as how databases operate, the properties of information, and what constitutes vulnerability and exploitation. Essential skills also include system administration for both Windows and Linux.
Simply studying a vast number of vulnerabilities will not turn you into a top-tier professional, because it does not cultivate the skill of discovering them. During actual pentest projects, the toughest part is often identifying vulnerabilities. It is advised to search for vulnerable applications and analyze them without peeking at the technology stack or hints about the vulnerabilities. This practice offers foundational experience and insights into how things operate in an actual project.
For those lacking a basic education in security analysis, paid penetration testing courses are an option to consider. Unfortunately, the better courses tend to be expensive, and it is difficult to recommend any budget-friendly options that are truly effective. It is crucial to realize that these courses will not turn you into an expert overnight, as some might claim, but they will provide you with a solid understanding of the profession.
CloudGrappler is an innovative open-source tool designed to detect the presence of notorious threat actors in cloud environments.
This tool is a beacon of hope for security teams struggling to keep pace with the sophisticated tactics of groups like LUCR-3, also known as Scattered Spider.
CloudGrappler leverages the power of CloudGrep, a tool developed by Cado Security, to offer high-fidelity, single-event detections of activities associated with well-known threat actors in popular cloud platforms such as AWS and Azure.
It acts as a cyber detective, sifting through the vast amounts of data in cloud environments to identify suspicious and malicious activities that often go unnoticed.
Key Features Of CloudGrappler
Threat Actor Querying: CloudGrappler excels in identifying activities demonstrated by some of the most notorious cloud threat actors. It utilizes a subset of activities from Permiso’s extensive library of detections to help organizations pinpoint threats targeting their cloud infrastructure.
Single-Event Detections: The tool provides a granular view of potential security incidents, enabling security teams to quickly and easily identify specific anomalies within their AWS and Azure environments.
Integration with CloudGrep: By incorporating a set of Tactics, Techniques, and Procedures (TTPs) observed in the modern threat landscape, CloudGrappler enhances its threat detection capabilities.
How CloudGrappler Works
CloudGrappler includes several components designed to streamline the threat detection process:
Scope Selector: Users can define the scope of their scanning through an integrated data_sources.json file, choosing to scan specific resources or a broader range of cloud infrastructure services.
Query Selector: The tool comes with a queries.json file containing predefined TTPs commonly used by threat actors. Users can modify these queries or add custom ones to tailor the scanning process.
Report Generator: After scanning, CloudGrappler produces a comprehensive report in JSON format, offering detailed insights into the scan results and enabling security teams to address potential threats swiftly.
It is based on a subset of activity from Permiso’s library of hundreds of detections, and it helps organizations detect threats targeting their cloud infrastructure.
Practical Applications
CloudGrappler is not just about detecting suspicious activities; it also provides valuable threat intelligence to help security professionals understand the risks in their environment and develop targeted response strategies.
The tool’s output includes information on the threat actor involved, the severity of the detected activity, and a description of the potential implications.
For those interested in enhancing their cloud security posture, CloudGrappler is available on GitHub.
The repository includes detailed instructions on setting up and using the tool, making it accessible to security teams of all sizes.
As cloud environments become increasingly complex and threat actors’ activities more sophisticated, tools like CloudGrappler are essential for maintaining a robust security posture.
CloudGrappler represents a significant step forward in the fight against cybercrime by offering an open-source solution for detecting and analyzing threats in cloud environments.
You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are incredibly harmful, can wreak havoc, and damage your network.
🔹Nipe – Script to redirect all traffic from the machine to the Tor network. 🔗https://lnkd.in/grhEtqdr
🔹OnionScan – Tool for investigating the Dark Web by finding operational security issues introduced by Tor hidden service operators. 🔗https://onionscan.org/
🔹Tails – Live operating system aiming to preserve your privacy and anonymity. 🔗https://tails.boum.org/
🔹Tor – Free software and onion routed overlay network that helps you defend against traffic analysis. 🔗https://lnkd.in/g8Uc8nB2
🔹dos-over-tor – Proof of concept denial of service over Tor stress test tool. 🔗https://lnkd.in/gAEQPvbd
Digital forensics plays a crucial role in analyzing and addressing cyberattacks, and it’s a key component of incident response. Additionally, digital forensics provides vital information for auditors, legal teams, and law enforcement agencies in the aftermath of an attack.
Many cutting-edge digital forensics tools are on the market, but for those who cannot afford them, here’s a list of great free solutions to get you started.
Autopsy is a digital forensics platform widely employed by law enforcement agencies, military personnel, and corporate investigators to examine and understand activities on a computer. Although Autopsy is designed to be cross-platform, the latest version is fully functional and tested only on Windows.
bulk_extractor is a high-speed tool for digital forensics analysis. It scans various inputs, including disk images, files, and directories, extracting organized information like email addresses, credit card numbers, JPEG images, and JSON fragments. This is achieved without the need to parse file systems or their structures. The extracted data is saved in text files, which can be examined, searched, or utilized as inputs for further forensic investigations.
NetworkMiner, an open-source network forensics tool, specializes in extracting artifacts like files, images, emails, and passwords from network traffic captured in PCAP files. Additionally, it can capture live network traffic by sniffing a network interface.
Velociraptor is a sophisticated digital forensics and incident response tool designed to improve your insight into endpoint activities. At the press of a (few) buttons, perform targeted collection of digital forensic evidence simultaneously across your endpoints, with speed and precision.
WinHex is a versatile hexadecimal editor, proving especially useful in the areas of computer forensics, data recovery, low-level data processing, and IT security. It allows users to inspect and modify various file types, as well as recover deleted files or retrieve lost data from hard drives with damaged file systems or digital camera cards.
Discover the power of H4X-Tools, a versatile toolkit designed for scraping, OSINT (Open-Source Intelligence), and beyond.
From extracting information from social media accounts to conducting phone and IP lookups, H4X-Tools offers a wide array of functionalities to aid researchers, developers, and security enthusiasts alike.
Explore its features, installation process, and community-driven development in this article. Toolkit for scraping, OSINT and more.
Submit feature requests and bugs in the issues tab.
If you want to help with the development, follow the instructions in contributing and simply open a pull request. You can also donate to keep the project alive and me motivated!
Current Tools
Warning
Some tools might not work on Windows systems.
Tool Name – Description
Ig Scrape – Scrapes information from IG accounts.
Web Search – Searches the internet for the given query.
Phone Lookup – Looks up a phone number and returns information about it.
Ip Lookup – Looks up an IP/domain address and returns information about it.
Port Scanner – Scans for open ports in a given IP/domain address.
Username Search – Tries to find a given username from many different websites.
Email Search – Efficiently finds registered accounts from a given email. Thanks to holehe.
Webhook Spammer – Spams messages to a discord webhook.
WhoIs Lookup – Looks up a domain and returns information about it.
Scans for all local accounts and their information.
Caesar Cipher – Encrypts/decrypts/bruteforces a message using the Caesar cipher.
BaseXX – Encodes/decodes a message using Base64/32/16.
About – Tells you about the tool.
Donate – My crypto addresses where to donate.
Exit – Exits the tool.
Note
- IG Scrape requires you to log in in order to use it.
- SMS Bomber only works with US numbers.
- You might get rate limited after using some of the tools for too long.
Installation
I’ll upload already built executables to the releases tab, but I’d recommend installing the tool manually by following the instructions below. This way you also get the freshest version.
As-a-service attacks continue to dominate the threat landscape, with Malware-as-a-Service (MaaS) and Ransomware-as-a-Service (RaaS) tools making up the majority of malicious tools in use by attackers, according to Darktrace.
Cybercriminals exploit as-a-Service tools
As-a-Service tools can provide attackers with everything from pre-made malware to templates for phishing emails, payment processing systems and even helplines to enable criminals to mount attacks with limited technical knowledge.
The most common as-a-Service tools Darktrace saw in use from July to December 2023 were:
Malware loaders (77% of investigated threats), which can deliver and execute other forms of malware and enable attackers to repeatedly target affected networks.
Cryptominers (52% of investigated threats), which use an infected device to mine for cryptocurrency.
Botnets (39% of investigated threats) enrol users in wider networks of infected devices, which attackers then leverage in larger-scale attacks on other targets.
Information-stealing malware (36% of investigated threats), malicious software like spyware or worms, designed to secretly access and collect sensitive data from a victim’s computer or network.
Proxy botnets (15% of investigated threats), more sophisticated botnets that use proxies to hide the true source of their activity.
Phishing threats escalate in business communications
Darktrace identified Hive ransomware as one of the major Ransomware-as-a-Service attacks at the beginning of 2023. With the dismantling of Hive by the US government in January 2023, Darktrace observed the rapid growth of a range of threats filling the void, including ScamClub, a malvertising actor notorious for spreading fake virus alerts to notable news sites, and AsyncRAT, responsible for attacking US infrastructure employees in recent months.
As businesses continue to rely on email and collaboration tools for communication, methods such as phishing continue to cause a headache for security teams. Darktrace detected 10.4 million phishing emails across its customer fleet between 1 September and 31 December 2023.
But the report also highlights how cybercriminals are embracing more sophisticated tools and tactics designed to evade traditional security parameters. One example is the rise of Microsoft Teams phishing in which attackers contact employees through Teams, posing as a co-worker and tricking them into clicking malicious links.
In one case in September 2023, Darktrace identified a suspected Teams phisher attempting to trick users into clicking a SharePoint link that would download the DarkGate malware and deploy further strains of malware across the network.
Multi-function malware on the rise
Another new trend identified is the growth of malware developed with multiple functions to inflict maximum damage. Often deployed by sophisticated groups like cyber cartels, these Swiss Army knife-style threats combine capabilities.
For example, the recent Black Basta ransomware also spreads the Qbot banking trojan for credential theft. Such multi-tasking malware lets attackers cast a wide net to monetise infections.
“Throughout 2023, we observed significant development and evolution of malware and ransomware threats, as well as changing attacker tactics and techniques resulting from innovation in the tech industry at large, including the rise in generative AI. Against this backdrop, the breadth, scope, and complexity of threats facing organizations has grown significantly,” comments Hanah Darley, Director of Threat Research, Darktrace. “Security teams face an uphill battle to stay ahead of attackers, and need a security stack that keeps them ahead of novel attacks, not chasing yesterday’s threats.”
Cybersecurity products can get pricey, but there are many excellent open source tools to help secure your systems and data. Here is a list of some of the most popular among cyber pros.
Cybersecurity tools aren’t just for the enterprise anymore; they’re essential for every type and size of organization.
Some tools specialize in antivirus, while others focus on spear phishing, network security or scripting. Even the best cybersecurity products can only do a few things very well, and there is no room for error.
Effective products, coupled with in-depth cybersecurity planning, are a must for all. Whether businesses have an in-house security team or outsource these services, every entity needs cybersecurity pros to discover and fix any points of weakness in computer systems. This reality can tax the bottom line, but luckily there are many free cybersecurity tools available.
Here is a rundown of some of the top free tools cybersecurity professionals use every day to identify vulnerabilities.
1. Aircrack-ng
Aircrack-ng is a must-have suite of wireless security tools that focus on different aspects of Wi-Fi security. Aircrack-ng focuses on monitoring, attack testing and cracking your Wi-Fi network. This package of tools can capture, analyze and export packet data, spoof access points or routers and crack complex Wi-Fi passwords. The Aircrack-ng suite of programs includes Airdecap-ng, which decrypts WEP or WPA-encrypted capture files; Airodump-ng, a packet sniffer; Airtun-ng, a virtual tunnel interface creator; and Packetforge-ng, which creates encrypted packets for injection. All of it is free and open source.
2. Burp Suite
Burp is a suite of tools specifically focused on debugging and testing web app security. Burp Suite includes a spider for crawling web app content, a randomness tool for testing session tokens and a sophisticated request repeater to resend manipulated requests. The real power of Burp Suite, however, is the intercepting proxy tool, which enables Burp to intercept, inspect, modify and send traffic from the browser to a target. This powerful feature makes it possible to creatively analyze a web app’s attack vectors from all angles — a key reason it’s often ranked as one of the best free cybersecurity tools. The community version of Burp Suite is free, but there is also a paid Enterprise Edition designed for enabling testing in DevSecOps.
3. Defendify
Defendify is an all-in-one product that provides multiple layers of protection and offers consulting services if needed. With Defendify, organizations can streamline cybersecurity assessments, testing, policies, training, detection and response in one consolidated cybersecurity tool.
Features include cybersecurity risk assessments, technology and data use policies, incident response plans, penetration testing, threat alerts, phishing simulations and cybersecurity awareness training.
4. Gophish
Many of the costliest data breaches and ransomware attacks in recent years can be traced back to simple phishing campaigns because many company workers fall for them. One of the best protections is to secretly test your staff to see who is gullible, and for that you can use the free program Gophish. Gophish is open source and provides a full-featured toolkit for security administrators to build their own phishing campaigns with relative ease. The overall goal is not to embarrass staff, but to find out who needs greater phishing awareness and to foster better security training within the organization.
5. Have I Been Pwned
Created by award-winning cybersecurity thought leader and teacher Troy Hunt, Have I Been Pwned is a website where you enter your email address to check if your address has been revealed in a data breach. Have I Been Pwned’s database is filled with billions of usernames, passwords, email addresses and other information that hackers have stolen and published online. Just enter your address in the search box.
6. Kali Linux
Kali Linux is a Debian Linux derivative designed specifically for security tasks such as penetration testing, security auditing and digital forensics. Kali includes roughly 600 pre-installed programs, each chosen to help computer security experts carry out a specific attack, probe or exploit against a target. Aircrack-ng, Nmap, Wireshark and Metasploit are a few of the pre-installed tools that ship with the Kali Linux download.
7. Metasploit Framework
Similar to Kali Linux but at the application layer rather than the OS, the Metasploit Framework can test computer system vulnerabilities or be used to break into remote systems. It is, in other words, a network penetration “Swiss Army knife” used by both ethical hackers and criminal gangs to probe networks and applications for flaws and weaknesses. There is both a free and a commercial version — known as the Framework and Pro editions, respectively — which are available for trial. Both editions are the de facto standard for penetration testing, with more than 1,500 exploits. Metasploit comes pre-installed on Kali Linux.
8. Nmap
Nmap is a free network mapper used to discover network nodes and scan systems for vulnerabilities. This popular free cybersecurity tool provides methods to find open ports, detect host devices, see which network services are active, fingerprint operating systems and locate potential backdoors.
While Nmap provides users immense power and capability to explore networks, the program has a rather steep learning curve to get over before one becomes truly proficient in using it.
9. Nikto
Nikto is an ultra-powerful, command-line tool useful for uncovering vulnerabilities in web apps, services and web servers. Originally launched in the early 2000s, Nikto is still widely used by both blue and red teams that want to quickly scan web servers for unpatched software, misconfigurations and other security issues. The program also features built-in support for SSL proxies and intrusion detection system evasion. Nikto can run on any computer capable of supporting the Perl programming language.
10. Open Vulnerability Assessment Scanner
OpenVAS is an all-in-one vulnerability scanner that comprehensively tests for security holes, misconfigured systems and outdated software. The scanner gets the tests for detecting vulnerabilities from a feed with daily updates. Much of the program’s power stems from its built-in programming interface, which enables developers to create custom scans that fit niche needs.
Its capabilities include unauthenticated and authenticated testing, high-level and low-level internet and industrial protocols, performance tuning for large-scale scans and a powerful internal programming language to implement any type of vulnerability test.
11. OSSEC
OSSEC is a free program for cybersecurity professionals that’s been touted as one of the most popular systems for intrusion detection and prevention. Made up of multiple components — including a server, agent and router monitor — OSSEC is capable of rootkit detection, system integrity checking, threat alerts and response. One of OSSEC’s highlights is its comprehensive log analysis tool, empowering users to compare and contrast log events from many different sources.
OSSEC comes in three versions: standard; OSSEC+, which includes machine learning and real-time community updates; and Atomic OSSEC, with more advanced functions.
12. Password managers
Using only strong passwords — and keeping them secure — is an essential step in the security of any system. But since a best practice is to use a unique password for every website, app and service, that can get tricky. A good password manager makes it possible to safely store all passwords together so a user only needs to remember one master key rather than dozens of unique passwords. This is especially true for cybersecurity professionals tasked with guarding passwords to mission-critical systems. Fortunately, there are free password management tools. Three good, free options for cybersecurity pros are KeePass, Bitwarden and Psono.
13. PfSense
The firewall/router software pfSense can be installed on either a physical computer or virtual machine to protect networks. PfSense is based on the FreeBSD OS, and has become one of the most popular open source firewall/router projects available. PfSense can also be configured for intrusion detection and prevention, traffic shaping, load balancing and content filtering. The pfSense site includes a tour, a community page, a link to both training and support and a download of the latest version of the community edition of the software.
14. P0f
Endpoint fingerprinting is the analysis of web traffic to find patterns, responses and packets sent and received in a particular direction — even if they are encrypted. This works even with “dumb” devices that don’t interact with the network but can still enable unauthorized access to an organization’s systems.
P0f is a simple yet powerful network-level fingerprinting and forensics program. While other free cybersecurity programs do a similar job, p0f is unique in that it’s designed for stealth. Where most other programs rely on active scanning and packet injection, p0f can identify fingerprints and other vital information without network interference. Being passive rather than active means p0f is nearly impossible to detect and even harder to block, making it a favorite tool for ethical hackers and cybercriminals alike.
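To make the passive approach concrete, here is an added example (not p0f’s code, and not its signature database) that extracts from a single captured TCP SYN the fields a passive fingerprinter keys on: IP TTL, the don’t-fragment bit, the TCP window, and the MSS and window-scale options. A defender can run the same logic over a SPAN-port capture to build an asset inventory and spot a device whose SYN profile does not match its claimed role, without ever sending a packet. The signature table and the sample packets are constructed for illustration; the initial-TTL defaults (64 for Linux-style stacks, 128 for Windows-style stacks) are widely documented, everything else in the table is invented.

```python
"""Passive TCP SYN fingerprinting in the style of p0f (added example).

Not p0f's code or its signature database: the SIGNATURES table and the
packets built by build_syn() are constructed here for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass
class SynFeatures:
    ttl: int
    df: bool
    window: int
    mss: Optional[int]
    wscale: Optional[int]

    def initial_ttl(self) -> int:
        """Round the observed TTL up to the nearest common initial value.
        The 32/64/128/255 defaults are widely documented; the gap to the
        observed TTL is a rough hop count."""
        for base in (32, 64, 128, 255):
            if self.ttl <= base:
                return base
        return 255


def parse_syn(packet: bytes) -> SynFeatures:
    """Pull fingerprint fields out of a raw IPv4+TCP SYN. Only the bytes of
    the SYN itself are read; nothing is transmitted (passive by design)."""
    ihl = (packet[0] & 0x0F) * 4                      # IPv4 header length
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    ttl = packet[8]
    if packet[9] != 6:
        raise ValueError("not TCP")
    tcp = packet[ihl:]
    data_off = (tcp[12] >> 4) * 4                     # TCP header length
    if not tcp[13] & 0x02:
        raise ValueError("not a SYN")
    window = struct.unpack("!H", tcp[14:16])[0]
    mss = wscale = None
    opts = tcp[20:data_off]
    i = 0
    while i < len(opts):                              # walk TCP options
        kind = opts[i]
        if kind == 0:                                 # end of option list
            break
        if kind == 1:                                 # NOP, single byte
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2:                                 # MSS
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        elif kind == 3:                               # window scale
            wscale = opts[i + 2]
        i += length
    return SynFeatures(ttl, bool(flags_frag & 0x4000), window, mss, wscale)


# Constructed signature table (initial TTL, DF, window, MSS, wscale) -> label.
# These are illustrative entries, not real p0f signatures.
SIGNATURES = {
    (64, True, 64240, 1460, 7): "linux-like (constructed signature)",
    (128, True, 65535, 1460, 8): "windows-like (constructed signature)",
}


def classify(packet: bytes) -> str:
    """Match a SYN against the table; report raw features when unknown."""
    f = parse_syn(packet)
    key = (f.initial_ttl(), f.df, f.window, f.mss, f.wscale)
    return SIGNATURES.get(
        key, f"unknown: ttl={f.ttl} df={f.df} win={f.window} mss={f.mss} ws={f.wscale}")


def build_syn(ttl: int, df: bool, window: int, mss: int, wscale: int) -> bytes:
    """Assemble a minimal IPv4+TCP SYN with the given features. Checksums are
    left zero: this is a constructed sample, not traffic captured anywhere."""
    opts = struct.pack("!BBH", 2, 4, mss) + b"\x01" + struct.pack("!BBB", 3, 3, wscale)
    opts += b"\x00" * (-len(opts) % 4)                # pad to 32-bit boundary
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0,
                      (5 + len(opts) // 4) << 4, 0x02, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    return ip + tcp


if __name__ == "__main__":
    # A Linux-like host 12 hops away and a Windows-like host 11 hops away.
    print(classify(build_syn(52, True, 64240, 1460, 7)))
    print(classify(build_syn(117, True, 65535, 1460, 8)))
```

The `initial_ttl` rounding is what lets a single signature match a host regardless of how many routers sit between it and the sensor; in a real deployment the table would be far larger and the unknown bucket is exactly where an inventory review should start.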
15. REMnux
Normally the dissection and examination of malware is left to the antimalware vendors. But if you would like to do the job yourself, there is REMnux, a free Linux toolkit for reverse-engineering and analyzing malware.
Included in every REMnux distribution are tools to analyze Windows executables, reverse-engineer binaries and inspect suspicious documents. It also includes a collection of free tools cybersecurity professionals can use to monitor networks, gather data and conduct memory forensics.
16. Security Onion
Security Onion is an open source software collection based on the Linux kernel that helps cybersecurity professionals develop a comprehensive profile of their system’s security posture. Security Onion provides network monitoring using full packet capture, host-based and network-based intrusion detection systems, log indexing, search and data visualization features.
The operating system emphasizes ease of use and makes it possible to interweave data and analytics from multiple tools into a unified dashboard. The overarching goal of the project is to offer teams a foolproof security monitoring solution that reduces decision paralysis and false alerts.
17. Snort
Snort is an open source network intrusion prevention and intrusion detection system capable of real-time traffic analysis and logging. It uses a series of rules to identify malicious network activity, find the packets and generate alerts. This packet sniffer — managed by Cisco — actively searches and analyzes networks to detect probes, attacks and intrusions. Snort accomplishes this by fusing a sniffer, packet logger and intrusion detection engine into a single package.
Its developer recently released version 3, which includes a new rule parser and rule syntax, support for multiple packet-processing threads, use of a shared configuration and attribute table, access to more than 200 plugins, rewritten TCP handling and new performance monitoring.
18. Sqlmap
Sqlmap is an open source penetration testing tool that automates detecting and exploiting SQL injection flaws of database servers, enabling a remote hacker to take control. It comes with a detection engine and many niche features for the ultimate penetration tester. It supports a variety of databases — including Oracle and open source — and a number of injection types.
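The class of flaw sqlmap automates is easiest to see side by side with its fix. The following is an added example (not sqlmap’s code): an in-memory SQLite table with a few constructed accounts, a lookup that splices user input into the query text, and the same lookup with a bound parameter. The tautology probe `' OR '1'='1` turns the first query into one that matches every row, while the parameterized version treats the whole string as a literal username and matches nothing.

```python
"""Vulnerable vs. parameterized lookups against an in-memory SQLite table.

Added example (not sqlmap's code); the table and its users are constructed.
"""
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Build a throwaway database with a few constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "analyst"), ("carol", "auditor")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """The anti-pattern: user input is spliced into the SQL text, so the
    quoting inside the input becomes part of the query's syntax."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """The fix: a bound parameter. The driver passes the value separately
    from the statement, so it can never be interpreted as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo() -> dict:
    """Run both lookups with a normal name and with a boolean-based probe."""
    conn = make_db()
    probe = "' OR '1'='1"   # classic tautology payload
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_probe": lookup_vulnerable(conn, probe),
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_probe": lookup_safe(conn, probe),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:18} -> {rows}")
```

Boolean- and time-based techniques in tools like sqlmap are just systematic ways of observing the difference between those two behaviours; a code base that uses bound parameters everywhere gives the scanner nothing to observe.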
19. Wireshark
Wireshark is considered by many to be an indispensable tool to locate, identify and examine network packets to diagnose critical issues and spot security weaknesses. The website for Wireshark outlines its broad set of features and provides a user’s guide and other resources for putting this free cybersecurity tool to best use.
20. Zed Attack Proxy (ZAP)
ZAP is an open source penetration testing tool designed specifically for testing web applications. It is known as a “man-in-the-middle proxy,” where it intercepts and inspects messages sent between browsers and web applications.
ZAP provides functionality for developers, testers new to security testing and security testing specialists. There are also versions for each major operating system and Docker. Additional functionality is available via add-ons in the ZAP Marketplace.
Every cybersecurity expert carries a different set of tools, depending on their mission and skill set. However, the free cybersecurity tools here serve as an entry point for those looking to increase their cybersecurity skills and knowledge. Cyberthreats are getting more lethal every year — and more efficient.
One of the best ways to stay safe and secure when using your computers and other electronic devices is to be aware of the risks. For the past decade, that’s precisely what I’ve been doing.
Most risks are obvious: use strong passwords, don’t download and install software from untrustworthy websites, or hand your unlocked device to a third party.
However, there are less obvious — yet equally dangerous — risks that can result in device or network intrusion, or even device destruction.
Watch out: Some of the most effective and dangerous hacking tools are hard to tell apart from benign devices. They can even be cute.
OSINVGPT is an AI-based system that helps security analysts with open-source investigations and tool selection. The tool was developed by “Very Simple Research.”
This tool can assist security analysts in gathering relevant information, sources, and tools for their investigations. It even helps researchers produce reports and summaries of their results.
OSINVGPT is available on ChatGPT and is useful for security researchers as it saves both time and effort.
Key Aspects
The key aspects OSINVGPT covers are:
Data Analysis
Interpretation
Guidance on Methodology
Case Studies
Examples
Document Analysis
Fact-Checking
Verification
Recommendations Based on External Sources
Ethical Considerations
OSINVGPT’s data analysis and interpretation involve examining information from diverse open sources to form readable narratives and address specific queries. At the same time, guidance is offered on conducting transparent and accurate open-source investigations.
Detailed insights and suggestions are provided using real-world examples within the knowledge base. Appropriate data is analyzed and extracted from the uploaded documents for open-source investigations.
To ensure investigation accuracy, assistance is given in fact-checking using open-source data. Recommendations based on external sources are provided for queries beyond the direct knowledge base, with a focus on ethical considerations in open-source investigations for responsible conduct.
The OSINVGPT tool can be accessed through ChatGPT for open-source investigations.
Open-source tools represent a dynamic force in the technological landscape, embodying innovation, collaboration, and accessibility. These tools, developed with transparency and community-driven principles, allow users to scrutinize, modify, and adapt solutions according to their unique needs.
In cybersecurity, open-source tools are invaluable assets, empowering organizations to fortify their defenses against evolving threats.
In this article, you will find a list of open-source cybersecurity tools that you should definitely check out.
Nemesis: Open-source offensive data enrichment and analytic pipeline
Nemesis is a centralized data processing platform that ingests, enriches, and performs analytics on offensive security assessment data (i.e., data collected during penetration tests and red team engagements).
SessionProbe: Multi-threaded pentesting tool for evaluating user privileges in web applications
SessionProbe is a multi-threaded pentesting tool designed to evaluate user privileges in web applications.
Mosint: Open-source automated email OSINT tool
Mosint is an automated email OSINT tool written in Go designed to facilitate quick and efficient investigations of target emails. It integrates multiple services, providing security researchers with rapid access to a broad range of information.
Vigil: Open-source LLM security scanner
Vigil is an open-source security scanner that detects prompt injections, jailbreaks, and other potential threats to Large Language Models (LLMs).
AWS Kill Switch: Open-source incident response tool for locking down AWS accounts
AWS Kill Switch is an open-source incident response tool for quickly locking down AWS accounts and IAM roles during a security incident.
PolarDNS: Open-source DNS server tailored for security evaluations
PolarDNS is a specialized authoritative DNS server that allows the operator to produce custom DNS responses suitable for DNS protocol testing purposes.
Kubescape: Open-source Kubernetes security platform
Kubescape, the open-source Kubernetes security platform targeted at DevSecOps practitioners and platform engineers, has reached version 3.0.
Logging Made Easy: Free log management solution from CISA
CISA launched a new version of Logging Made Easy (LME), a straightforward log management solution for Windows-based devices that can be downloaded and self-installed for free.
GOAD: Vulnerable Active Directory environment for practicing attack techniques
Game of Active Directory (GOAD) is a free pentesting lab. It provides a vulnerable Active Directory environment for pen testers to practice common attack methods.
Wazuh: Free and open-source XDR and SIEM
Wazuh is an open-source platform designed for threat detection, prevention, and response. It can safeguard workloads in on-premises, virtual, container, and cloud settings.
Yeti: Unified platform for observables, indicators of compromise and TTPs
Yeti serves as a unified platform to consolidate observables, indicators of compromise, TTPs, and threat-related knowledge. It enriches observables automatically, such as domain resolution and IP geolocation, saving you the effort.
BinDiff: Open-source comparison tool for binary files
BinDiff is a binary file comparison tool to find differences and similarities in disassembled code quickly.
LLM Guard: Open-source toolkit for securing Large Language Models
LLM Guard is a toolkit designed to fortify the security of Large Language Models (LLMs). It is designed for easy integration and deployment in production environments.
Velociraptor: Open-source digital forensics and incident response
Velociraptor is a sophisticated digital forensics and incident response tool designed to improve your insight into endpoint activities.
In the realm of cybersecurity, where a constant influx of new “essential” products occurs, it’s tempting to be influenced into investing in unnecessary tools that not only expand your vulnerability but also provide minimal, if any, value. Let’s delve into the intricacies of security expenditure and the advantages of optimization, especially in times of economic uncertainty as we plan for the 2024 budget.
The culture of panic buying is real
This is an industry that uses fear, uncertainty, and doubt (FUD) as a selling tactic, making security leaders feel like every product is make-or-break for the wellbeing of their organization. The promise of a fix-it-all solution (the mythical silver bullet) is particularly tempting in this environment, especially for smaller organizations that most likely don’t have the budgets to implement a multitude of security tools or hire cyber specialists in-house. Vendors play on that desperation to make profits, and a lot of them are very good at it.
The fear mongering may also lead to impulsive decisions to invest in products that won’t configure correctly with the buyer’s current technology stack, thus introducing even more risk. The name of the game in a lean operation is a solution that is customizable and adaptable, and that will grow with the changing needs of an organization’s security team.
The consequences can cost millions
According to IBM’s 2023 Cost of a Data Breach Report, organizations are now paying $4.5 million to deal with breaches – a 15% increase over the last three years. Aside from spending cash to purchase the product, panic buying can result in a wider attack surface, costly auto-renews and misconfigurations.
There is no doubt that taking advantage of new technological solutions (with AI and machine learning being fan favorites right now), can be extremely beneficial from both a technological and reputational perspective. But without looking at the big picture and calculating the actual value of the product in question, it’s nearly impossible to make a well-informed investment decision.
To assess the value of a product, security leaders should examine whether it adds or minimizes organizational risk and whether their current cybersecurity personnel and tools will be able to interact with it effectively.
Calculating the value of a product doesn’t have to be a guessing game. Risk = likelihood x impact is a great equation to use to solve for the value of a product or service.
To calculate likelihood of an attack, examine the degree of difficulty to execute an attack and the exposure of your assets. Determine your organization’s acceptable risk and use that equation to work backwards to identify the monetary impact of an attack. If that impact is significantly higher than the price of the product or service, it may be worth looking elsewhere.
It’s easy to fall into the trap of impulse buying cybersecurity products that don’t improve security but instead leave you vulnerable to costly attacks. Organizations should aim to protect their most valuable assets and prioritize addressing threats to those critical puzzle pieces of their business.
The solution is possible, and relatively simple
Look inward and optimize. Companies need to understand what inside their networks and data is most attractive and most vulnerable to attackers. Get visibility into what you have, calculate the value of your tools, and use the information to move forward.
Understanding risk by gaining full visibility into what you already have can allow companies to communicate better with investors and the public in the case of an attack or breach. For example, they will be able to give clear information about the impact (or lack of impact) on the business when an attack occurs and lay out clear steps for remediation, not having to guess the next best course of action.
‘Tis the season to prioritize your security investments
It is important to remember that the goal is not to buy more tools to chase the growing number of vulnerabilities that experts find every day, but to protect the assets that are most relevant to overall vital business operations and limit the fallout of inevitable cyber incidents.
By attaching a dollar value to the cyber risks the organization is up against, you will be in a much better position to discuss your security plan and budgetary needs.
When budgets are tight, every purchase must be accounted for with a clear indication of its value to the business operation. This is especially true for security purchases, which tend to be costly line items.
In today’s economic climate, proving ROI for security spend is a big part of security leaders’ jobs. It is crucial that before purchasing a new cybersecurity tool, investing in a service, or hiring specialists, you understand their functionality and purpose.
COMPREHENSIVE ANALYSIS: TODDYCAT’S ADVANCED TOOLSET AND STEALTHY CYBER ESPIONAGE TACTICS
ToddyCat, an Advanced Persistent Threat (APT) group, has garnered attention for its clandestine cyber-espionage operations, utilizing a sophisticated toolset designed for data theft and exfiltration. The group employs a myriad of techniques to move laterally within networks and conduct espionage operations with a high degree of secrecy and efficiency. This article, incorporating insights from the source article and other sources, aims to provide a detailed overview of ToddyCat’s toolset and operational tactics.
STEALTH AND SOPHISTICATION: TODDYCAT’S MODUS OPERANDI
ToddyCat employs disposable malware, ensuring no clear code overlaps with known toolsets, thereby enhancing its ability to remain undetected. The malware is designed to steal and exfiltrate data, while the group employs various techniques to move laterally within networks and conduct espionage operations.
EXPLOITATION TECHNIQUES AND MALWARE UTILIZATION
Disposable Malware: Utilized to enhance stealth and evasion capabilities.
Data Exfiltration: Malware designed to access and extract sensitive information.
Lateral Movement: Techniques employed to expand reach and access within compromised environments.
TOOLSET SUMMARY
Dropbox Exfiltrator: A tool designed to exfiltrate data, ensuring that stolen information can be securely and covertly transferred to the attackers.
LoFiSe: A tool that may be utilized for lateral movement and further exploitation within compromised networks.
Pcexter: A tool that may be used to send specific files or data to external servers, facilitating data exfiltration.
Dropper: A tool that may be utilized to deploy additional payloads or malware within compromised environments.
DETAILED INSIGHTS INTO THE TOOLSET
1. LOADERS
Standard Loaders: ToddyCat utilizes 64-bit libraries, invoked by rundll32.exe or side-loaded with legitimate executable files, to load the Ninja Trojan during the infection phase. Three variants of these loaders have been observed, each differing in the library it is loaded by, where the malicious code resides, the file it loads, and the next stage.
Tailored Loader: A variant of the standard loader, this is customized for specific systems, employing a unique decryption scheme and storing encrypted files in a different location and filename (%CommonApplicationData%\Local\user.key).
2. NINJA TROJAN
The Ninja Trojan, a sophisticated malware written in C++, is a potent tool in ToddyCat’s arsenal. It provides functionalities like:
Managing running processes
File system management
Managing multiple reverse shell sessions
Injecting code into arbitrary processes
Loading additional modules during runtime
Proxy functionality to forward TCP packets between the C2 and a remote host
3. LOFISE
LoFiSe is a component designed to find and collect files of interest on targeted systems. It tracks changes in the file system, filtering files based on size, location, and extension, and collects suitable files for further action.
4. DROPBOX UPLOADER
This generic uploader, not exclusive to ToddyCat, is used to exfiltrate stolen documents to Dropbox, accepting a Dropbox user access token as an argument and uploading files with specific extensions.
5. PCEXTER
Pcexter is another uploader used to exfiltrate archive files to Microsoft OneDrive. It is distributed as a DLL file and executed using the DLL side-loading technique.
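The loader behaviours described above (rundll32.exe invoking a library, a legitimate executable side-loading a DLL from its own directory, and the tailored loader’s encrypted file at %CommonApplicationData%\Local\user.key) all leave endpoint telemetry a defender can hunt over. The following is an added example, not detection content from Kaspersky or any vendor: three simple heuristics run over constructed process-creation, image-load and file-create events. The event schema, the file and DLL names, and the events themselves are invented for illustration; the only page-derived indicator is the user.key path, and %CommonApplicationData% is assumed to resolve to C:\ProgramData as it does on current Windows.

```python
"""Hunting heuristics for rundll32 loaders, DLL side-loading and the
tailored-loader artifact path, over constructed endpoint telemetry.

Added example; the event schema and every sample event are invented.
"""
from pathlib import PureWindowsPath
from typing import Dict, List

# Directories where a DLL loaded by rundll32 or beside a signed binary is
# expected; anything outside these is worth a look.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def check_event(ev: Dict) -> List[str]:
    """Return a finding per heuristic the event trips (usually zero or one)."""
    findings: List[str] = []
    kind = ev["type"]
    if kind == "process_create":
        image = PureWindowsPath(ev["image"]).name.lower()
        if image == "rundll32.exe":
            # rundll32.exe <dll>,<export>: inspect the DLL argument only
            args = ev["cmdline"].split(maxsplit=1)
            dll = args[1].split(",")[0].strip('"') if len(args) > 1 else ""
            if dll and not in_system_dir(dll):
                findings.append(f"rundll32 loading DLL outside system dirs: {dll}")
    elif kind == "image_load":
        exe_dir = PureWindowsPath(ev["image"]).parent
        dll = PureWindowsPath(ev["loaded"])
        # Side-loading heuristic: a signed host binary picks up a DLL that
        # sits next to it in a user-writable location.
        if dll.parent == exe_dir and not in_system_dir(str(dll)) and ev.get("signed_image"):
            findings.append(f"possible DLL side-load: {ev['image']} loaded {dll}")
    elif kind == "file_create":
        p = ev["path"].lower()
        # %CommonApplicationData%\Local\user.key, assuming C:\ProgramData
        if p.endswith("\\local\\user.key") and "\\programdata\\" in p:
            findings.append(f"tailored-loader artifact path: {ev['path']}")
    return findings


def hunt(events: List[Dict]) -> List[str]:
    return [f for ev in events for f in check_event(ev)]


# Constructed sample telemetry: two benign events mixed with three that
# match the heuristics. None of these paths come from a real incident.
EVENTS = [
    {"type": "process_create", "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
    {"type": "process_create", "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Users\\Public\\update.dll,Start"},
    {"type": "image_load", "image": "C:\\Users\\Public\\tools\\vendor.exe",
     "loaded": "C:\\Users\\Public\\tools\\version.dll", "signed_image": True},
    {"type": "image_load", "image": "C:\\Program Files\\Vendor\\app.exe",
     "loaded": "C:\\Program Files\\Vendor\\helper.dll", "signed_image": True},
    {"type": "file_create", "path": "C:\\ProgramData\\Local\\user.key"},
    {"type": "file_create", "path": "C:\\ProgramData\\Vendor\\cache.bin"},
]

if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

The side-loading rule deliberately keys on location rather than on any specific DLL name, since the page notes that ToddyCat varies the library used across loader variants; the file-path rule is the narrow, high-confidence one and should be paired with the broader two.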
POTENTIAL IMPACT AND THREAT LANDSCAPE
The emergence of ToddyCat’s new toolset and its sophisticated TTPs presents a significant threat to organizations, with potential impacts including data breaches, unauthorized access to sensitive information, and network compromise.
MITIGATION AND DEFENSE STRATEGIES
Enhanced Monitoring: Implementing monitoring solutions to detect anomalous activities.
User Education: Ensuring users are educated about potential threats and cybersecurity best practices.
Regular Patching: Keeping all systems regularly patched and updated.
Threat Intelligence: Leveraging intelligence to stay abreast of the latest TTPs employed by threat actors.
ToddyCat’s advanced toolset and stealthy operations underscore the evolving and sophisticated nature of cyber threats. Organizations and cybersecurity practitioners must remain vigilant and adopt advanced cybersecurity practices to defend against the sophisticated tools and tactics employed by threat actors like ToddyCat.