Nov 28 2024

5 cybersecurity open-source tools 

Category: Open Sourcedisc7 @ 7:53 am

1. MISP (Malware Information Sharing Platform & Threat Sharing)

  • Purpose: Designed to facilitate sharing threat intelligence between organizations, MISP is invaluable for building a collaborative defense strategy against cyber threats.
  • Key Features:
    • Collects, stores, and shares indicators of compromise (IOCs) efficiently.
    • Supports STIX/TAXII for standardized threat intelligence sharing.
    • Offers real-time alerts, advanced tagging, and classification of incidents.
  • Use Case: Organizations use MISP to streamline incident response and threat intelligence management, making it a cornerstone of cybersecurity strategies.
  • Learn More: MISP Project

2. OSForensics

  • Purpose: A digital forensics tool enabling investigators to uncover critical evidence from digital devices.
  • Key Features:
    • Recovers deleted files, emails, and passwords from devices.
    • Tracks USB interactions and recently accessed websites.
    • Supports memory forensics with tools like Volatility Workbench.
    • Generates detailed forensic reports.
  • Use Case: Widely used in legal investigations, incident response, and by forensic professionals to analyze compromised systems.
  • Learn More: OSForensics

3. ELK Stack (Elasticsearch, Logstash, Kibana)

  • Purpose: A highly adaptable SIEM solution for monitoring, detecting, and analyzing security threats.
  • Key Features:
    • Elasticsearch indexes and searches log data.
    • Logstash processes and enriches the log data from multiple sources.
    • Kibana visualizes security metrics and logs with interactive dashboards.
    • Provides seamless scaling for growing datasets and integration with third-party tools.
  • Use Case: Ideal for enterprises needing real-time log analysis and monitoring to proactively address threats.
  • Learn More: Elastic.co

4. AlienVault OSSIM

  • Purpose: Combines open-source tools into a cohesive SIEM platform for comprehensive security monitoring.
  • Key Features:
    • Asset discovery and vulnerability assessment.
    • Intrusion detection (IDS/HIDS) and behavioral anomaly detection.
    • Incident response with robust reporting tools.
  • Use Case: Suitable for small to medium businesses looking for affordable yet powerful threat detection capabilities.
  • Learn More: AlienVault OSSIM

5. FreeIPA

  • Purpose: An IAM tool tailored for centralized authentication, authorization, and account management in Linux/UNIX environments.
  • Key Features:
    • Built-in SSO via Kerberos.
    • Integration with DNS and certificate management.
    • Offers both CLI and GUI options for flexibility.
  • Use Case: Enterprises needing streamlined IAM solutions for securing access across Linux-based systems.
  • Learn More: FreeIPA

Here are some implementation tips for the highlighted tools:


1. MISP

  • Initial Setup:
    • Deploy MISP on a Linux server (CentOS, Ubuntu, or Debian). Prebuilt virtual machines are also available.
    • Use Docker containers for easier installation and maintenance.
    • Configure database settings and enable HTTPS for secure communication.
  • Best Practices:
    • Regularly update the taxonomy and tags for organizing IOCs.
    • Leverage the API to integrate MISP with SIEMs or ticketing systems.
    • Use its sharing groups feature to limit access to sensitive threat intelligence.
  • Resources:

2. OSForensics

  • Deployment:
    • Install on a forensic workstation or USB stick for portable use.
    • Combine with additional forensic tools like FTK or EnCase for broader capabilities.
  • Tips:
    • Use OSFClone to create disk images for analysis without modifying evidence.
    • Regularly train staff on the Volatility Workbench module for memory forensics.
    • Automate reporting templates for quicker investigations.
  • Resources:

3. ELK Stack

  • Installation:
    • Set up Elasticsearch, Logstash, and Kibana on Linux. Docker and Helm charts for Kubernetes simplify deployment.
    • Use Filebeat to collect logs from endpoints and forward them to Logstash.
  • Optimization:
    • Configure indices carefully to handle high-volume logs.
    • Implement role-based access control (RBAC) for Kibana to secure dashboards.
    • Enable alerts and anomaly detection using Kibana’s machine learning features.
  • Resources:

4. AlienVault OSSIM

  • Setup:
    • Install on-premises or use its hosted version. The installation ISO is available on its website.
    • Configure plugins for data collection from firewalls, IDS/IPS, and endpoint devices.
  • Usage Tips:
    • Regularly update correlation rules for detecting modern threats.
    • Use its vulnerability scanner to complement other risk assessment tools.
    • Train analysts to leverage its HIDS/IDS for actionable insights.
  • Resources:

