Irish Information Security Forum

Tools to Quickly Detect a Potential Intrusion

Each entry below gives the service, its skill level, the owner, a description and a link.

Service: Blumira's Free SIEM
Skill level: Basic
Owner: Blumira
Description: Blumira's Free SIEM provides detection and response coverage for up to 3 cloud integrations, including M365, Duo, SentinelOne, Umbrella, Webroot and Mimecast. It is free for unlimited users and also provides two weeks of log data retention.
Link: Pricing | Blumira

Service: CodeSec
Skill level: Basic
Owner: Contrast Security
Description: CodeSec can serve as a static analysis tool for Java and .NET. The offering can test and protect third-party open-source code moving through the supply chain, with continuous monitoring in production. The tool can also find code security, open-source security and permission issues.
Link: Developer Central | Contrast Security

Service: Cascade (MITRE ATT&CK)
Skill level: Basic
Owner: MITRE
Description: Built on the MITRE ATT&CK framework, the prototype CASCADE server handles user authentication, runs analytics and performs investigations. The server runs analytics against data stored in Splunk or Elasticsearch to generate alerts. Alerts trigger a recursive investigative process in which several ensuing queries gather related events.
Link: GitHub - mitre/cascade-server: CASCADE Server

Service: Atomic Red Team
Skill level: Basic
Owner: Red Canary
Description: A library of tests mapped to the MITRE ATT&CK framework. Security teams can use Atomic Red Team to quickly, portably and reproducibly test their environments.
Link: GitHub - redcanaryco/atomic-red-team: Small and highly portable detection tests based on MITRE's ATT&CK.

Service: Red Team Automation (RTA)
Skill level: Basic
Owner: Endgame
Description: A framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, leveraging the MITRE ATT&CK framework.
Link: GitHub - endgameinc/RTA

Service: Suricata
Skill level: Advanced
Owner: Open Information Security Foundation (OISF)
Description: Suricata is open-source network analysis and threat detection software used to protect users' assets. Suricata uses deep packet inspection to perform signature-based detection, full network protocol and flow record logging, file identification and extraction, and full packet capture of network traffic.
Link: Home - Suricata

Service: WiFi Network Security
Skill level: Advanced
Owner: Aircrack-ng
Description: This offering is a suite of tools for assessing WiFi network security, covering monitoring, attacking, testing and cracking. All tools are command line, which allows for heavy scripting. The suite must be downloaded from the browser.
Link: www.aircrack-ng.org

Service: Zed Attack Proxy (ZAP)
Skill level: Advanced
Owner: OWASP
Description: This integrated penetration testing tool is used for finding vulnerabilities in web applications. It is designed for users with a wide range of security experience.
Link: OWASP ZAP (zaproxy.org)

Service: Network Mapper (Nmap)
Skill level: Basic
Owner: NMAP
Description: Nmap is a utility for network discovery and security auditing. It uses raw IP packets to determine which hosts are available on the network, which services (application name and version) those hosts offer, which operating systems (and OS versions) they run, and what type of packet filters or firewalls are in use.
Link: Nmap: the Network Mapper - Free Security Scanner

Service: Cyber Readiness Check (CRC)
Skill level: Basic
Owner: Project Spectrum
Description: Organizations must create an account to access this free service. The tool helps organizations determine their current level of security.
Link: Project Spectrum

Service: Perception Point
Skill level: Basic
Owner: Perception Point
Description: Perception Point's Free Email Security Plan protects organizations from threats entering the organization via email and other collaboration channels. The plug-and-play deployment does not require any change to existing infrastructure. Once implemented, users can see within minutes how Perception Point's free advanced email security catches threats.
Link: Free Email Security Plan - Perception Point (perception-point.io)

Service: Semperis Purple Knight
Skill level: Basic
Owner: Semperis
Description: Purple Knight queries an organization's Active Directory environment and performs a comprehensive set of tests against the most common and effective attack vectors to uncover risky configurations and security vulnerabilities. Users receive prioritized corrective guidance, including a mapping of indicators of exposure to the MITRE ATT&CK framework, to close gaps before attackers exploit them.
Link: Purple Knight | Evaluate the security of your Active Directory. (purple-knight.com)

Service: Microsoft Defender Antivirus
Skill level: Basic
Owner: Microsoft
Description: This tool protects against and detects endpoint threats, including file-based and fileless malware. It is built into Windows 10 and 11 and into versions of Windows Server.
Link: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows

