THE BEST OPEN SOURCE CYBER SECURITY TOOLS
There are many great paid-for cyber security tools. However, what if you are working on a budget, want to set up a research lab, or are looking for alternatives to the norm?
If any of the above apply to you, then here are some great free, open source cyber security tools, covering everything from SIEM and antivirus to threat intelligence and much more.
A lot of these tools, in my opinion, are actually better than their paid-for alternatives. I have tried to include all the tools you need to set up a SOC or a research lab, or just to run security monitoring within a small business.
THEHIVE, CORTEX AND MISP (INCIDENT RESPONSE, IOC ANALYZER AND THREAT SHARING)
I think it is worthwhile listing these three together, as they all tie in with each other brilliantly. To learn how to set this up well, look at this fantastic blog post – https://blog.agood.cloud/posts/2019/10/12/wrapup-of-thehive-misp-cortex/.
MISP (Malware Information Sharing Platform) – A platform for sharing, storing and correlating Indicators of Compromise from targeted attacks, but also threat intelligence such as threat actor information, financial fraud information and many other kinds of indicator.
TheHive – TheHive is a free, scalable, 4-in-1 open source security incident response platform designed to make life easier when dealing with security incidents that need to be investigated and acted upon swiftly.
Cortex – A powerful free and open source analysis engine. With it you can analyze (and triage) observables such as IPs, URLs and hashes at scale using more than 100 analyzers, such as VirusTotal.
AIL FRAMEWORK – ANALYSE AND DETECT INFORMATION LEAKS
The AIL Framework is a modular framework to analyse potential information leaks from unstructured data sources, like pastes from Pastebin or similar services or unstructured data streams. The AIL framework is flexible and can be extended to support other functionalities to mine or process sensitive information (e.g. data leak prevention).
The AIL Framework can also be used to create events on MISP and cases on TheHive.
SNORT – NETWORK INTRUSION DETECTION AND PREVENTION SYSTEM
Snort is a free and open-source Network Intrusion Prevention and Detection System. It uses a rule-based language, performs protocol analysis, content searching/matching, and can be used to detect a variety of attacks and probes. This includes buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
CLAMAV – ANTIVIRUS
Clam AntiVirus (ClamAV) is a free, cross-platform, open-source antivirus toolkit able to detect many types of malicious software, including viruses.
One of its main uses is on mail servers as a server-side email virus scanner. However, it is suitable for any system.
OSSIM – OPEN SOURCE SIEM
OSSIM from AlienVault is a feature-rich, open source SIEM complete with event collection, normalization and correlation. It includes things such as asset discovery, vulnerability management (VM), intrusion detection, user behaviour analytics (UBA) and correlation out of the box.
Another bonus of OSSIM is the fact that it can be linked to the popular AlienVault Open Threat Exchange (OTX). This allows alerting on potential connections with known malicious actors.
WAZUH – HOST INTRUSION DETECTION / MONITORING
Wazuh is a free, open-source host-based intrusion detection system. It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response.
ZEEK – NETWORK SECURITY MONITORING
Zeek is a bit different. It is not an active security device, like a firewall or intrusion prevention system. Rather, Zeek sits on a “sensor,” a hardware, software, virtual, or cloud platform that quietly and unobtrusively observes network traffic. Zeek interprets what it sees and creates compact, high-fidelity transaction logs, file content, and fully customized output, suitable for manual review on disk or in a more analyst-friendly tool like a security information and event management (SIEM) system.
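To show what those transaction logs look like and how an analyst can work with them without a SIEM, here is an added example (not Zeek's own code). It parses the tab-separated `conn.log` layout Zeek writes by default, using the `#fields`, `#types` and `#unset_field` header lines to type each column, then pulls out two simple signals: bytes sent out of the internal network per host, and connections that uploaded an unusually large amount. The log excerpt, the hosts and the UIDs are constructed; the `10.0.0.0/8` internal range is an assumption for the example.

```python
"""Parse a Zeek conn.log and extract a couple of analyst-facing signals.

Added example, not Zeek's own code. SAMPLE_CONN_LOG is a constructed excerpt in the
default conn.log layout (header lines starting with '#', tab-separated columns,
'-' for unset fields); the addresses and UIDs are made up.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional

SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring"
    "\tinterval\tcount\tcount\tstring\n"
    "1600000000.100000\tCabc1\t10.0.0.5\t51234\t93.184.216.34\t443\ttcp\tssl\t12.5\t1500\t42000\tSF\n"
    "1600000060.200000\tCabc2\t10.0.0.5\t51235\t198.51.100.7\t443\ttcp\tssl\t3600.0\t52000000\t1200\tSF\n"
    "1600000120.300000\tCabc3\t10.0.0.9\t40000\t10.0.0.1\t53\tudp\tdns\t0.02\t60\t120\tSF\n"
    "1600000180.400000\tCabc4\t10.0.0.9\t40001\t203.0.113.9\t22\ttcp\tssh\t-\t-\t-\tS0\n"
)

# Assumed internal address space for this example.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# How each Zeek column type is converted; anything not listed stays a string.
_CASTS = {"time": float, "interval": float, "count": int, "port": int}


def parse_conn_log(text: str) -> List[Dict[str, object]]:
    """Turn Zeek's TSV log into a list of dicts keyed by the #fields names."""
    fields: List[str] = []
    types: List[str] = []
    unset = "-"
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, rest = line[1:].partition("\t")
            if key == "fields":
                fields = rest.split("\t")
            elif key == "types":
                types = rest.split("\t")
            elif key == "unset_field":
                unset = rest
            continue
        cols = line.split("\t")
        rec: Dict[str, object] = {}
        for name, typ, raw in zip(fields, types, cols):
            rec[name] = None if raw == unset else _CASTS.get(typ, str)(raw)
        records.append(rec)
    return records


def is_internal(host: str) -> bool:
    return ipaddress.ip_address(host) in INTERNAL


def bytes_out_by_host(records: List[Dict[str, object]]) -> Dict[str, int]:
    """Sum orig_bytes each internal host sent to responders outside INTERNAL."""
    totals: Dict[str, int] = defaultdict(int)
    for r in records:
        if is_internal(r["id.orig_h"]) and not is_internal(r["id.resp_h"]):
            totals[r["id.orig_h"]] += r["orig_bytes"] or 0  # unset bytes count as 0
    return dict(totals)


def flag_large_uploads(records: List[Dict[str, object]], threshold: int = 10_000_000) -> List[str]:
    """UIDs of connections where an internal host sent more than threshold bytes out."""
    return [
        r["uid"] for r in records
        if not is_internal(r["id.resp_h"]) and (r["orig_bytes"] or 0) > threshold
    ]


def failed_attempts(records: List[Dict[str, object]]) -> List[str]:
    """UIDs with conn_state S0: a connection attempt that got no reply."""
    return [r["uid"] for r in records if r["conn_state"] == "S0"]


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    print(bytes_out_by_host(recs))
    print(flag_large_uploads(recs))
    print(failed_attempts(recs))
```

Because the parser reads the column names and types from the header rather than hard-coding them, the same function handles other Zeek logs (`dns.log`, `ssl.log`, `http.log`) unchanged; only the signal functions are `conn.log`-specific.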
PFSENSE – FIREWALL
pfSense is a free, open source customized distribution of FreeBSD specifically tailored for use as a firewall and router that is entirely managed via a web interface. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution.
MODSECURITY – WEB APPLICATION FIREWALL
ModSecurity is an open-source web application firewall (WAF). It provides an array of Hypertext Transfer Protocol request and response filtering capabilities along with other security features across a number of different platforms including Apache HTTP Server, Microsoft IIS and Nginx.
PACKETFENCE – NETWORK ACCESS CONTROL
PacketFence is an open-source network access control (NAC) system which provides the following features: registration, detection of abnormal network activities, proactive vulnerability scans, isolation of problematic devices, remediation through a captive portal, 802.1X, wireless integration and User-Agent / DHCP fingerprinting.
CALDERA AND BLOODHOUND – ADVERSARY EMULATION
Caldera and BloodHound are both ways to test the defenses you have set up, but they serve different purposes.
Caldera is a cyber security framework designed to easily run autonomous breach-and-simulation exercises. It can also be used to run manual red-team engagements or automated incident response.
BloodHound is an open source application used for analyzing the security of Active Directory domains. The tool is inspired by graph theory and Active Directory object permissions. It ingests data from Active Directory domains and highlights the potential for escalation of rights, thus uncovering hidden or complex attack paths that could compromise the security of a network.
I hope you have found this article helpful. Using these tools will allow you to set up a cheap security function or a research lab, or to replace existing tools.