5. FreeIPA

  • Installation:
    • Deploy FreeIPA on a Linux-based system. Red Hat-based distributions offer built-in packages.
    • Integrate with Active Directory for hybrid environments.
  • Best Practices:
    • Configure Kerberos for single sign-on and enable password policies.
    • Regularly monitor and audit access logs using built-in features.
    • Secure FreeIPA with SELinux and periodic updates.
  • Resources:

Open Source Intelligence Methods and Tools: A Practical Guide to Online Intelligence

Checkout previous posts on Open Source here

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: open source tools


Aug 11 2022

New Open Source Tools Launched for Adversary Simulation

Category: Security ToolsDISC @ 8:37 am

The new open source tools are designed to help defense, identity and access management, and security operations center teams discover vulnerable network shares.

globalnetwork_sasunBughdaryan-AdobeStock.jpg

Network shares in Active Directory environments configured with excessive permissions pose serious risks to the enterprise in the form of data exposure, privilege escalation, and ransomware attacks. Two new open source adversary simulation tools PowerHuntShares and PowerHunt help enterprise defenders discover vulnerable network shares and manage the attack surface.

The tools will help defense, identity and access management (IAM), and security operations center (SOC) teams streamline share hunting and remediation of excessive SMB share permissions in Active Directory environments, NetSPI’s senior director Scott Sutherland wrote on the company blog. Sutherland developed these tools.

PowerHuntShares inventories, analyzes, and reports excessive privilege assigned to SMB shares on Active Directory domain joined computers. The PowerHuntShares tool addresses the risks of excessive share permissions in Active Directory environments that can lead to data exposure, privilege escalation, and ransomware attacks within enterprise environments.

“PowerHuntShares will inventory SMB share ACLs configured with ‘excessive privileges’ and highlight ‘high risk’ ACLs [access control lists],” Sutherland wrote.

PowerHunt, a modular threat hunting framework, identifies signs of compromise based on artifacts from common MITRE ATT&CK techniques and detects anomalies and outliers specific to the target environment. The tool automates the collection of artifacts at scale using PowerShell remoting and perform initial analysis. 

Network shares configured with excessive permissions can be exploited in several ways. For example, ransomware can use excessive read permissions on shares to access sensitive data. Since passwords are commonly stored in cleartext, excessive read permissions can lead to remote attacks against databases and other servers if these passwords are uncovered. Excessive write access allows attackers to add, remove, modify, and encrypt files, such as writing a web shell or tampering with executable files to include a persistent backdoor. 

“We can leverage Active Directory to help create an inventory of systems and shares,” Sutherland wrote. “Shares configured with excessive permissions can lead to remote code execution (RCE) in a variety of ways, remediation efforts can be expedited through simple data grouping techniques, and malicious share scanning can be detected with a few common event IDs and a little correlation (always easier said than done).”

Source: New Open Source Tools Launched for Adversary Simulation

The Tao of Open Source Intelligence

Hunting Cyber Criminals: A Hacker’s Guide to Online Intelligence Gathering Tools and Techniques

Tags: Adversary Simulation, Hunting Cyber Criminals:, Open source intelligence, open source tools


Oct 01 2021

New APT ChamelGang Targets Russian Energy, Aviation Orgs

Category: APT,Information SecurityDISC @ 9:23 am

First appearing in March, the group has been leveraging ProxyShell against targets in 10 countries and employs a variety of malware to steal data from compromised networks.

A new APT group has emerged that’s specifically targeting the fuel and energy complex and aviation industry in Russia, exploiting known vulnerabilities like Microsoft Exchange Server’s ProxyShell and leveraging both new and existing malware to compromise networks.

Researchers at security firm Positive Technologies have been tracking the group, dubbed ChamelGang for its chameleon-like capabilities, since March. Though attackers mainly have been seen targeting Russian organizations, they have attacked targets in 10 countries so far, researchers said in a report by company researchers Aleksandr Grigorian, Daniil Koloskov, Denis Kuvshinov and Stanislav Rakovsky published online Thursday.

To avoid detection, ChamelGang hides its malware and network infrastructure under legitimate services of established companies like Microsoft, TrendMicro, McAfee, IBM and Google in a couple of unique ways, researchers observed.

more detail analysis on: New APT ChamelGang Targets Russian Energy, Aviation Orgs

Practical Threat Intelligence and Data-Driven Threat Hunting: A hands-on guide to threat hunting with the ATT&CK™ Framework and open source tools

Tags: APT ChamelGang, ATT&CK™ Framework, open source tools, Threat Hunting