Service: Microsoft Safety Scanner
Skill level: Basic
Owner: Microsoft
Description: Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. It runs scans to find malware and tries to reverse changes made by identified threats.
Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Service: Windows Malicious Software Removal Tool
Skill level: Basic
Owner: Microsoft
Description: Microsoft releases this tool monthly as part of Windows Update or as a standalone download. It finds and removes specific prevalent threats and reverses the changes they have made.
Link: https://support.microsoft.com/en-us/topic/remove-specific-prevalent-malware-with-windows-malicious-software-removal-tool-kb890830-ba51b71f-39cd-cdec-73eb-61979b0661e0

Service: MSTICPy
Skill level: Basic
Owner: Microsoft
Description: MSTICPy is a SIEM-agnostic package of Python tools for security analysts, supporting investigations and threat hunting. It is primarily designed for use in Jupyter notebooks.
Link: https://msticpy.readthedocs.io/en/latest/

Service: Google Safe Browsing
Skill level: Basic
Owner: Google
Description: This service identifies known phishing and malware sites across the web and helps notify users and website owners of potential harm. It is integrated into many major products and provides tools for webmasters.
Link: https://safebrowsing.google.com

Service: Coalition Control Scanning
Skill level: Basic
Owner: Coalition Control
Description: Coalition Control is your account home and includes free attack surface scanning and ongoing monitoring of your organization from the outside in. When vulnerabilities are identified, the tool shows where they are and how to fix them. Upgraded scanning requires the user to be a Coalition insurance policyholder.
Link: Coalition Control (coalitioninc.com)

Service: Security Onion
Skill level: Basic
Owner: Open source
Description: Security Onion is a free and open Linux distribution for threat hunting, enterprise security monitoring and log management. The easy-to-use setup wizard lets you build an army of distributed sensors for your enterprise. Security Onion includes Elasticsearch, Logstash, Kibana, Suricata, Zeek (formerly known as Bro), Wazuh, Stenographer, CyberChef, NetworkMiner and many other security tools.
Link: Security Onion Solutions

Service: Syft
Skill level: Advanced
Owner: Anchore
Description: Syft is a CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. It also supports CycloneDX, SPDX and JSON output formats. Syft can be installed and run directly on the developer machine to generate SBOMs for software being developed locally, or it can be pointed at a filesystem.
Link: https://github.com/anchore/syft

Service: Grype
Skill level: Advanced
Owner: Anchore
Description: Grype is an open-source vulnerability scanner for container images and filesystems that can be used to find zero-day vulnerabilities such as the Log4j vulnerability.
Link: https://github.com/anchore/grype

Service: Hedgehog
Skill level: Advanced
Owner: Malcolm
Description: Hedgehog Linux is a Debian-based operating system built to monitor network interfaces, capture packets to PCAP files, detect file transfers in network traffic, extract and scan those files for threats, and generate and forward Zeek logs.
Link: https://github.com/idaholab/Malcolm

Service: Malcolm
Skill level: Advanced
Owner: CISA
Description: Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs.
Link: https://github.com/cisagov/Malcolm

Service: ICS Network Protocol Parsers
Skill level: Advanced
Owner: CISA
Description: The Industrial Control Systems Network Protocol Parsers (ICSNPP) project, compatible only with Zeek, is an ongoing effort to provide open-source tools that give asset owners, operators and OT security teams greater operational network and process-level visibility.
Link: https://github.com/cisagov/ICSNPP

Service: Lumu Free
Skill level: Advanced
Owner: Lumu Technologies
Description: Lumu Free offers continuous monitoring across the network by leveraging multiple sources of metadata (DNS, proxy, firewall). Organizations can uncover contact with malicious infrastructure, enabling threat mitigation and attack prevention. Malicious incidents can be labelled to ensure prioritization according to an organization's risk tolerance.
Link: Lumu

Service: Mandiant Red Team and Investigative Tools
Skill level: Advanced
Owner: Mandiant
Description: These tools are designed to confirm and investigate suspected security compromises.
Link: https://github.com/Mandiant

Service: Splunk Connect for Syslog
Skill level: Advanced
Owner: Splunk
Description: This tool gets syslog-based data into Splunk and includes functions for data filtering and parsing.
Link: https://splunkbase.splunk.com/app/4740/#/overview

Service: Enterprise Log Search and Archive (ELSA)
Skill level: Advanced
Owner: Open source
Description: Enterprise Log Search and Archive (ELSA) is a three-tier log receiver, archiver, indexer and web front end for incoming syslog.
Link: https://github.com/mcholste/elsa

Service: Mandiant Azure AD Investigator
Skill level: Advanced
Owner: Mandiant
Description: This repository contains a PowerShell module for detecting artifacts that may be indicators of UNC2452 and other threat actor activity. Some indicators are "high-fidelity" indicators of compromise; other artifacts are so-called "dual-use" artifacts, which may be related to threat actor activity but may also be related to legitimate functionality.
Link: https://github.com/mandiant/Mandiant-Azure-AD-Investigator

