Blue Teaming

The blue team is the group of individuals who perform an analysis of information systems to ensure security, identify security flaws, verify the effectiveness of each security measure, and to make certain all security measures will continue to be effective after implementation. These are the defenders. I have provided a list of resources useful for blue teams.

 

Tools & Scripts

Honeypots

  • Kippo – a well-known medium-interaction SSH honeypot written in Python. This tool is designed to detect and log brute force attacks as well as the complete shell history performed by an attacker.
  • Glastopf – an HTTP-based honeypot written in Python. Glastopf has the ability of different vulnerability type emulations, with attack emulations including local and remote file inclusion, SQL injection, HTML injection via POST request, among others.
  • Artillery is not just a honeypot, but a monitoring tool and alerting system as well. With Artillery, you can set up the most common and most scanned ports, and blacklist anyone who tries to connect to them.

Sandboxing

  • Cuckoo Sandbox – a leading open source automation malware analysis tool. You can feed it potentially malicious files, and get reports on how the file behaves when executed in an isolated and safe environment.
  • Falcon Sandbox – a commercial product from Crowdstrike. Falcon Sandbox allows you to perform deep analysis of unknown threats and zero-day exploits, and provides threat intelligence and indicators of compromise, to provide actionable results that allow blue teams to better understand malware and in turn, build stronger defenses.
  • Firejail – a Linux SUID sandbox program written in C that helps reduce the risk of security breaches by sandboxing the running environment of untrusted applications, and allows the process and all of its descendants their private view of globally shared kernel resources. Additionally, it can sandbox servers, graphical apps and login sessions.
  • Valkyrie Comodo – an online file verdict system that employs numerous methods to test unknown files, to determine whether those files are malicious. One of Valkyrie’s strongest suits is detecting zero-day threats missed by traditional antivirus solutions. In order to ensure each submitted file is thoroughly analyzed, Valkyrie deploys both automatic and human analysis.

Incident Response

  • TheHive Project – 4-in-1 security incident response platform that allows collaborative investigation among the team, adding hundreds of thousands of observables to each investigation that can be created from their template engine, which can also be customized. When used in conjunction with their Cortex, you’ll have the ability to analyze numerous observables at once using more than a hundred analyzers, and contain and eradicate malware or security incidents.
  • GRR Rapid Response – an incident response open source framework focused on remote live forensics. This Python client is installed on target systems, with infrastructure that can manage and talk to clients.
  • The Mozilla Enterprise Defense Platform – better known as MozDef, will help you automate security incident response and provides a platform for blue teams to quickly and efficiently discover and respond to security incidents.
  • Cyphon – an open source tool that streamlines a number of incident response tasks through a unified platform. This platform receives, processes and triages security events and incidents in order to aggregate data, prioritize alerts, and provides blue teams with the ability to efficiently investigate and document those incidents.

Log management and analysis

  • Splunk – offers log management services and provides software that merges and indexes any and all log and machine data. It also gives you the ability to collect, store, index, search, correlate, analyze and report on any machine-generated data to detect and fix security issues.
  • Loggly – a cloud-based log management and analysis software that provides the ability to collect logs from your infrastructure, track their activity and analyze trends.
  • Fluentd – an open source data collector for a unified logging layer. With Fluentd you’ll be able to unify data collection and use, to enhance your understanding of data. With over 500 plugins that connect Fluentd with many sources and outputs, you’ll benefit from better informed use of your logs.
  • Sumo Logic – a log management and security analytics service. Cloud-based, it provides real-time insights by leveraging machine-generated data, similar to Splunk.

Adversary emulation

  • APTSimulator – an adversary emulation tool, but one that is designed with simplicity in mind. Installation and getting it running takes about a minute, and anyone can read, modify and or extend it. This Windows batch script uses different tools and output files, to make a system look as if it were compromised.
  • DumpsterFire – a cross-platform tool designed to build repeatable and distributed security events. Blue teams can customize event chains and simulate realistic cybersecurity scenarios to solidify their alert mapping.
  • Caldera – Built on the MITRE ATT&CK™ framework, Caldera is an automated adversary emulation framework that allows you to easily run breach and simulation exercises, and can even help with automated incident response.

Security Information and Event Management (SIEM)

  • OSSIM – One of the most commonly used open source SIEMs, OSSIM provides event collection and correlation. Some of its capabilities include asset discovery, vulnerability assessment, and intrusion detection, among others.
  • Elastic Stack – a group of products from Elastic that takes data from any source, and searches, analyzes, and visualizes that data in real-time. Formerly known as ELK Stack, it signifies Elasticsearch, Kibana, Beats and Logstash.
  • SIEMonster – affordable security monitoring software solution that is, in fact, a collection of the best open source security tools available, along with their own developments.

Endpoint Detection and Response

  • OSSEC – Open source and free, OSSEC performs log analysis, rootkit detection, Windows registry monitoring and much more. It detects and alerts on unauthorized file system modifications and malicious behavior, making it a great addition to your blue team toolkit.
  • Ettercap – a well known as an open source network security tool for man-in-the-middle attacks on LAN. Ettercap features sniffing of live connections, content filtering and supports active and passive dissection of many protocols.
  • Wazuh – an open source platform for threat detection, integrity monitoring and incident response. It allows you to collect, aggregate, index and analyze data and offers intrusion detection, vulnerability detection, cloud and container security, all in one platform

Network Security Monitoring (NSM)

  • Zeek – Formerly known as Bro, Zeek is an open source network security monitoring platform that sits on a hardware, software, virtual or cloud platform and observes network traffic, interprets what it sees and creates transaction logs, file content and fully customized output, which is suitable for manual analysis.
  • Wireshark performs deep analysis of hundreds of protocols, live capture and offline analysis, VoIP analysis, and captures files compressed with gzip and decompresses them.
  • RITA – Real Intelligence Threat Analysis, or RITA, is an open source framework for network traffic analysis. It supports beaconing detection, DNS tunneling detection and blacklist checking.
  • Maltrail – a malicious traffic detection system, is an open source tool that utilizes publicly available blacklists of malicious and suspicious trails, as well as static trails compiled from various AV reports and custom user defined lists. Additionally, it uses advanced heuristic mechanisms to help identify unknown network threats.

Threat Detection

  • Yara – This tool will help you identify and classify malware samples, and create descriptions of malware families, with each description consisting of a set of strings and boolean expressions which determine its logic.
  • HELK – The Hunting ELK, or HELK for short, is an open source threat hunting platform that provides advanced analytics capabilities such as SQL declarative language, structured streaming, machine learning via Jupyter notebooks and Apache Spark over the ELK (now Elastic) Stack. This tool helps improve the testing and development of threat hunting use cases and enables data science capabilities.

Network Defense

  • ModSecurity – ModSec, is an open source web application firewall that offers real-time application security monitoring and access control, full HTTP traffic logging, continuous passive security assessment, web application hardening and more.
  • Snort – A network intrusion detection and prevention system, SNORT is an open source tool offering real-time traffic analysis and packet logging. SNORT is one of the more commonly used intrusion prevention systems and it offers protocol analysis, content searching and matching.
  • pfSense – Their free community edition offers not only a firewall, but also a state table, server load balancing, network address translator, a VPN, and much more.
  • CSF – ConfigServer Security & Firewall, or CSF, is another system firewall, or more specifically, a firewall configuration script, as well as a login/intrusion detection application for Linux servers that configures a server’s firewall to deny public access to services and only allows certain connections, such as checking emails or loading websites. This suite of scripts provides SPI iptables firewall script and a Daemon process that checks for login authentication failures that compliment the CSF.