Open source tools for security operations
Building a SOC involves many components. From the technology standpoint, open source software is valuable both for identifying threats and for reducing cost. From the Defense in Depth (DiD) standpoint, many devices and technologies need to be combined to build the SOC. Based on industry experience, the technologies below can be used to build a proper SOC that monitors threats, detects anomalies and safeguards the company.
Since most attacks come from outside, it is very important to apply proper controls at the network perimeter. Using open source products reduces the cost of the product, and paid support is not mandatory.
IDS/IPS: An intrusion detection system is essential for monitoring traffic to detect anomalies and attacks. Snort is an open source network-based intrusion detection/prevention system that performs real-time traffic analysis and packet logging on IP networks. Snort has 5 important components that help it detect attacks:
- Packet Decoder
- Detection Engine
- Logging and Alerting System
- Output Modules
Using the components above, Snort can detect network-based attacks and probes, including operating system fingerprinting attempts, semantic URL attacks, buffer overflows, SMB (Server Message Block) probes and stealth port scans. It can also detect web application attacks such as SQL injection.
Since Snort is only an engine, it needs a GUI for ease of use if you are not comfortable with the command line, so it is good to configure Snorby as well; Snorby requires a normal web server application such as Apache.
Snorby helps analyze the alerts triggered by Snort: it shows the alerts and the criteria each alert matched.
Tip: Make sure all signatures are kept up to date so that emerging threats are detected and prevented. Signatures can be open source or paid, depending on budget.
For more details, please refer to https://www.snort.org/
Vulnerability Scanner (OpenVAS): To be a proactive security practitioner, it is essential to have a vulnerability scanner, so you can scan and confirm whether any assets are running with critical vulnerabilities that could lead to a security breach or attack. A vulnerability scanner is a product with a regularly updated set of scripts that identify vulnerabilities in systems or applications. Perform regular scans on the systems, especially externally facing or internet-connected systems, and patch them regularly.
Tip: For every update or deployment, make sure all systems and applications are patched for known vulnerabilities.
There are various open source tools with limited licensing, such as OpenVAS. Regular updates of the NVTs (Network Vulnerability Tests) help detect emerging vulnerabilities.
The OpenVAS engine can be used with the Greenbone GUI and the Barnyard database for populating results in the UI. It can scan all systems in the network, and it is good to run authenticated scans using domain credentials. Greenbone provides options for creating credentials, hosts, tasks and schedules in the user interface. For more details, refer to http://openvas.org/
For effectiveness, it is better to also use emerging tools such as CALDERA, an intelligent adversary emulation tool developed by MITRE, which can be used to emulate adversary behavior. For more details, please refer to https://www.mitre.org/research/technology-transfer/open-source-software/caldera.
Some of the other tools are:
Maltego (https://www.paterva.com/web7/buy/maltego-clients/maltego.php): Maltego is proprietary software used for open-source intelligence and forensics, developed by Paterva. Maltego focuses on providing a library of transforms for discovery of data from open sources, and visualizing that information in a graph format, suitable for link analysis and data mining.
Vega (https://subgraph.com/vega/): Vega is a free and open source web security scanner and web security testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.
Nessus (https://www.tenable.com/products/nessus/nessus-professional): Nessus is a widely used, effective vulnerability scanner with more features.
HoneyNet: Attackers are getting smarter every day, so it is good to have a honeynet to observe and analyze the attack patterns that attackers try, in order to understand them and defend against them. It is an important technology for tricking the attacker and safeguarding the assets. A honeynet can be deployed as an internal honeynet or an external honeynet, as required. It should mimic the services actually in use so that it draws attacks away from the real systems. A honeynet has mainly 4 components, as mentioned below.
- Nova user interface
- Honeyd engine
For more details about the honeynet, please refer to https://www.honeynet.org/
HIDS (OSSEC): OSSEC (Open Source HIDS SECurity) is a free, open source host-based intrusion detection system (HIDS). It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting and active response. It provides intrusion detection for most operating systems, including Linux, OpenBSD, FreeBSD, OS X, Solaris and Windows. OSSEC has a centralized, cross-platform architecture that allows multiple systems to be monitored and managed easily, and a log analysis engine that can correlate and analyze logs from multiple devices and formats.
Network monitoring tool: Nagios Core is a free and open source software application that monitors systems, networks and infrastructure. Nagios offers monitoring and alerting services for servers, switches, applications and services. For more details, please refer to https://www.nagios.com/products/nagios-core/attachment/visibility-2/
Red team activities: It is good to use Kali Linux or BackTrack, operating systems that include all the tools required for vulnerability assessment and penetration testing.
Kali (https://www.kali.org/downloads/): Kali Linux is an advanced penetration testing Linux distribution used for penetration testing, ethical hacking and network security assessments. It is the successor to BackTrack.
Commando VM (https://www.fireeye.com/blog/threat-research/2019/03/commando-vm-windows-offensive-distribution.html): Commando VM is a new open source penetration testing virtual machine built on the Windows operating system, with a full set of penetration testing tools preinstalled, and it was built by FireEye.
Forensics: For deeper forensic work such as malware analysis and recovery, there are various Microsoft tools and other open source frameworks, as mentioned below:
Cuckoo Sandbox framework (https://cuckoosandbox.org): Cuckoo is a dynamic malware analysis framework that provides end-to-end analysis of malware with a formatted report, and it supports various plugins such as VirusTotal, IDS and YARA.
REMnux (https://h11dfs.com/the-best-open-source-digital-forensic-tools/): REMnux is an open source reverse engineering virtual machine built with various reverse engineering tools preinstalled.
Ghidra (https://www.nsa.gov/resources/everyone/ghidra/): Ghidra is a software reverse engineering (SRE) framework developed by NSA’s Research Directorate for NSA’s cybersecurity mission. It helps analyze malicious code and malware like viruses, and can give cybersecurity professionals a better understanding of potential vulnerabilities in their networks and systems.
Threat intelligence sharing platforms: Threat intelligence sharing platforms play an important role in detecting attacks and infections based on indicators of compromise (IoCs). They can be integrated into your log management and network monitoring tools to put proper prevention and detection in place.
MISP (Malware Information Sharing Platform) is an open source threat intelligence platform and a set of open standards for threat information sharing. It is built using various tools and technologies such as MySQL, PostgreSQL, shell script and Python.
These are some of the open source tools that can be used depending on requirements and SOC capabilities. They were shortlisted based on ease of use and industry experience. These tools play important roles in running the SOC smoothly and cost effectively.
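As an added example (not code from the original page or from the MISP project), this is the kind of IoC matching the threat intelligence paragraph describes: a small, constructed indicator set of the types a MISP export carries (domain, destination IP, SHA-256) is run over constructed proxy, DNS and EDR log lines. The `IOCS` and `SAMPLE_LOGS` names and every value in them are hypothetical; domain indicators are matched as the host itself or any subdomain of it, which a plain substring match would get wrong.

```python
import re

# Constructed IoC set in the spirit of a MISP export (hypothetical values, not real indicators).
IOCS = {
    "domain": {"bad-updates.example", "cdn.evil-example.net"},
    "ip-dst": {"203.0.113.77"},
    "sha256": {"0123456789abcdef" * 4},
}

# Constructed sample log lines: a proxy access line, two DNS query lines and an EDR file hash line.
SAMPLE_LOGS = [
    "2024-05-01T10:01:02Z proxy src=10.0.0.5 dst=203.0.113.77 host=www.bad-updates.example status=200",
    "2024-05-01T10:01:05Z dns client=10.0.0.9 query=mail.corp.example type=A",
    "2024-05-01T10:02:10Z dns client=10.0.0.9 query=Login.CDN.EVIL-EXAMPLE.NET type=A",
    "2024-05-01T10:03:00Z edr host=ws07 file=C:\\Temp\\inv.exe sha256=" + "0123456789abcdef" * 4,
]

# Candidate extractors: each pulls every token of one indicator type out of a raw log line.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def domain_matches(candidate, ioc_domains):
    """True if candidate equals an IoC domain or is a subdomain of one (case-insensitive)."""
    host = candidate.lower()
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def match_line(line, iocs=IOCS):
    """Return the list of (ioc_type, value) hits for a single log line."""
    hits = []
    for cand in sorted(set(DOMAIN_RE.findall(line))):
        if domain_matches(cand, iocs["domain"]):
            hits.append(("domain", cand.lower()))
    for cand in sorted(set(IPV4_RE.findall(line))):
        if cand in iocs["ip-dst"]:
            hits.append(("ip-dst", cand))
    for cand in sorted(set(SHA256_RE.findall(line))):
        if cand.lower() in iocs["sha256"]:
            hits.append(("sha256", cand.lower()))
    return hits


def scan_logs(lines, iocs=IOCS):
    """Return {line_index: hits} for every line with at least one IoC hit."""
    return {i: h for i, line in enumerate(lines) if (h := match_line(line, iocs))}
```

Feeding the hits into the log management tool as alerts is the integration step the paragraph refers to; the same extractors can be pointed at any line-oriented log source.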