It has been almost 40 years since Richard Stallman wrote his manifesto defining open-source software. Since then, the computer security world has embraced his vision — at least for some software — and come to rely heavily upon it. The first tools that professionals choose are often open-source options because they come with the assurance and backing of a broad community. This code is part of the foundation that supports a secure and reliable internet.
Lately, scandals like the XZ Utils backdoor have given users pause. Is openness a dangerous vector for attacks? Are there other problems waiting? Defenders point out that while openness can make some attacks easier, it’s also the only reason independent reviewers can spot problems. Similar shenanigans in a proprietary stack could go undiscovered for much longer.
After all the fretting and questioning, open-source software is often too good to ignore. There are hundreds of good open-source options that remain essential to accomplishing the work of preventing incursions and data loss in enterprise stacks everywhere. For all the potential for more incursions like the attack on XZ Utils, the advantages of the open-source tools far outweigh any dangers.
Here are 7 open source security tools CSOs, CISOs and their teams rely on daily for specific use cases. The packages contain the wisdom and experience of the security community for finding and solving security vulnerabilities.
- ZAP
- Wireshark
- Bloodhound Community Edition
- Autopsy
- MISP
- Let’s Encrypt
- GNU Privacy Guard
ZAP for vulnerability research and scanning
The best programmers realize the limits of their knowledge. ZAP (Zed Attack Proxy) is a penetration testing tool that was designed to overcome our personal limitations by collecting all the community’s understanding of potential vulnerabilities and weaknesses in web applications.
ZAP sits between the browser(s) of the security team and the web application being tested so it can modify any packets as it cycles through some of the possible attack vectors. It’s a proxy with enhanced capabilities for searching for weaknesses. Any pen tester can run through a collection of preset attacks codified in ZAP’s rule set. When needed, custom payloads and rules can be added to test particular dangers.
The system is being actively developed with an ambitious road map to add features like better scripting and broader support for more protocols like gRPC. Prebuilt packages for all major operating systems are also available.
Wireshark for packet analysis
One of the best ways to detect a data leak is to watch the communications lines, and Wireshark is one of the best tools for revealing just what is traveling through wired and wireless networks. The protocol analyzer, now revved past version 4.2, unpacks the bits and parses them according to the rules defined by hundreds of different protocol specifications.
The contributions of several hundred professionals have slowly turned a simple program once known as Ethereal into a tool that will reveal the different parts of the elaborate communications protocols supported by modern networks. If you’re curious about a particular kind of data traffic from a particular software package, you can define a capture filter that watches for it and sets it aside for a set of display filters to format for analysis.
The tool runs on most operating systems including Windows, MacOS and practically every flavor of Unix.
In recent years, the community has attracted more contributors who want to deliver better documentation and training. The website devoted to the tool now offers extensive manuals along with video and text courses on using Wireshark to reveal what’s flowing through your wires.
Bloodhound Community Edition and Autopsy for incident response and forensics
When a security breach unfolds, security experts turn to forensic tools to find clues by unpacking databases, log files and the strange corners of the operating system. A number of the best are open-source projects, and the community maintains not just the software but also the collections of artifacts that identify known malware.
Bloodhound Community Edition is an open-source version of the enterprise tool for examining a collection of compromised machines to find the attack path taken by the intruders. It uses a mixture of graph theory and knowledge of Azure and Windows Active Directory to reveal the steps in an attack. Security teams can then use this information to understand what has been compromised, plug holes and improve security.
Autopsy is another thorough tool for exploring a hard disk image. Dozens of modules extend the software with specific strategies for uncovering data for particular types of intrusion. The Hash Lookup module, for instance, computes MD5 and SHA-256 hashes of files and compares them to a database of known problematic files. The Extension Mismatch module looks inside files to see if the internal structure matches their name, because a mismatch is a good indication that an attacker may be hiding something. Training, support and custom modules are also available.
DFIR teams can deploy both tools to approach a compromised computer and understand just what happened to it after an event.
MISP for threat intelligence
One of the areas where open source shines is in supporting broad, collective efforts and the Malware Information Sharing Platform, commonly known as MISP, is one of the best examples. The system collects scraps of intelligence about potential vectors of attacks and offers a search engine for indexing them for correlations. Investigators and DFIR teams rely upon it when they begin to analyze forensic images.
The resulting database supports a flexible data model with objects that represent the various indicators of compromise (IoCs). Both technical and non-technical details are stored at each node. If there are similarities between the attributes, the indexing algorithm, which supports fuzzy matching, will automatically discover the connections.
MISP was built to support collaborative work, so teams can build shared timelines and event graphs through the graphical interface. Data can also be exported in the native formats of other tools to support cross-linking with them (including Suricata, Snort and Bro rules, OpenIOC, plain text, CSV, and MISP XML or JSON).
The project is supported by the European Union, and many local governments coordinate efforts through the various communities within the project. Source code for the web-based tools, largely written in PHP, is also available.
Let’s Encrypt and GNU Privacy Guard for encryption
Good encryption algorithms form the foundation for all security, delivering privacy, authentication, and assurance. All of the standard algorithms are available in a number of open-source libraries, and many of the tools that rely upon them are also open source, including Bouncy Castle, Java Cryptographic Extensions and GnuTLS, among others.
Let’s Encrypt, for example, is a collection of scripts that make it easy for a system administrator to add content encryption to a web server. The scripts ask several basic questions and then handle all the chores of generating certificates that enable web users to protect the data they read and the forms they submit when the data is in motion.
GNU Privacy Guard is a complete implementation of the PGP standard for protecting communications. The goal is to make it possible for end users to both encrypt and sign their email messages. Secure Shell interactions and S/MIME interactions are also supported.
More open-source security tools still going strong
Open source has always been a rich source of tools for security professionals. Metasploit, the open-source penetration testing framework, was for a long time the best-known. But information security is not restricted to the realm of researchers, investigators, and analysts, and neither are the five open-source security tools we survey below. IT administrators and software developers have a key role to play, and with these five tools, they can make a difference.
Yara for pattern matching
Malware researchers like to use Yara, the open source project from VirusTotal’s Víctor Manuel Álvarez, to identify and classify malicious file samples. However, the “pattern-matching Swiss Army knife” can do much more than straight malware classification. It can also be useful as part of incident response and forensics investigations. You create rules—composed of text strings, hexadecimal values, or regular expressions—and Yara crawls through the suspicious directories and files looking for any matches. While scanning files is the most common usage, Yara can also use the rules to examine running processes.
By analyzing files with Yara, researchers from Kaspersky Lab and AlienVault were able to link the attackers who breached Sony to other attacks in Asia last year.
A common attack technique is to replace system files with imposters to establish a backdoor into the machine. One way to keep an eye on whether or not the system files are intact is to look at MD5 and SHA-1 hashes. Another is to set up Yara rules for multiple strings or values in the system files and regularly scan those files. If the scan fails to find matches, you know the files have been modified—time to investigate. If an attacker has been uploading copies of command shells to unknown locations, Yara can look for those copies.
In addition to the preconfigured rules and the rules you create, Yara can use the virus signature files of open source antivirus tool ClamAV, as well as the rule sets available from the community-maintained YaraRules repository. The repository has predefined rules for detecting known packers or flagging malicious processes, for example. It’s also possible to tap the VirusTotal private API to set up triggers when a file scanned in the environment matches a file that has been uploaded to VirusTotal’s malware database. Yara doesn’t have to be run from the command-line interface; it has a Python library to integrate it into Python scripts.
Able to spot unwelcome changes to files or detect tell-tale patterns (Social Security numbers, administrative credentials, and so on) in unwelcome places (like outgoing email attachments), Yara is a powerful tool with a seemingly endless number of uses. There are limits to signature-based detection, so it would be a bad idea to rely on Yara exclusively to find malicious files. But considering its flexibility, missing out on this tool would not be a good idea, either.
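A rule file covering the three uses described above (the baseline check on system files, copies of a shell in unexpected places, and tell-tale patterns in outgoing attachments), as an added example that is not from the article or the YARA project; the marker string, the baseline hash placeholder and the scan paths are assumptions.

```yara
// Added example rules for the uses described above; they are not from the
// article or the YARA project. The marker string and baseline hash are
// constructed placeholders to be replaced with values from your own
// known-good files. Typical invocations:
//   yara -r rules.yar /usr/bin     (scan a directory tree)
//   yara rules.yar 1234            (scan the memory of process 1234)
import "hash"

// Integrity baseline for one system binary, as the text describes: the rule
// matches while the file is intact, so a scan that reports no match for
// /bin/ls is the signal that the file has been modified or replaced.
rule baseline_ls_intact
{
    meta:
        description = "/bin/ls still carries its expected marker and hash"
    strings:
        $elf   = { 7F 45 4C 46 }                       // hex: ELF magic bytes
        $usage = "Usage: %s [OPTION]... [FILE]..."     // text: constructed marker
    condition:
        $elf at 0 and $usage and
        hash.sha256(0, filesize) == "replace-with-lowercase-baseline-sha256"
}

// Copies of a command shell parked outside the usual system directories:
// scan /tmp, /var/tmp or home directories with -r and treat a hit as a lead.
rule shell_binary_copy
{
    strings:
        $elf     = { 7F 45 4C 46 }
        $bash    = "GNU bash, version"     // version banner carried by the bash binary
        $busybox = "BusyBox v"             // version banner carried by busybox
    condition:
        $elf at 0 and ($bash or $busybox)
}

// Tell-tale patterns in unwelcome places (the outgoing-attachment case in
// the text): several SSN-shaped numbers or a plaintext credential.
rule pii_or_credential_in_attachment
{
    strings:
        $ssn  = /\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b/                          // regex: SSN shape
        $cred = /(password|passwd|pwd)[ \t]*[=:][ \t]*[^ \t\r\n"']{6,}/ nocase // regex: key=value secret
    condition:
        filesize < 20MB and (#ssn >= 5 or $cred)
}
```

The first rule is deliberately inverted relative to the other two: its absence from the scan output, not its presence, is what tells you /bin/ls changed.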
OSquery to query the endpoint for system state
Imagine if locating malicious processes, rogue plugins, or software vulnerabilities in your Windows, MacOS, and Linux endpoints were a simple matter of writing a SQL query. That’s the idea behind OSquery, an open source tool from Facebook engineers that collects operating system information such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events, and file hashes into a relational database. If you can write a SQL query, that’s all you need to get answers to security questions—no complex code required.
For example, the following query would find all processes listening on network ports:
SELECT DISTINCT process.name, listening.port, listening.address, process.pid FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid;
This query would find anomalies in the Address Resolution Protocol (ARP) cache, which contains information about IP addresses and their resolved Ethernet physical addresses:
SELECT address, mac, COUNT(mac) AS mac_count FROM arp_cache GROUP BY mac HAVING COUNT(mac) > 1;
That’s much simpler than coding it in Python. OSquery tackles an important problem in a straightforward and elegant way (earning InfoWorld’s Technology of the Year award in 2017). The components include OSqueryi, an interactive shell that can be used with PowerShell, and OSqueryd, a daemon that performs low-level host monitoring and allows you to schedule queries.
There are many reasons why IT administrators may not be working with open source security tools, including concerns about maturity and support. More critical is the question of trust. Enterprises may be reluctant to rely on products from developers they know nothing about to protect their crown jewels.
The open source security projects on this list are backed by trusted names, and they should definitely be on your radar. Each of these tools addresses a specific security problem and leaves a limited footprint. It doesn’t hurt to give them a try. They could make a big difference in how you work—and the security of your environment.