Service: VirusTotal
Skill level: Advanced
Owner: Google
Description: VirusTotal inspects items with over 70 antivirus scanners and URL/domain blocklisting services, in addition to a variety of tools, to extract signals from the studied content. Users can select a file from a computer via the browser and send it to VirusTotal. Submissions may be scripted in any programming language using the HTTP-based public API.
Link: https://support.virustotal.com/hc/en-us/articles/115002126889-How-it-works

Service: Netfilter
Skill level: Advanced
Owner: Open source
Description: Netfilter is a packet filter implemented in the standard Linux kernel. The user-space iptables tool is used for configuration. It supports packet filtering (stateless or stateful), many kinds of network address and port translation (NAT/NAPT), and multiple API layers for third-party extensions. It includes many modules for handling unruly protocols such as FTP.
Link: https://www.netfilter.org/

Service: Wireshark
Skill level: Advanced
Owner: Open source
Description: Wireshark is an open-source, multi-platform network protocol analyzer that lets users examine data from a live network or from a capture file on disk. Users can interactively browse capture data, drilling down to just the level of packet detail needed. Wireshark's features include a rich display filter language and the ability to view the reconstructed stream of a TCP session. It also supports hundreds of protocols and media types.
Link: https://www.wireshark.org/

Service: Ettercap
Skill level: Advanced
Owner: Open source
Description: Ettercap is a suite for adversary-in-the-middle attacks on a LAN that includes sniffing of live connections, on-the-fly content filtering and many other features. It supports active and passive dissection of many protocols (including encrypted protocols) and includes many features for network and host analysis.
Link: http://ettercap.sourceforge.net/

Service: Kismet
Skill level: Advanced
Owner: Open source
Description: Kismet is a console (ncurses) based 802.11 layer-2 wireless network detector, sniffer and intrusion detection system. It identifies networks by passively sniffing and can decloak hidden (non-beaconing) networks if they are in use. It can automatically detect network IP blocks by sniffing TCP, UDP, ARP and DHCP packets, log traffic in Wireshark/tcpdump-compatible format, and even plot detected networks and estimated ranges on downloaded maps.
Link: https://www.kismetwireless.net/

Service: Snort
Skill level: Advanced
Owner: Cisco
Description: This network intrusion detection and prevention system performs traffic analysis and packet logging on IP networks. Through protocol analysis, content searching and various pre-processors, Snort detects thousands of worms, vulnerability exploit attempts, port scans and other suspicious behaviour. Snort uses a flexible rule-based language to describe the traffic it should collect or pass, and a modular detection engine. The related free Basic Analysis and Security Engine (BASE) is a web interface for analyzing Snort alerts.
Link: https://www.snort.org/

Service: sqlmap
Skill level: Advanced
Owner: Open source
Description: sqlmap is an open-source penetration testing tool that automates the detection and exploitation of SQL injection flaws and the takeover of back-end database servers. It offers a broad range of features, from database fingerprinting to fetching data from the database, accessing the underlying file system and executing OS commands via out-of-band connections.
Link: http://sqlmap.org/

Service: RITA
Skill level: Advanced
Owner: Open source
Description: Real Intelligence Threat Analytics (RITA) is an open-source framework for detecting command and control communication through network traffic analysis. RITA ingests Zeek logs, or PCAPs converted to Zeek logs, for analysis.
Link: https://www.activecountermeasures.com/free-tools/rita/

Service: Secureworks Dalton
Skill level: Advanced
Owner: Secureworks
Description: Dalton lets a user run network packet captures against a network sensor of their choice using defined rulesets and/or bespoke rules. Dalton covers Snort, Suricata and Zeek analysis in one system.
Link: https://github.com/secureworks/dalton

Service: Elastic SIEM
Skill level: Advanced
Owner: Elastic
Description: Elastic SIEM is an application that provides security teams with visibility, threat hunting, automated detection and Security Operations Center (SOC) workflows. It is included in the default distribution of the most successful logging platform, the Elastic (ELK) Stack. It ships with out-of-the-box detection rules aligned with the MITRE ATT&CK framework to surface threats often missed by other tools. Created, maintained and kept up to date by the security experts at Elastic, these rules automatically detect and address the latest threat activity. Severity and risk scores associated with signals generated by the detection rules enable analysts to rapidly triage issues and focus on the highest-risk work.
Link: Elastic SIEM: free and open for security analysts everywhere | Elastic Blog

If you are interested in finding out more about the IISF, or would like to attend one of our Chapter Meetings as an invited guest, please contact the IISF Secretary:

By email: secretary@iisf.ie

By post:
David Cahill
Information Security
GPO, 1-117
D01 F5P2