Updated September 7, 2021, to add Chainsaw.
The open source community is hugely active in the security space, with no shortage of well-maintained, enterprise-ready cybersecurity tools that can be put to good use for zero cost. (As BloodHound’s Andy Robbins notes below, too often Blue Teams only become aware of such tools when they are having to defend against them, but could also usefully deploy them.) We’ve curated a selection of 7 free cybersecurity tools below that we think would be useful for CISOs wanting to holistically improve security on a tight budget.
Obvious disclaimer: while we believe these are all maintained by credible teams, use at your own risk.
7 free cybersecurity tools for 2021
Infection Monkey is an open source Breach and Attack Simulation tool that lets you test the resilience of private and public cloud environments to post-breach attacks and lateral movement, using a range of RCE exploiters.
Infection Monkey was created by Israeli cybersecurity firm Guardicore to test its own segmentation offering. Developer Mike Salvatore told told The Stack: “Infection Monkey was inspired by Netflix’s Chaos Monkey.
“Chaos Monkey randomly disables production instances to incentivise engineers to design services with reliability and resilience in mind. We felt that the same principles that guided Netflix to create a tool to improve fault tolerance could be applied to network security. Infection Monkey can be run continuously so that security-related shortcomings in a network’s architecture can be quickly identified and remediated.”
The company recently added a Zero Trust assessment, as well as reports based on the MITRE ATT&CK framework.
The free tool is “self-propagating” and attempts to expose weaknesses in networks. As he explains: “Once Infection Monkey breaches a system, it initiates a new instance of itself and tries to breach other systems.
“As it moves through a network, it reports back to a command and control server to give administrators insight into what kind of lateral movement is possible on their network. Administrators are presented with a graph that shows the target network from an attacker’s point of view, as well as a report with actionable insights and recommendations about how to thwart lateral movement through the network.”
It was also designed to be safe for production environments, with a set of exploits that don’t cause systems to crash or behave in unpredictable ways. (You can see a list of the exploits here).
The few exploits that are not safe for production environments are clearly marked.
Among its many uses, you could run Infection Monkey on the workstation of a staffer who tends to always fall victim to phishing campaigns and see how it behaves with their credentials. As Salvatore notes: “You might find that their workstation has access to databases or other resources that they don’t need to do their job. Armed with this information, you can apply network segmentation policies or other security controls that can help mitigate the risk they pose to your network between now and when you can get them properly trained.”
policy-bot is a GitHub Application open sourced by Palantir under an Apache 2.0 licence and designed to enable complex change approval workflows. As Palantir CISO Dane Stuckey notes on Twitter: “If you’re staring at your CI/CD pipeline and wondering how to better secure it, I highly recommend
While GitHub natively supports required reviews,
policy-bot “provides more complex approval features”, its team notes in the GitHub repo, along with a UI to view the detailed approval status of any pull request.
- Require reviews from specific users, organizations, or teams
- Apply rules based on the files, authors, or branches involved in a pull request
- Combine multiple approval rules with
- Automatically approve pull requests that meet specific conditions
You can best understand the importance of this tool by contextualising it against a rising trend towards Infrastructure as Code (IaC); a way of managing IT infrastructure using machine-readable configuration files which are often versioned and store in GitHub to enable full traceability of configuration changes.
Stuckey spelled out some of the threats arising from the increasingly common deployment of IaC — which removes the explicit trust boundaries across different tiers of infrastructure that most organisations are familiar with– in comprehensive paper for the “SANS Institute Information Security Reading Room”.
As he noted in that paper: “In many organizations, management of virtual desktop infrastructure, business-critical systems, and domain controllers may happen using the same user account, GitHub Enterprise code repository, and Terraform instance … an attacker, if they can compromise a DevOps member’s GitHub Enterprise account, can attack infrastructure across all three tiers without traditional exploitation or escalation techniques.”
This means organisations need to keep a closer eye than ever on changes to code bases in GitHub.
You can get
policy-bot for free and more documentation here.
BloodHound is a tool for mapping both explicit and complex hidden relationships in an Active Directory environment (initially on-premises only, but now in Azure too), to let IT teams identify and eliminate potential attack paths. It was first revealed at DEFCON 24 in 2016 and has been regularly updated since by its primary authors, Andy Robbins, Rohan Vazarkar, Will Schroeder of security firm SpecterOps.
The tool has been forked over 1,000 times and has over 5,000 stars on GitHub. BloodHound is downloaded from GitHub approximately 100 times a day, Robbins told The Stack. A dedicated Slack community for the tool has a helpful community of over 7,700 users.
We spoke to Andy Robbins about the tool’s genesis. He said: “We come from a red team background and found ourselves in the same situation over and over again: we’d establish initial access, then use the same methodology to achieve Domain Admin access. That methodology goes by several names – credential shuffle, derivative local admin, and identity snowball attack. Different names, same technique: steal credentials, scan the whole network to see where you now have admin rights, guess which machine you should pivot to next, steal credentials, scan the whole network again, etc., repeat until you get Domain Admin.
“That methodology was effective but tedious and ‘loud’. One day I sat down to lunch with a friend and explained this problem to him – we could gather all the info we needed to automate this process, but we didn’t know how to automate the analysis portion. He introduced me to graph theory, and I spent the next month designing a graph design that would allow us to build our initial POC that relied on data collected from another tool, PowerView. That initial POC was called “PowerPath” – https://github.com/andyrobbins/PowerPath. With that initial POC, we knew we had a great idea on our hands. At that point, Rohan Vazarkar joined the effort and built a proper GUI for the tool and re-wrote the data collection piece into a tool called SharpHound. A few months of building and testing later, we were on stage at DEF CON talking about and releasing the tool.
