Free cybersecurity tools for all your needs

There are enough quality gratis cybersecurity tools to make this free tool treasure hunt worth your while

Photo: Alexander Baxevanis (CC BY 2.0)

There are more free information security tools than you can highlight with a fistful of whiteboard pointers. While many are trialware-based enticements designed to lure decision makers into purchasing the pricey premium counterparts of these freebies, many others are full-blown utilities. A few important categories include threat intelligence tools, tools that build security in during the development stage, penetration testing tools, and forensics tools.

Threat intelligence tools include AlienVault’s Open Threat Exchange, which collects and shares online threat intelligence, along with the Hailataxii and Cymon.io threat exchanges. There are a variety of SAST (Static Application Security Testing) tools that test the application code developers write, whether in C/C++, Ruby on Rails, or Python. For penetration testing, we present the Nmap Security Scanner and the broadly useful Wireshark network protocol analyzer. Specific forensics products include the GRR remote forensic framework; Autopsy and SleuthKit, which analyze hard drives and smartphones; and the Volatility Foundation’s open source framework for memory analysis/forensics.


Threat intelligence tools

Threat intelligence includes the kind of information that security vendors might use to create signatures for specific threats for their detection tools. AlienVault offers the Open Threat Exchange service/community, which collects and shares online threat intelligence among "more than 47,000 participants in 140 countries who contribute more than 4 million threat indicators daily." This sharing helps enterprises and security vendors at all levels to stay current on new threats as they appear.

“The AlienVault OTX does a great job at sharing IoCs (Indicators of Compromise),” says Ben Cotton, CISSP, CEO at CyTech Services, which assisted the OPM in its now infamous information security breach response. Security products receiving the OTX pulse can add detection for the new IoCs.

There are of course other notable intelligence repositories. “Hailataxii.com, another threat exchange, is an open source repository for STIX data,” says Cotton. STIX (Structured Threat Information eXpression) is an XML-based language for describing cyber threat information, and TAXII (Trusted Automated eXchange of Indicator Information) is the transport mechanism that shares the STIX data.

Cymon.io, an open source threat intelligence aggregator provided by eSentire, works as a reputation database of web domains and IP addresses that its open community members have reported as sources of malicious activity and infection, according to the Cymon and eSentire websites.

According to the Cymon and eSentire company websites, Cymon ingests 180-plus sources daily including publicly available industry, government, and commercial threat intelligence feeds, VirusTotal, Phishtank, blacklists, antivirus vendor source reports, and eSentire’s proprietary intelligence lists. Using information from these lists, Cymon tracks malware, phishing, botnets, and spam, adding over 20,000 unique IPs to its database each day; to date, Cymon has logged more than 6 million IP addresses and more than 33.7 million security events, according to the company website data.

“Cymon.io is good at what it does. I would put them in the same category as AlienVault OTX and Hailataxii,” says Cotton.
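The practical value of a feed like OTX is that the indicators it carries can be turned directly into detections, as the quote about security products receiving the OTX pulse notes. As an added illustration, not code from AlienVault, Cymon or the article, the following Python loads a constructed indicator set in a simplified pulse-like JSON layout (the `indicators`, `type` and `indicator` field names follow the shape of OTX pulses; the values, the log format and the helper names are assumptions) and matches it against constructed proxy and antivirus log lines.

```python
import ipaddress
import json
import re

# Constructed indicator set in a simplified pulse-like JSON layout.
# The values are placeholders (RFC 5737 documentation addresses, a reserved
# example domain and a made-up hash), not real indicators.
FAKE_SHA256 = "c0ffee" * 10 + "c0ff"  # 64 hex characters, clearly not a real hash
PULSE_JSON = json.dumps({
    "name": "Constructed example pulse",
    "indicators": [
        {"type": "IPv4", "indicator": "203.0.113.7"},
        {"type": "domain", "indicator": "bad.example"},
        {"type": "FileHash-SHA256", "indicator": FAKE_SHA256},
    ],
})

# Constructed log lines: two proxy records and one antivirus record.
LOG_LINES = [
    "2016-03-01T10:02:11Z proxy src=10.0.0.5 dst=198.51.100.20 host=www.example.org status=200",
    "2016-03-01T10:02:15Z proxy src=10.0.0.5 dst=203.0.113.7 host=cdn.bad.example status=200",
    "2016-03-01T10:03:40Z av file=C:\\Users\\a\\dl.exe sha256=" + FAKE_SHA256 + " verdict=clean",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def load_indicators(pulse_json):
    """Group indicator values by type; indicator types this matcher does not handle are ignored."""
    iocs = {"IPv4": set(), "domain": set(), "FileHash-SHA256": set()}
    for entry in json.loads(pulse_json)["indicators"]:
        if entry["type"] in iocs:
            iocs[entry["type"]].add(entry["indicator"].lower())
    return iocs


def matching_domain(host, domains):
    """Return the listed domain that `host` equals or is a subdomain of, else None."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def match_line(line, iocs):
    """Return a list of (type, indicator) hits found in one log line."""
    hits = []
    for ip in IPV4_RE.findall(line):
        try:
            ipaddress.IPv4Address(ip)  # drop dotted quads with octets over 255
        except ValueError:
            continue
        if ip in iocs["IPv4"]:
            hits.append(("IPv4", ip))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in iocs["FileHash-SHA256"]:
            hits.append(("FileHash-SHA256", digest.lower()))
    for host in HOST_RE.findall(line):
        hit = matching_domain(host, iocs["domain"])
        if hit:
            hits.append(("domain", hit))
    return hits


def scan_logs(lines, iocs):
    """Return (line_number, type, indicator) for every hit across the log."""
    return [(n, kind, value)
            for n, line in enumerate(lines, start=1)
            for kind, value in match_line(line, iocs)]


if __name__ == "__main__":
    for lineno, kind, value in scan_logs(LOG_LINES, load_indicators(PULSE_JSON)):
        print(f"line {lineno}: {kind} indicator {value}")
```

Domain indicators are matched on the registered domain and its subdomains, which is how a proxy log entry for `cdn.bad.example` lands on the `bad.example` indicator; hashes are compared case-insensitively because feeds and AV logs disagree on case.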

Development tools to build security in during the development stage

A variety of open source SAST tools let coders test the software applications they write while they are still developing them. “The most popular tools in the Java world are FindBugs and PMD,” says Meera Subbarao, senior principal consultant at Cigital.

“The majority of these tools have plugins for the developer’s IDE, which makes it easy for them to build applications more securely,” says Subbarao. There are also tools for Python, Ruby on Rails, C/C++, JavaScript, .NET, and more.
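To show what a static analysis tool is actually doing when it runs inside a developer's IDE, here is an added Python example (not FindBugs, PMD or any tool named in the article) that parses a constructed source file with the standard library `ast` module and flags three well-known risky call patterns: string evaluation, unpickling of input, and commands passed through a shell. The rule identifiers and the sample source are made up for the illustration.

```python
import ast

# Constructed sample source to scan; the comments mark what a reviewer would flag.
SAMPLE_SOURCE = '''
import subprocess, pickle
def run(cmd):
    subprocess.call(cmd, shell=True)        # command string handed to a shell
def load(blob):
    return pickle.loads(blob)               # deserializing untrusted bytes
def calc(expr):
    return eval(expr)                       # evaluating a string as code
def safe(cmd):
    subprocess.call(["ls", "-l", cmd])      # argument list, no shell: not flagged
'''


def dotted_name(node):
    """Render `pkg.mod.func` for a call target, or '' if it is not a plain name/attribute chain."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def has_shell_true(call):
    """True when the call passes the literal keyword argument shell=True."""
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
               for kw in call.keywords)


class RiskyCallFinder(ast.NodeVisitor):
    """Collects (line, rule_id, message) for a few well-known dangerous call patterns."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in ("eval", "exec"):
            self.findings.append((node.lineno, "dynamic-eval", f"{name}() executes a string as code"))
        elif name in ("pickle.load", "pickle.loads"):
            self.findings.append((node.lineno, "unsafe-deserialize", f"{name}() can run code from the input"))
        elif name == "os.system" or (name.startswith("subprocess.") and has_shell_true(node)):
            self.findings.append((node.lineno, "subprocess-shell", f"{name}() passes a command through a shell"))
        self.generic_visit(node)  # keep descending: calls can nest inside arguments


def scan_source(source):
    """Parse Python source and return findings sorted by line number."""
    finder = RiskyCallFinder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings)


if __name__ == "__main__":
    for line, rule, message in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: [{rule}] {message}")
```

The list-argument `subprocess.call` in `safe()` is deliberately left unflagged: a useful SAST rule distinguishes the shell form from the argument-vector form rather than reporting every process launch, which is the difference between a finding developers act on and one they learn to ignore.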

Penetration (pen) testing tools

Penetration testing tools find the security holes for you, hopefully before the hackers do. Security gurus often use the open-source Nmap Security Scanner, which Gordon Lyon developed and maintains, to scan ports and locate network vulnerabilities. “The granddaddy of all free open source scanner tools, Nmap is still highly effective for network vulnerability analysis,” says Cotton. While Nmap scales well for scanning large networks, it doesn’t include any facility for incident response.


The broadly useful Wireshark network protocol analyzer, which Gerald Combs initially developed and which Riverbed now largely supports, is another popular free penetration testing tool. “Wireshark is probably the best network packet sniffing analyzer out there,” says Cotton. Wireshark does not scale well for capture files greater than 100MB in size.

Forensic tools

Forensics tools enable the enterprise to investigate security incidents, whether past or in progress. Google’s free open-source GRR remote forensic framework enables live incident response via interactions between GRR’s Python servers and its Python agents. You can use GRR agents on Windows, Linux, and OS X systems to run forensics on system memory contents. While this is a good tool, there is a question of scalability when it comes to applying GRR across the enterprise. “I would feel comfortable handling 10 machines using the free GRR,” says Cotton.

A pair of tools often used together, the Autopsy and SleuthKit forensics products from various developers including Brian Carrier and @stake analyze computer hard drives and smartphones as well as drive images. The developers offer versions for Windows, Linux, and Mac. “While these are sound and capable forensic tools for one or two computers, Autopsy and SleuthKit don’t have the scalability to go out across the network and be effective,” says Cotton.

Another memory analysis tool, the Volatility Foundation’s open source framework, is a good choice for analysis/forensics rooted in dissecting “the runtime state of a system using the data found in volatile storage (RAM).”

“Volatility allows you to capture memory from most flavors of Windows and dump information on processes, open ports, and network connections. There is also some logic built into Volatility to assist with identifying malware running in memory,” says Greg Kelley, EnCE, DFCP, Vestige Digital Investigations.

“I highly recommend the Volatility Foundation’s open source framework for memory analysis. The flaw is that you have to first create the memory image before you can do the analysis, so you have to be able to do a mem (memory) dump or something like that and get an image of the active RAM and then run it through Volatility and analyze it. Volatility sets the standard for what I call offline memory forensics,” explains Cotton.
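To make concrete what dissecting the runtime state of a system from a RAM image involves, and why Kelley notes that memory tools help identify malware running in memory, here is an added Python example that is not Volatility code and not from the article. It builds a tiny constructed memory image containing three fake process records linked into a list, one of which has been unlinked, and compares the two ways memory forensics tools typically enumerate processes: walking the linked list the operating system maintains, and scanning the whole image for the record signature. The record layout, the `PROC` tag, the names and all offsets are made up for the illustration.

```python
import re
import struct

# Constructed record layout (not a real kernel structure):
#   4-byte tag | 4-byte pid | 16-byte name | 4-byte offset of next record (flink)
TAG = b"PROC"
RECORD = struct.Struct("<4sI16sI")
LIST_HEAD = 0x40  # offset of the first record in the constructed image


def build_image():
    """Build a 256-byte fake memory image with two linked and one unlinked process record."""
    image = bytearray(0x100)
    records = {
        0x40: (4, b"System", 0x80),         # links to 0x80
        0x80: (312, b"svchost.exe", 0x40),  # links back to the head: the list is circular
        0xC0: (9001, b"hidden.exe", 0),     # present in memory but unlinked from the list
    }
    for offset, (pid, name, flink) in records.items():
        image[offset:offset + RECORD.size] = RECORD.pack(TAG, pid, name, flink)
    return bytes(image)


def read_record(image, offset):
    """Decode one record; refuse offsets that do not carry the signature."""
    tag, pid, name, flink = RECORD.unpack_from(image, offset)
    if tag != TAG:
        raise ValueError(f"no process record at offset {offset:#x}")
    return pid, name.rstrip(b"\x00").decode(), flink


def walk_process_list(image, head=LIST_HEAD):
    """pslist-style: follow flink pointers from the head until the list wraps, ends or runs off the image."""
    seen, visited, offset = [], set(), head
    while offset and offset not in visited and offset + RECORD.size <= len(image):
        visited.add(offset)
        pid, name, flink = read_record(image, offset)
        seen.append((pid, name))
        offset = flink
    return seen


def scan_for_records(image):
    """psscan-style: find every record signature in the image, linked or not."""
    found = []
    for match in re.finditer(re.escape(TAG), image):
        offset = match.start()
        if offset + RECORD.size <= len(image):
            pid, name, _ = read_record(image, offset)
            found.append((pid, name))
    return found


def hidden_processes(image, head=LIST_HEAD):
    """Records found by scanning but absent from the linked list: the classic unlink-hiding case."""
    listed = set(walk_process_list(image, head))
    return [proc for proc in scan_for_records(image) if proc not in listed]


if __name__ == "__main__":
    image = build_image()
    print("linked list   :", walk_process_list(image))
    print("signature scan:", scan_for_records(image))
    print("hidden        :", hidden_processes(image))
```

The discrepancy between the two listings is the detection: anything the signature scan finds that the list walk does not is either a stale record from an exited process or something that was deliberately unlinked, and an analyst checks which. This is also why, as Cotton says, the image has to be captured first: both passes need the raw contents of RAM, not the running system's own answer to "what processes exist".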

How a smidgen of free security software goes a long way

These examples are hardly a sampling of what must be thousands of free tools once you include all open source projects and trialware that are available from around the globe. Some due diligence and digging will do your enterprise good, to find a tool or two to fill a vacancy at a savings or to compare features and question whether you should be expecting more from premium tool vendors.

This story, "Free cybersecurity tools for all your needs" was originally published by CSO.

Copyright © 2016 IDG Communications, Inc.