Cyber Security Tools
Caldera
Caldera is an open-source platform that is designed to simulate various cyber attack techniques and tactics in a controlled environment. It allows for the testing and evaluation of detection, analysis and response platforms, and provides valuable information to help improve cyber security defences.
Caldera was developed and is maintained by the MITRE corporation and is built upon the MITRE ATT&CK framework.
Useful Links
OpenSSL
OpenSSL is a cryptographic library that contains an open-source implementation of the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols. It is available on numerous platforms including Microsoft Windows, Linux and macOS. It provides functions to generate private keys, along with their associated public keys, manage certificates, and equip client applications with encryption and decryption capabilities, allowing for secure communications over computer networks, such as the Internet.
It is possible to check the version of OpenSSL installed on a system at a command prompt as follows.
openssl version -a
The below example uses the RSA asymmetric encryption algorithm to generate a private key, which is placed in a file called 'private.key'.
openssl genpkey -algorithm rsa -out private.key
The public key, corresponding to the private key just created, can then be derived.
openssl rsa -pubout -in private.key -out public.key
Someone else's public key can be used to encrypt a message to them. Here, their public key is contained in 'another-public.key', with the message to be encrypted contained in 'message.txt'. The encrypted message is output to the file 'message.enc'.
openssl pkeyutl -encrypt -inkey another-public.key -pubin -in message.txt -out message.enc
If a message is encrypted with your public key, it can be decrypted with your corresponding private key.
openssl pkeyutl -decrypt -inkey private.key -in message.enc -out message.txt
Here, the private key to decrypt the message is contained in 'private.key', with the encrypted message in 'message.enc'. The file 'message.txt' will contain the decrypted version of the message.
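The key generation, encryption and decryption commands above, run end to end as an added example (not code from the original page). It works in a throwaway directory with constructed file names and message text, checks that the decrypted file matches the original, and also shows the failure case a practitioner should expect: RSA can only encrypt one block smaller than the key, so larger data is refused. OAEP padding is requested explicitly here, whereas the commands above rely on the pkeyutl default of PKCS#1 v1.5.

```shell
#!/bin/sh
# Added example (not from the original page): exercises the RSA key, encrypt
# and decrypt commands end to end and checks the round trip. File names and
# the message text are constructed for this example.
set -eu

# Create a 2048-bit RSA key pair in $1 (private.key and public.key).
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/private.key" 2>/dev/null
    openssl rsa -pubout -in "$1/private.key" -out "$1/public.key" 2>/dev/null
}

# Encrypt message.txt to the public key, decrypt with the private key and
# report "ok" only if the plaintext survives unchanged.
rsa_roundtrip() {
    dir=$(mktemp -d)
    make_keypair "$dir"
    printf 'constructed test message for the RSA example\n' > "$dir/message.txt"

    openssl pkeyutl -encrypt -pubin -inkey "$dir/public.key" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$dir/message.txt" -out "$dir/message.enc"
    openssl pkeyutl -decrypt -inkey "$dir/private.key" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$dir/message.enc" -out "$dir/decrypted.txt"

    # Decrypted output must equal the input, and the ciphertext must differ from it.
    if cmp -s "$dir/message.txt" "$dir/decrypted.txt" \
       && ! cmp -s "$dir/message.txt" "$dir/message.enc"; then
        result=ok
    else
        result=mismatch
    fi
    rm -rf "$dir"
    echo "$result"
}

# RSA encrypts at most one block smaller than the modulus: with a 2048-bit key
# and OAEP (SHA-1) that is 214 bytes. A 300-byte input is refused, which is why
# real systems encrypt data with a symmetric key and wrap only that key with RSA.
rsa_rejects_oversize() {
    dir=$(mktemp -d)
    make_keypair "$dir"
    dd if=/dev/zero bs=300 count=1 2>/dev/null | tr '\0' 'A' > "$dir/big.txt"

    if openssl pkeyutl -encrypt -pubin -inkey "$dir/public.key" \
           -pkeyopt rsa_padding_mode:oaep \
           -in "$dir/big.txt" -out "$dir/big.enc" 2>/dev/null; then
        result=accepted
    else
        result=rejected
    fi
    rm -rf "$dir"
    echo "$result"
}

rsa_roundtrip          # prints: ok
rsa_rejects_oversize   # prints: rejected
```

Both functions print a single word so the script can be used as a quick self-check of an OpenSSL installation; the hard size limit in the second function is the reason message encryption in practice is hybrid rather than raw RSA.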
Useful Links
Autopsy and The Sleuth Kit
Autopsy is an open-source digital forensic platform that is capable of analysing all types of mobile devices and digital media. It is produced by an organisation called Basis Tech. It provides a plug-in architecture that allows you to find add-on modules or develop custom modules in Java or Python.
Autopsy's graphical user interface provides access to the collection of command line tools found in The Sleuth Kit and is available on platforms including Microsoft Windows, Linux and macOS.
Useful Links
- Basis Tech.
- The Sleuth Kit.
- User interface layout.
- Data sources.
- Ingest modules.
- Tags.
- Reports.
- Tree viewer.
- Result viewer.
- Contents viewer.
- Keyword searches.
- Timeline.
- Third-party modules.
DD
DD is a utility for creating disk images for backup purposes or for forensic investigation with other tools, such as Autopsy. It is included with Unix-like operating systems, such as Linux and macOS, and a downloadable version is available for Microsoft Windows.
A disk image can be created as follows. The 'if' is used to specify the input file, whilst the 'of' is used for the output file.
dd if=/dev/sda of=/tmp/sda/image.img
This image can be restored by reversing the process.
dd if=/tmp/sda/image.img of=/dev/sda
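A worked acquisition using the same 'if' and 'of' options, added here as an example (not code from the original page). It images a constructed 1 MiB file standing in for a disk, so no real device is touched, and adds the check a forensic imager always performs: hashing the source and the image and confirming they agree. The 'conv=noerror,sync' options are the usual choice for evidence media, so that a failing sector does not abort the copy or shift later data.

```shell
#!/bin/sh
# Added example (not from the original page): images a file-backed "disk"
# with dd and verifies the image by hash, as a forensic acquisition would.
# The source "disk" is a constructed 1 MiB file of random bytes.
set -eu

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Acquire $1 into $2 in 512-byte blocks. conv=noerror keeps going past
# unreadable blocks and conv=sync pads them with zeros, so every readable
# byte keeps its original offset (later tools rely on that to locate
# partitions and file systems inside the image).
acquire_image() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Image a constructed disk, hash source and image, and report whether they
# agree: "ok" for a verified image, "mismatch" otherwise.
verify_acquisition() {
    dir=$(mktemp -d)
    dd if=/dev/urandom of="$dir/disk.bin" bs=512 count=2048 2>/dev/null  # 1 MiB
    acquire_image "$dir/disk.bin" "$dir/disk.img"

    src_hash=$(hash_file "$dir/disk.bin")
    img_hash=$(hash_file "$dir/disk.img")
    # Keep both hashes beside the image: they are the evidence that the copy
    # is faithful and what a later restore can be checked against.
    printf '%s  disk.bin\n%s  disk.img\n' "$src_hash" "$img_hash" > "$dir/hashes.txt"

    if [ "$src_hash" = "$img_hash" ]; then
        result=ok
    else
        result=mismatch
    fi
    rm -rf "$dir"
    echo "$result"
}

verify_acquisition   # prints: ok
```

Because 'conv=sync' pads the final partial block as well, an image of a source whose size is not a multiple of the block size will be slightly larger than the source and its hash will differ; real block devices are always a whole number of sectors, so the check above holds for them.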
Useful Links
Volatility
Volatility is an open-source memory forensics command line tool written in Python that is used to analyse volatile memory, such as RAM, in a computer system. It consists of numerous plugins that work together to extract digital artifacts from memory dump files. It is maintained by the Volatility Foundation and is said to be the world's most widely used framework for extracting digital artifacts from volatile memory (RAM) samples. It also works with a number of different memory dump file formats, including those obtained from virtual machines.
Below is a sample of Volatility commands.
In order to get help with using Volatility, the 'h' option can be utilised.
python3 vol.py -h
If it is necessary to obtain information from the memory dump file about the host, this can be achieved as follows, where 'memdump.raw' is the name of the memory dump file.
python3 vol.py -f memdump.raw windows.info
Similar is possible for Linux and Mac by using 'linux.info' and 'mac.info' respectively.
A list of processes running at the time the memory dump was taken can be obtained in one of three ways.
python3 vol.py -f memdump.raw windows.pslist
python3 vol.py -f memdump.raw windows.psscan
python3 vol.py -f memdump.raw windows.pstree
The first of these extracts the processes from the doubly linked list that keeps track of processes in memory, similar to how they appear in Task Manager. Some malware however tries to unlink itself from this list to evade detection. To combat this, the second method just looks for data structures that look like processes, however, this can result in false positives. The third method lists all processes based on the parent process ID, utilising similar techniques to the second option.
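One way to turn the pslist/psscan difference described above into a check, added here as an example (not code from the original page). The two listings are constructed and simplified to four columns (PID PPID ImageFileName ExitTime); real Volatility output has more columns, so the awk field numbers would need adjusting. It reports processes that psscan found, that have no exit time, and that are absent from pslist, which is the combination worth a closer look; entries with an exit time are skipped because an already-terminated process is the ordinary explanation for a psscan-only result.

```shell
#!/bin/sh
# Added example (not from the original page): find processes present in a
# windows.psscan listing but missing from windows.pslist. Both inputs are
# constructed, simplified listings; PIDs and names are made up.
set -eu

PSLIST_SAMPLE='PID PPID ImageFileName ExitTime
4 0 System N/A
612 4 smss.exe N/A
1044 612 csrss.exe N/A
2380 1044 explorer.exe N/A'

# psscan carves every process-shaped structure it can find, so it also reports
# processes that have already exited (ExitTime set) and, here, one entry that
# is not in the active list at all.
PSSCAN_SAMPLE='PID PPID ImageFileName ExitTime
4 0 System N/A
612 4 smss.exe N/A
1044 612 csrss.exe N/A
2380 1044 explorer.exe N/A
3720 2380 notepad.exe 2024-01-01T10:15:00
4321 2380 svchost.exe N/A'

# Print "PID ImageFileName" for each psscan entry that is still running
# (ExitTime N/A) but does not appear in pslist.
hidden_processes() {
    dir=$(mktemp -d)
    printf '%s\n' "$1" > "$dir/pslist.txt"
    printf '%s\n' "$2" > "$dir/psscan.txt"
    awk 'FNR == 1 { next }                          # skip each header line
         NR == FNR { seen[$1] = 1; next }           # first file: remember pslist PIDs
         $4 == "N/A" && !($1 in seen) { print $1, $3 }' \
        "$dir/pslist.txt" "$dir/psscan.txt"
    rm -rf "$dir"
}

hidden_processes "$PSLIST_SAMPLE" "$PSSCAN_SAMPLE"   # prints: 4321 svchost.exe
```

A hit from this check is a lead, not a verdict: the next steps on the real dump would be pstree for its parent, dlllist and cmdline for what it loaded and how it was started, and malfind for injected code.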
As well as obtaining a list of processes, it is possible to list all DLL files associated with the processes.
python3 vol.py -f memdump.raw windows.dlllist
When the processes are listed, the process ID, or PID for short, is included. This can be used to dump the executables and DLL files associated with the process in question.
python3 vol.py -f memdump.raw windows.dumpfiles --pid 1234
The process command line arguments can also be listed.
python3 vol.py -f memdump.raw windows.cmdline
To search for signs of code injection within the memory dump, the 'malfind' plugin can be used.
python3 vol.py -f memdump.raw windows.malfind
To search for details of network connections, the 'netscan' plugin can be utilised.
python3 vol.py -f memdump.raw windows.netscan.NetScan
The final example discussed here shows how YARA rules can be run against the dump file.
python3 vol.py -f memdump.raw windows.yarascan
Useful Links
More digital forensics tools
- FTK Forensic Toolkit - A digital forensics toolkit offering features such as full-disk forensic imaging, file decryption and password cracking, the parsing of registry files, the collection, processing and analysis of datasets, as well as advanced volatile memory analysis.
- Guymager - A free forensic imager for media acquisition.
- Magnet Acquire - Allows for the easy acquisition of forensic images of any iOS or Android device, hard drive, and removable media.
- Redline - Provides a means to investigate malicious activity on an endpoint through memory and file analysis.
PhishTool
PhishTool is a cloud-based platform that allows for the analysis of phishing emails, as well as providing a means to respond to phishing attacks. It looks at email headers, as well as any links and attachments that are included, to help determine the best course of action. It achieves this by integrating threat intelligence, and open-source intelligence (OSINT), to aid in the analysis of the emails.
PhishTool is provided as both a free, community-based offering for individuals, as well as a paid for offering that includes additional features for collaboration in a team.
Useful Links
CAPA
CAPA, short for Common Analysis Platform for Artifacts, is an open-source tool that is designed to identify the capabilities of executable files. This is achieved by analysing files using a set of rules that describe common behaviours, which allow the capabilities of the program to be determined. These capabilities could include network communication, file manipulation, and process injection, to name a few.
CAPA is particularly useful for malware analysis and threat hunting, with it being able to identify capabilities in executable files such as Portable Executables (PE), ELF binaries, .NET modules, and shellcode, as well as standard executable exe files.
Once CAPA has been downloaded, it can be run against an executable from a PowerShell command prompt.
capa.exe .\demo.exe
To view help information, the 'h' option can be used.
capa.exe -h
The 'v' option can be used to produce more verbose results.
capa.exe .\demo.exe -v
To make the results even more verbose, the 'vv' option can be specified.
capa.exe .\demo.exe -vv
The resulting output starts off with some basic information about the file, such as different hash values for the file, the operating system where its capabilities apply, and its format. The next part of the output relates to the tactics and techniques it employs, which are linked to the MITRE ATT&CK framework. This is followed by sections on Malware Attribute Enumeration and Characterization (MAEC), and the Malware Behaviour Catalogue (MBC). The first of these is a specialised language designed to encode and communicate complex details about malware, whilst the latter is concerned with labelling malware, similarity analysis, and standardised reporting. Information on capabilities completes the output.
Useful Links
PeStudio
PeStudio is a tool for analysing executable files for the purposes of finding suspicious artifacts within them. It is available in both free and paid for versions, with additional functionality provided in the latter.
Once an executable file is loaded into the tool, the file hashes are automatically calculated and checked against VirusTotal, with the results shown within. VirusTotal checks the file hashes against numerous antivirus and antimalware providers and reports back on whether each one deems a file hash to be associated with a malicious file or not.
PeStudio allows for the analysis of several aspects of executable files, including file headers, and strings. The pro version also links any suspicious activity to the Mitre ATT&CK framework, which provides details regarding tactics, techniques and procedures of adversaries.
Useful Links
Snort
Snort is an open-source, network-based intrusion detection system (IDS) and intrusion prevention system (IPS). It can provide real-time network traffic analysis, enabling the monitoring of suspicious activity, such as attempts to take advantage of software flaws or unauthorised access, as well as analyse packet capture files, for the same types of activity.
A wide range of network-based attacks, such as malware infections, efforts at network reconnaissance, and denial-of-service attacks, to name a few, can be found with Snort. It uses a pre-established set of rules to do this.
Snort can be installed onto a stand-alone Linux based system and is also integrated into popular firewalls such as pfSense, Smoothwall, and OPNsense.
At its simplest, Snort can be started from the command line as follows.
sudo snort
If Snort is launched like this, with no further options specified, it is started in sniffer mode, where it captures network packets and displays the results in the terminal.
To run Snort in intrusion detection mode, where it analyses network traffic to look for suspicious activity, a configuration file must be specified at start-up.
sudo snort -c /etc/snort/snort.lua
Any issues found will be displayed in the terminal by default. If it is necessary to validate the configuration file, this can be achieved by using the 'T' option.
sudo snort -T -c /etc/snort/snort.lua
Rather than having the results displayed in the terminal, if a directory is specified at start-up, any issues can be output to log files instead by using the 'l' option.
sudo snort -c /etc/snort/snort.lua -l /home/demo/Desktop
This will produce three log files, 'snort.alert.fast', 'snort.log', and 'snort.alert'. The log file 'snort.alert.fast' can be viewed via a normal text editor, such as Nano, Vi, or Mousepad, however, the remaining two files require the use of a package such as 'u2spewfoo' to be read, or any other software that supports the 'unified2' format.
sudo u2spewfoo snort.log
If Snort is required to analyse an existing packet capture file, rather than live traffic, this can be achieved using the 'r' option.
sudo snort -c /etc/snort/snort.lua -r demo.pcap -l /home/demo/Desktop
Useful Links
Suricata
Suricata can be used as either a network-based intrusion detection system (NIDS) or intrusion prevention system (NIPS), as well as providing other network security monitoring functionality. It is an open-source system developed and maintained by the Open Information Security Foundation (OISF), a community-run non-profit foundation.
Suricata uses a rule set and signature language to detect and prevent threats. It also runs on multiple platforms, including Microsoft Windows, Linux and macOS.
Useful Links
CyberChef
CyberChef is said to be the cyber Swiss army knife. It is a browser-based web application for carrying out cyber-related tasks, including simple encoding, complex encryption, creating binary and hexdumps, compression and decompression of data, calculating hashes and checksums, IPv6 and X.509 certificate parsing, changing character encodings, and much more.
CyberChef provides many different operations that can be combined together to perform a larger task, referred to as a recipe, which can be saved for later use.
Useful Links
FlareVM
FlareVM is a collection of tools that cover reverse engineering, malware analysis, incident response, forensic investigation and penetration testing. It was created by Mandiant, a subsidiary of Google Cloud, which is said to be a leader in dynamic cyber defence, threat intelligence, and incident response services.
FlareVM is designed to be installed on a Windows based virtual machine and includes a set of installation scripts to allow for the easy setup and maintenance of the environment.
Useful Links
REMnux
REMnux is a Linux based platform that utilises Ubuntu and comes packaged with various tools for reverse engineering and analysis of malicious software.
The toolkit is made available as a pre-built virtual machine in OVA format. It is said to be widely used by malware analysts and security researchers, as well as those working in the field of digital forensics. It can be used for tasks such as static and dynamic malware analysis, memory forensics, network behaviour analysis and the examination of suspicious documents.
Useful Links
Security Onion
Security Onion is a free and open platform that includes tools for threat hunting, network security monitoring, and log management. It was first released in 2008 and is maintained by Security Onion Solutions. It is currently provided on the Oracle Linux operating system, although it can be installed on other Linux distributions.
Useful Links
NetworkMiner
NetworkMiner is said to be an open-source network forensic analysis tool, primarily designed for Microsoft Windows, although it does work on other operating systems, such as Linux and macOS, albeit with fewer features.
Its primary usage is parsing captured traffic and providing an overview of its activity. It can identify the hosts involved, the protocols used as well as the operating systems being utilised, based on information gleaned from the captured traffic. If any files have been transferred, these can be extracted, along with any credentials that are available.
It does have a sniffer mode for capturing live traffic, although, by the developers' own admission, this is no substitute for solutions such as Wireshark. NetworkMiner is best for providing an overview of captured traffic, with a more detailed analysis done in something like Wireshark if necessary.
Useful Links
Tcpdump
Tcpdump is a command-line network packet analyser tool used for network monitoring and troubleshooting. It captures and displays packet data being transmitted or received over a network interface, providing detailed information about network traffic. This data can be saved in formats such as 'pcap' and 'pcapng', amongst others, for later analysis.
Tcpdump is commonly used by network administrators and security professionals to diagnose network issues, monitor network performance, and analyse network security threats.
Below is a sample of tcpdump commands.
In order to get help with using tcpdump, the 'h' option can be utilised.
tcpdump -h
The 'D' option can be specified to find the network adapters available on the system. This produces a numbered list of the adapters available.
tcpdump -D
From the above list of adapters, one of them can be specified by using the 'i' option, along with the corresponding number. The 'c' option can be used to specify a specific number of packets to capture. If the number of packets to capture isn't specified, then the packet capture will continue until 'Ctrl+c' is used to stop it. The results of this capture will be displayed directly on the screen.
sudo tcpdump -i 1 -c 15
It is also possible to specify an interface using its name, for example, 'eth0'.
sudo tcpdump -i eth0 -c 15
In order to save the capture to a file, the 'w' option can be used to specify the file name.
sudo tcpdump -i eth0 -c 15 -w output.pcap
The file produced can then be read using the 'r' option.
tcpdump -r output.pcap
Tshark
Tshark, which comes with Wireshark, offers similar functionality to Wireshark via the command line for capturing network packets from a network interface. It provides various options to customise the capture process, such as setting the capture filter, specifying the capture duration, and saving the captured packets in various formats, including pcap, pcapng, text, and json.
Below is a sample of Tshark commands.
In order to get help with using Tshark, the 'h' option can be utilised.
tshark -h
The 'D' option can be specified to find the network adapters available on the system. This produces a numbered list of the adapters available.
tshark -D
From the above list of adapters, one of them can be specified by using the 'i' option, along with the corresponding number. The 'c' option can be used to specify a specific number of packets to capture. If the number of packets to capture isn't specified, then the packet capture will continue until 'Ctrl+c' is used to stop it. The results of this capture will be displayed directly on the screen.
tshark -i 1 -c 15
It is also possible to specify an interface using its name, for example, 'eth0'.
tshark -i eth0 -c 15
In order to save the capture to a file, the 'w' option can be used to specify the file name.
tshark -i eth0 -c 15 -w output.pcap
As well as being able to limit the number of packets captured it is also possible to apply a capture filter, using the 'f' option, to limit the type of traffic that is captured. The below example limits the traffic captured to just 'TCP' traffic.
tshark -i eth0 -f "tcp" -w output.pcap
The file produced can then be read using the 'r' option.
tshark -r output.pcap
If further details need to be analysed about a particular frame, the 'Y' option can be used to specify a display filter to limit the output to the frame in question, whilst the 'V' option, for verbose, is used to show further details.
tshark -r output.pcap -Y "frame.number==15" -V
Useful Links
- Tshark.
- Tshark.dev.
- Termshark - A terminal UI for tshark, inspired by Wireshark.
- Display filter reference.
- Address Resolution Protocol (ARP) parameters.
- Internet Control Message Protocol (ICMP) parameters.
- Transport Layer Security (TLS) parameters.
- Protocol numbers.
Wireshark
Wireshark is a tool that allows for the inspection of computer networks. It is commonly referred to as a traffic, protocol, or packet analyser. Packet analysis involves the interception of network data, or packets as they are known, for the purposes of deducing their contents, together with the parties involved in the exchange. It is said to be the world’s foremost and widely used network protocol analyser, which is used in both commercial and non-profit organisations, as well as government agencies and educational establishments.
Wireshark is free, open-source software, that runs on a number of different platforms including, Microsoft Windows, Linux and macOS. Some of its features include, live capture of network data, the ability to inspect hundreds of protocols, view and analyse network data through a graphical user interface, as well as decryption support for many protocols and much more.
Wireshark can be used in several different roles. Firstly, network engineers can use it to troubleshoot performance issues with the network. Security analysts can use it to investigate intrusion attempts, or to validate existing security controls. Forensic analysts can utilise Wireshark to gain an insight into security breaches, whilst penetration testers can search for sensitive information to find a way into a target network. These are just a small number of its uses.
Useful Links
- User’s Guide.
- Display filter reference.
- Mailing lists.
- Online tools.
- Wiki.
- Sample captures.
- Address Resolution Protocol (ARP) parameters.
- Internet Control Message Protocol (ICMP) parameters.
- Transport Layer Security (TLS) parameters.
- Protocol numbers.
Zeek
Zeek, formerly Bro, is an open-source, passive network traffic analyser, that can be used for network security monitoring to support investigations into suspicious or malicious activity, as well as non-security related tasks, such as performance monitoring and troubleshooting.
Zeek provides a comprehensive set of logs describing network activity as well as built-in functionality for a range of analysis and detection tasks, including extracting files from HTTP sessions, detecting malware by interfacing to external registries, reporting vulnerable versions of software seen on the network, identifying popular web applications, detecting SSH brute-forcing, validating SSL certificate chains, and much more.
Below is a sample of Zeek commands.
In order to check which version of Zeek is installed the 'v' option can be utilised.
zeek -v
If it is necessary to process an existing pcap file, the 'r' option can be used to achieve this. The 'C' option can be used in addition to ignore checksum errors.
zeek -C -r demo.pcap
Useful Links
Burp Suite
Burp Suite, or simply Burp for short, is a set of tools that can be utilised to carry out penetration testing on web applications. It was developed and is maintained by a company called PortSwigger, and is available in three editions: a free community edition, as well as paid for professional and enterprise editions. Its functionality can be extended by installing add-ons, which are known as BApps.
Useful Links
Zed Attack Proxy
Zed Attack Proxy, or ZAP for short, is a penetration testing tool for finding vulnerabilities in web applications. Due to its ease of use, it can be used by security professionals, as well as developers and those involved in functional testing.
ZAP was initially started as a small project by the Open Web Application Security Project (OWASP), however, today it is maintained by a community of individuals from all over the world.
ZAP provides automated vulnerability scans, as well as a set of tools that allow for the discovery of security vulnerabilities manually.
Useful Links
A Security Information and Event Management (SIEM) solution provides a means to collect log data from multiple sources on a computer network, correlates this data and makes it searchable for monitoring purposes. Summaries of the data are also provided in the form of dashboards to aid in its analysis.
A Security Orchestration, Automation, and Response (SOAR) solution provides a means of integrating different security tools, such as SIEM, EDR and firewalls, to automate a response to certain events. This can be achieved through the use of predefined actions based on rules or playbooks, as well as artificial intelligence, resulting in, for example, the automatic quarantining of malware, blocking of IP addresses, or generating of alerts.
Elastic Stack
The Elastic Stack, otherwise known as the ELK Stack, isn't a traditional SIEM. It was originally developed to monitor application performance; however, today it is often used in the same vein as a purpose-built SIEM.
The Elastic Stack comprises four components: Beats, Logstash, Elasticsearch and Kibana.
Beats includes a number of different types of agents that need to be installed on endpoint devices, such as workstations, servers and network infrastructure devices, that are to be monitored. These agents, also known as data-shippers, are used to collect the necessary data from sources, such as log files, and forward them on to the next component in the process.
Logstash receives the data from the beats, filters and normalises it into field and value pairs, then sends it on to Elasticsearch.
Elasticsearch allows for the storage of the normalised data, where it can be searched and analysed.
The final component, Kibana, provides a web-based interface where the data stored in Elasticsearch can be searched and visualised in the form of dashboards. The data can be searched using the Kibana Query Language (KQL).
Useful Links
Microsoft Sentinel
Microsoft Sentinel is said to be a cloud-native Security Information and Event Management (SIEM) solution that delivers scalable, cost-efficient security across multi-cloud and multiplatform environments. It also provides Security Orchestration, Automation, and Response (SOAR) functionality by allowing a response to incidents.
Microsoft Sentinel provides numerous connectors, enabling data collection from both on-premises environments, as well as cloud platforms, such as Azure, Amazon Web Services and Google Cloud Platform.
It utilises both behavioural analytics and anomaly detection to identify complex threats. AI is also incorporated to simplify and speed up the process of threat investigation and resolution. Automated responses are standardised with the use of playbooks.
Useful Links
Splunk
Splunk Enterprise Security, a Security Information and Event Management (SIEM) solution from Splunk, a Cisco company, is made up of three components: a Forwarder, an Indexer and a Search Head.
The Forwarder acts like an agent and must be installed on endpoint devices that need to be monitored. Its purpose is to collect the necessary data from sources such as log files and forward it on to the next component in the solution. These endpoints could include user workstations, network infrastructure devices and servers, such as file servers, web servers and database servers.
The Indexer takes the data passed to it by the Forwarder and processes it. This processing involves preparing the data for searching and analysis purposes, and includes categorising the data, as well as normalising it into field value pairs.
The final part of the solution is the Search Head, which provides a web based graphical front end for searching and visualising the data through dashboards. The searching of the data can be achieved through the use of the Search Processing Language, or SPL for short.
Example Search Processing Language (SPL) Queries
Below are some example queries. These queries assume that the index and field names exist in the ingested data.
Search the index called 'windowslogs' for an account name 'FredBloggs'.
index=windowslogs AccountName=FredBloggs
Search the index called 'windowslogs' for destination IP addresses that start '192.168.'. Here, the '*' is used as a wildcard.
index=windowslogs DestinationIp=192.168.*
Search the index called 'windowslogs' for any events containing the term 'PowerShell'.
index=windowslogs | search Powershell
Limit the output from the index called 'windowslogs' to only show 'EventID', 'Hostname' and 'DestinationIp'.
index=windowslogs | table EventID Hostname DestinationIp
Useful Links
Wazuh
Wazuh is an open-source Security Information and Event Management (SIEM) system based on OSSEC and Elastic Stack XDR (eXtended Detection and Response). Systems feed their logs into a SIEM, either directly, or indirectly via a log aggregator, which is sometimes used to reformat the logs into a suitable format. Wazuh then uses this combined log information to find likely security events by searching for Indicators of Compromise (IOC). A web-based dashboard is included to allow security professionals to visually see what is occurring. Information can be filtered as needed for specific purposes.
Wazuh agents installed on endpoints are used to feed information to a central server, providing security information on intrusion detection, file integrity monitoring, compliance checks, vulnerability detection, configuration assessments, and more. For agentless devices, such as firewalls, routers, and switches, log files can be ingested via Syslog, SSH and APIs.
Useful Links
MISP
MISP, or the Malware Information Sharing Platform, is an open-source tool, that facilitates the collection, storage and distribution of threat intelligence including malware, indicators of compromise, cyber attacks, and financial fraud. This information can be shared amongst a community of trusted entities.
MISP key features include the following:
- Threat intelligence sharing - Enables the sharing of threat information, such as malware samples, IP addresses, domain names, file hashes, and phishing indicators in a standardised format, such as STIX, or the Structured Threat Information Expression.
- Indicators of Compromise (IOC) management - Allows for the collection, storage, and correlation of IOCs for targeted attacks, financial fraud, vulnerabilities, and other malicious activity.
- Facilitates collaboration - Provides a means for collaboration on threat data both within an organisation, as well as a wider, trusted community.
- Automation and integration - APIs are provided to automate the ingestion and distribution of threat intelligence. Integration is possible with SIEMs, intrusion detection systems and other security monitoring tools.
- Flexible deployment - Deployment is possible on premises, in the cloud, or as a SaaS solution, for organisations of any size.
- Correlation and enrichment - Correlates IoCs across different datasets to identify related threats and can incorporate external sources, such as threat feeds and OSINT.
- Security and access control - Facilitates granular access control in order to manage who can view and share specific intelligence.
OpenCTI
Open Cyber Threat Intelligence, or OpenCTI as it is better known, is an open-source platform that facilitates the storage and visualisation of cyber threat intelligence, such as threat campaigns, malware and Indicators of Compromise (IoCs).
OpenCTI key features include:
- Centralised threat intelligence management - Provides a means to collect and consolidate disparate threat feeds into a single platform, with support for both technical and non-technical intelligence.
- Standardised schema - Utilises the STIX 2.1 data model for structuring threat intelligence. This ensures interoperability with other systems.
- Visualisation and dashboards - Provides interactive graphs and dashboards to explore relationships between threat actors, campaigns, malware, and vulnerabilities.
- Automation and integration - Offers over 300 integrations with external tools and feeds, via connectors for importing and exporting data, along with APIs for automation.
- Case management and incident response - Streamlines incident response workflows by linking threat intelligence directly to cases, with support for role-based sharing and dissemination across teams.
- Knowledge structuring and GraphQL API - Built with a modern web application architecture and GraphQL API. This allows for flexible queries and integration with custom tools.
- Collaboration and sharing - Enables secure sharing of intelligence across teams and organisations, with role-based access control (RBAC) to ensure data is shared appropriately.
Yeti
Yeti allows for the storage and management of forensics intelligence. It can consolidate information on observables, indicators of compromise (IoC), tactics, techniques and procedures (TTPs), along with any other threat-related knowledge.
Once information is inside the system it can be easily searched to provide an indication of the nature of a threat and how to find it on a system. Data sources, analytics, and logic can be incorporated from other sources. Exporting of data in user-defined formats is also possible to allow it to be ingested into other applications, such as a Security Information and Event Management (SIEM) system.
Useful Links
More threat intelligence tools
- Hybrid Analysis - A malware analysis service that can be used to analyse files and URLs to detect threats, by using both static and dynamic analysis techniques within a sandbox environment.
- IPinfo - Shows information relating to an IP address, including any associated domains and companies, as well as geolocation data.
- MalwareBazaar - Provides a searchable database of malware samples for the purposes of sharing threat intelligence with the security community. Malware samples can also be uploaded and alerts can be set to track newly observed malware.
- VirusTotal - Analyses suspicious files, domains, IP addresses and URLs using over 70 antivirus scanners, as well as URL and domain block listing services, to detect malware.
Nessus
Nessus, developed by Tenable, Inc., is a widely used vulnerability scanner. It was open-source in its early releases but has been proprietary since version 3 in 2005; Tenable offers a free edition, Nessus Essentials, limited to a small number of IP addresses, alongside the commercial Nessus Professional. It checks hosts for weaknesses that could be exploited: vulnerabilities that allow unauthorised control or access to sensitive data, misconfigurations, default or weak credentials, denial-of-service conditions and more.
Nessus tags its findings with Common Vulnerabilities and Exposures (CVE) identifiers, so results can be cross-referenced with other CVE-compatible tools. A scan works by discovering the open ports on a host, identifying the service behind each port, and then running the relevant checks (plugins) against that service to look for vulnerabilities an attacker could use. Checks can be run unauthenticated from the network or authenticated with credentials supplied to the scanner; the authenticated mode is far more accurate, because the scanner can read installed package versions and configuration directly rather than inferring them from banners.
Useful Links
Nikto
Nikto is an open-source web server scanner that checks for known dangerous files and programs, outdated server software, and server misconfigurations (for example missing security headers and enabled HTTP methods such as TRACE). Results can be written in several formats, including plain text, CSV, HTML and XML, for post-scan analysis. Nikto makes no attempt to be stealthy, so it is quickly noticed by an IDS or WAF, and its findings include false positives that should be verified by hand before they are reported.
Nikto's functionality can also be extended with the use of custom plugins and scripts.
Below is an example of a basic scan that is initiated against a specific URL.
nikto -h http://example.com
A scan can also be narrowed down to a specific port.
nikto -h http://example.com -p 8080
The results of a scan can be written to a file. Nikto infers the format from the file extension (for example .txt, .csv, .htm or .xml); -Format selects it explicitly, and the value for HTML output is htm.
nikto -h http://example.com -o scan_results.txt
nikto -h http://example.com -o scan.html -Format htm
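Because Nikto's reports mix confirmed weaknesses with hygiene notes and occasional false positives, a practitioner usually triages them before reporting. The shell function below is an added example, not part of Nikto: it reads a CSV report (-Format csv), separates findings that carry a Nikto reference tag from plain informational ones, and prints a curl command for each referenced finding so that it can be confirmed by hand. It assumes the Nikto 2.1.x CSV column order of host, IP, port, reference, HTTP method, URI, description; the report embedded in sample_nikto_csv is constructed for the example, with the host name and port chosen to match the page's examples.

```shell
# Added example, not part of Nikto. Assumes Nikto 2.1.x CSV columns:
# "host","ip","port","reference","method","uri","description"
# The description is last and may itself contain commas, so the line is
# split on the quoted separator "," rather than on bare commas.

# nikto_triage < report.csv
# Prints one line per finding, tagged [REF] when Nikto attached a reference
# tag and [INFO] otherwise, a summary count, then a curl command per [REF]
# finding so the tester can confirm it before reporting.
nikto_triage() {
  awk '
    /^"/ {
      line = $0
      sub(/^"/, "", line); sub(/"$/, "", line)
      n = split(line, f, "\",\"")
      if (n < 7) next
      desc = f[7]
      for (i = 8; i <= n; i++) desc = desc "\",\"" f[i]   # re-join a split description
      scheme = (f[3] == "443") ? "https" : "http"          # assumption: 443 means TLS
      url = scheme "://" f[1] ":" f[3] f[6]
      if (f[4] != "") {
        ref++
        printf "[REF]  %s %s %s: %s\n", f[4], f[5], url, desc
        checks = checks sprintf("curl -sk -o /dev/null -w \"%%{http_code}\\n\" -X %s %s\n", f[5], url)
      } else {
        info++
        printf "[INFO] %s %s: %s\n", f[5], url, desc
      }
    }
    END {
      printf "%d referenced, %d informational\n", ref + 0, info + 0
      printf "%s", checks
    }'
}

# Constructed report in Nikto CSV layout, used to demonstrate the triage offline.
sample_nikto_csv() {
  cat <<'EOF'
"target.example","10.0.2.15","80","","GET","/","The anti-clickjacking X-Frame-Options header is not present."
"target.example","10.0.2.15","80","","OPTIONS","/","Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE"
"target.example","10.0.2.15","80","OSVDB-877","TRACE","/","HTTP TRACE method is active, suggesting the host is vulnerable to XST"
"target.example","10.0.2.15","80","OSVDB-3233","GET","/phpinfo.php","PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information."
EOF
}

# Usage with a real report: nikto -h http://target.example -o report.csv -Format csv
#                           nikto_triage < report.csv
```

The emitted curl commands only check that the method and path answer with a non-error status; a 200 for TRACE or for /phpinfo.php is what confirms the finding, whereas a 404 or 405 points to a false positive that can be dropped from the report.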
Nmap
Scanning and enumeration are two common methods for compiling information about hosts and services on a network. Scanning refers to the use of various tools and techniques to survey a network for active hosts, open ports, and the types of services running on those ports. Enumeration refers to compiling detailed information about the discoveries made using scanning techniques, such as the operating system running on those hosts, the version of software running on its open ports, and even vulnerabilities associated with those versions.
Nmap, short for Network Mapper, is the most popular tool in this area. It is an open-source tool for exploring networks and auditing their security. It can be used to determine what hosts are available on a network, what services the hosts are running, what operating systems they are using, the type of packet filters and firewalls in use, and much more. As well as security auditing, it can also be useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
Below is a sample of Nmap commands. With no further options Nmap scans the 1,000 most common TCP ports, using a SYN scan when run with root privileges and a TCP connect scan otherwise; only scan networks you are authorised to test, as the traffic is easily detected.
List all the options available with Nmap.
nmap -h
Scan a single IP address using a regular scan.
nmap 10.0.2.15
Scan two IP addresses at the same time using a regular scan.
nmap 10.0.2.15 10.0.2.16
Scan a range of IP addresses using a regular scan.
nmap 10.0.2.1-20
Scan a network with CIDR notation using a regular scan.
nmap 10.0.2.0/24
Scan selected TCP ports for a specified IP address using a regular scan.
nmap 10.0.2.15 -p T:21-25,80
Scan a port by its service name rather than its number (names are looked up in Nmap's nmap-services file; https is 443).
nmap 10.0.2.15 -p https
Use a ping scan to discover hosts, without scanning for open ports.
nmap -sn 10.0.2.0/24
Scan a web address using a regular scan.
nmap www.example.com
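The commands above are single steps; in practice scanning and enumeration are chained, and the output is parsed rather than read by eye. The shell script below is an added example, not part of Nmap: sweep runs a host-discovery pass, then service and version detection on the live hosts only, saving grepable (-oG) and XML (-oX) output, and parse_gnmap turns the grepable file into one line per open port. The 10.0.2.0/24 range follows the page's examples and is an assumption; the -oG text in sample_gnmap is constructed so that the parser can be exercised without a network.

```shell
# Added example, not part of Nmap. Two-stage sweep: discover live hosts first,
# then run service/version detection only against those hosts, saving grepable
# (-oG) and XML (-oX) output; parse_gnmap turns the -oG file into one row per
# open port. Scan only networks you are authorised to test.

# sweep [cidr]  (needs nmap, root for SYN scans, and network reach)
sweep() {
  range="${1:-10.0.2.0/24}"                      # assumption: lab range
  nmap -sn -oG - "$range" | awk '/Status: Up/ { print $2 }' > live_hosts.txt
  nmap -sV -p- -T4 -iL live_hosts.txt -oG scan.gnmap -oX scan.xml >/dev/null
  parse_gnmap < scan.gnmap
}

# parse_gnmap < scan.gnmap
# Grepable "Host:" lines are tab-separated fields; the "Ports:" field holds
# comma-separated entries of port/state/protocol/owner/service/rpcinfo/version/.
# Prints "host port/proto service [version]" for every open port.
parse_gnmap() {
  awk -F'\t' '
    /^Host:/ {
      host = $1
      sub(/^Host: /, "", host); sub(/ .*/, "", host)   # drop "(hostname)"
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        ports = $i
        sub(/^Ports: /, "", ports)
        n = split(ports, entry, ", ")
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")
          if (f[2] != "open") continue              # skip closed/filtered ports
          ver = (f[7] == "") ? "" : " " f[7]        # version is empty without -sV
          printf "%s %s/%s %s%s\n", host, f[1], f[3], f[5], ver
        }
      }
    }'
}

# Constructed -oG output used to demonstrate the parser offline.
sample_gnmap() {
  printf '# Nmap scan initiated as: nmap -sV -p- -iL live_hosts.txt -oG scan.gnmap\n'
  printf 'Host: 10.0.2.15 (web01)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: closed (65532)\n'
  printf 'Host: 10.0.2.16 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: filtered (65534)\n'
}

# Usage: sweep 10.0.2.0/24          (live scan)
#        sample_gnmap | parse_gnmap  (offline demonstration)
```

Discovering hosts first keeps the expensive full-port (-p-) and version (-sV) scan off addresses that are down, and the XML file kept alongside the grepable one is the format most other tools, including Metasploit's db_import, understand. Note that -sn relies on ICMP and a few TCP probes, so hosts behind a firewall that drops those will be missed; add -Pn to scan them regardless.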
Useful Links
- NMAP cheat sheet.
- The phases of an Nmap scan.
- Zenmap - Official cross-platform Nmap Security Scanner GUI.