Many tools like this are built and widely used by red teams, but their utility in strengthening enterprise defence is huge. As Robbins notes: “A lot of people on the blue team side learn about the tool when it is being used against them either by a professional or by a real adversary. But the reality is that BloodHound can provide much more value to the blue team than it ever can to the red team, as it shows the blue team what attack paths exist in their environments so they can clean them up before the adversary can discover and exploit those attack paths.
Post-Solarwinds, awareness has grown around how hard it is to audit AD permissions. (From CISA to CrowdStrike, organisations have been dropping free tools to help Windows admins and others ensure they have good visibility into their AD environments.) As Robbins notes, these and BloodHound are vital: “The built-in tools in Azure and on-prem, ‘vanilla’ Active Directory make reviewing permissions a frustrating, confusing, opaque process. Reviewing permissions against any given object is a pain, reviewing permissions across an entire enterprise is a non-starter for most organizations.
“There are simple questions that the built-in tooling simply cannot answer such as, ‘Including through group delegation, who has admin rights on this computer?’, or ‘Which objects in AD does this user have control of?’ — these questions are very easy to answer with BloodHound just by clicking on built-in queries, but virtually impossible to answer with built-in tooling. What’s worse, built-in tooling cannot tell you what attack paths exist in the environment, and cannot tell you the impact of any given privilege or user action”, says Andy Robbins.
“BloodHound ‘knows’ all the attack path possibilities in AD, so it ‘knows’ that because, for example, a Domain Admin logged onto a particular system, that that has opened up several million attack paths allowing any authenticated user to compromise the entire environment.
With a slick UI, you can also integrate it with threat intel from a wide range of other sources: e.g. FireEye, Kaspersky, MITRE ATT&CK, etc.
Hassine told The Stack: “OpenCTI contains detection and remediation guidelines for different classifications of threats. Organisations can select the threat data that is most relevant to their industry and their security posture and configure it with different confidence levels. When investigating an alert or threat indicator, analysts can refer to OpenCTI to see the signature of a threat and review context about it — such as its attribution to threat actors and tactics used by targets in response.
“What makes this platform different is that its own data hub is growing as the product matures. OpenCTI constantly maintains its data source connectors and follows a once-a-month release cadence for the platform. This flexibility means that organisations can choose the data feeds that best fit their needs as they don’t have to take everything available. They can take intelligence relevant to a market, vertical, or threat vector.”
He added: Security analysts depend on third-party threat intelligence to help detect and analyse threats. However, like other security data pipeline challenges, aggregating, correlating and analysing data from multiple sources can be a complicated process. This is a challenge that I have experienced myself while working for the French government and that’s why it has become a personal mission for me to provide a solution.”
nuclei is a fast and customisable vulnerability scanner based on simple YAML-based vulnerability templates. It has two components, nuclei engine – the core of the project allows scripting HTTP / DNS / Network / Headless / File protocols based checks in a very simple to read-and-write YAML-based format.
As Sandeep Singh, one of nuclei’s creators and the CTO at open source security company ProjectDiscovery tells The Stack: “Traditional scanners always lacked the features to allow easy-to-write custom checks on top of their engine, this is how we started developing nuclei with a core focus on simplicity, modularity, and the ability to scan on a large number of assets.
“We wanted something that was simple enough to be used by everyone while complex enough to integrate into the modern web with all its intricacies. The features implemented in nuclei are tailored to allow very rapid prototyping of complex security checks.”
nuclei is in active development, with fresh releases pushed nearly every other week. As Singh adds: “The community is playing a major role in driving this project by writing and contributing huge numbers of nuclei templates, which includes 600+ templates in total and 200+ checks for CVEs identification + actively participating in development reporting bugs, requesting features, etc are all implemented in the core.
nuclei is open sourced under an MIT licence. Documentation is at https://nuclei.projectdiscovery.io/. As Singh notes: “We recently set up a dedicated public discord server for our community for support/discus/feedbacks available at https://discord.gg/projectdiscovery and we’re pretty active on Twitter too @pdnuclei.
Conjur is a secrets management solution tailored for the infrastructure requirements of native cloud and DevOps environments. It can be used as a way of centrally managing secrets across tools, apps, containers, and clouds using policy-based role-based access control (RBAC), with full audit trails, as well as for spotting and removing hard-coded secrets from DevOps tools in CI/CD environments. The company that built it was bought by Israel’s CyberArk in 2017, but CyberArk continues to regularly update and maintain the open source version.
Conjur has native integrations with most DevOps tools (from Jenkins to Ansible, Puppet, to AWS or OpenShift)
Designed to run in a Docker container(s), using Postgres as the backing data store, Conjur automates machine identity provisioning, authorisation of privileged access, service account control, and machine-to-machine connectivity. You can use Conjur in the runtime environment to perform tasks such as assigning machine identity to VMs and containers, fetching and injecting secrets, and protecting web services.
Chainsaw, developed at F-Secure, is a tool to search event logs for breach detections. It is written in Rust and accessible via command line.
Searching and hunting features for Blue Teams in Chainsaw include the ability to search through event logs by event ID, keyword, and regex patterns; extraction and parse of Windows Defender, F-Secure, Sophos, and Kaspersky AV alerts; detect key event logs being cleared, or the event log service being stopped; users being created or added to sensitive user groups; brute-force of local user accounts; RDP logins, network logins etc., and Sigma rule detection against a wide variety of Windows event IDs.
As a simple and fast method of triaging Windows event logs, identifying interesting elements within the logs and applying a detection logic rule format (such as Sigma) to detect signs of malicious activity, it should be in all Blue Teams’ arsenals.