swannysec Musings on InfoSec

Building an Analysis Toolkit Pt. 1


“A wise man without a book is like a workman with no tools.” - Supposed Moroccan Proverb

Where we’re going, both knowledge (books), and analytical aids (tools) will be required. Anyone working in security can attest to the fact that there’s simply too much going on at any given time to process and store solely in one’s own mind. This is particularly true when investigating something that may lead to hundreds, if not thousands of related domains, IP addresses, e-mails, or file hashes.

Fortunately, the days of simple notepads are long behind us. And while I still use both paper notepads and Microsoft OneNote for spur of the moment scribbling and free-form thought storage, there are now a whole host of analytical aids that serve not only to store investigative material, but to enrich that data via lookups and API integrations of varying sorts. Such tools vary in focus, platform, cost, and complexity, so just about anyone should be able to find tools that are a good fit for their purpose, budget, and personal workflow.

In part two of this post, I’ll be covering my own personal choices for investigative tools and sharing how I set them up. The remainder of this post, however, contains the goods: a curated list of investigative and analytical tools that I’ve collected over time. Some of these are things I use daily and some are simply things on my to-do list to check out, but I think all of these have merit and are worthy of your time and attention to explore.

The list leans toward the free/cheap side of things so there won’t be a slew of enterprise-grade products contained therein. It should also be noted that some of the tools listed likely fall into more than one category depending on the breadth of their feature sets; therefore, I have tried to give them the most logical home according to my own twisted mind. Finally, individual threat feeds, honeypots, and tools with more specific technical purposes such as deobfuscation or reversing are largely beyond the scope of this list. Enjoy.

Swanny’s Big List of Security Analysis Tools

Journaling/Incident Tracking/Note-taking

Name Description
FIR Fast Incident Response. Lightweight IR management platform. Will track and correlate manually entered IOCs.
SCOT Sandia Cyber Omni Tracker. IR management platform with robust IOC tracking/correlation and plugins for integration with other tools.
RTIR Request Tracker for Incident Response. Just what it sounds like. RT with built in workflows for IR.
threat_note Lightweight IoC tracking and enrichment, designed as a research tool.
Microsoft OneNote Great notetaking app. Store notebooks locally, or on cloud storage.
Evernote Robust cloud based notetaking app with great tagging system. Take note: No client-side encryption.
Cherrytree Simple local note-taking app with an organizational system similar to Evernote.

Threat Intelligence/IoC Aggregation and Processing

CIF Collective Intelligence Framework. Collects, aggregates, normalizes, and outputs IoCs in a variety of formats for operationalization. Can search via API/browser extensions as well. Self-hosted.
IntelMQ Collects and processes large volumes of threat intelligence from traditional feeds, pastebin, twitter, and more. Self-hosted.
CriticalStack Collects and aggregates threat intelligence and outputs to Bro signature files. Get creative and shape the output to your needs or wait for more output formats.
AlienVault OTX Open Threat Exchange. Free web-based threat intel collector/aggregator. Big focus on information sharing.
ThreatConnect Full threat intel platform. Enterprise-grade with a nice free feature set ideal for tracking and sharing IoCs individually or in a small team.
MISP Malware Information Sharing Platform. Great IoC management platform. Allows a variety of inputs and outputs and has a robust sharing framework.
CRITS Collaborative Research Into Threats. Similar concept to MISP, with a bigger focus on analysis.

Web-based Research Tools

PassiveTotal Excellent source of context for malware or IoC analysis. Whois lookups, passive DNS, SSL cert history, and tie ins with VirusTotal, Domaintools, Alienvault and more. Good free feature set.
ThreatCrowd Great search engine for IoCs complete with visualizations and RSS feeds. Free.
threatRecon Nice IoC lookup from Wapack Labs. Free after registration for 1000 searches a month.
malwr Online cuckoo malware sandbox analysis. Free.
VirusTotal Does this need a description? Analysis of files and URLs against known malware signatures and reputation data.
urlQuery URL lookup, provides whois and reputational data as well as running the page load through Snort and Suricata with advanced subscriptions.

Reconnaissance/Context Enrichment

Automater Given a domain or IP, gathers a boatload of useful intel from various web sources. Lightweight Python script.
Machinae Similar to Automater with more sources of intel, cleaner config, and additional inputs/outputs.
dnstwist Feed it a domain and it will spit out any existing domains that are similar. Useful when looking for fraud, phishing, or typosquatting.
FOCA Windows based recon tool for exploring/mapping domains and finding files, injection opportunities, or other security issues. Free.

Log Analysis/SIEM

Splunk Fantastic log analysis tool\SIEM with loads of integrations and flexibility. Allows for a ton of free-form analysis. Free to 500 MB/day indexing.
ELK Stack Elasticsearch, Logstash, Kibana. Open source log collector with great visualization via Kibana.
graylog Slightly easier to setup and use than ELK, has a growing featureset in visualization and plugins.

Visualization/Relationship Research

Maltego Industry standard for this type of work. Expensive, but decent free feature-set for getting started.
Orange Open-source visualization and data analysis.

Bonus Items - Random Stuff I Like

Dashkiosk Awesome rotating dashboard creator for static displays. Great for a NOC/SOC. Chromecast friendly!
Loki Scans hosts for presence of a variety of IoCs.
Gavel Nifty transforms for Maltego that allow an analyst to query traffic records, a lot of human intel possible here.

Blog Setup


On choosing a blogging platform and setting up a no-nonsense blog.

When I decided to begin this endeavor, I almost decided not to blog the experience. I don’t enjoy narrative writing outside incident reports; it reminds me too much of my B.A. in Political Science. I’m also not a fan of most blogging platforms. Finding one that is a balance of ease of use, feature completeness, security (looking at you, Wordpress), and cost effectiveness can be a challenge.

I’m a big fan of clean and simple blogs. Brian Warehime’s Nullsecure.org is a prime example of what I like in a blog and served in large part as inspiration for this one. So initially I looked at the platform he chose, Ghost. Ghost is quite polished and preaches simplicity. It also seemed great from a feature standpoint, but as I dug in, it looked like many of the benefits were derived by subscribing as a Pro member, for $8/month. I’m a public sector employee working in education; needless to say, I don’t make a ton of money, so the idea of spending monthly just to host a blog didn’t sound appealing. I’d rather spend what I can on technical resources. Ghost does allow self-hosting for free, with fewer features, but I decided against that due to added complexity and a clunkier install process.

At that point, I went on the standard blog tour of many of the common names in the business such as Blogger and Wordpress, as well as some newer options like Medium. Ultimately, I stumbled into Tinypress. Tinypress offered dead-simple setup with a few clean themes, easy markdown drafting, and an Android app to boot. What I didn’t realize until I signed up was that it utilized GitHub Pages for hosting and Jekyll under the hood.

The setup process to get to a point where I could begin posting was no more than five minutes. Unfortunately, I quickly discovered the featureset for Jekyll running on GitHub Pages is somewhat limited due to the small number of GitHub Pages-friendly plugins. Basic things like social sharing buttons and tags are non-existent. So what did I do about it?

For social buttons, I initially looked at the buttons provided by the various social networks, but decided against these based on their need for javascript, the tracking inherently built-in to them, and their generally clunky nature. In the end, I chose the HTML button set provided by the kind folks over at SimpleShareButtons. These were easy to set up, they’re simple to add and format, and they do the job nicely without compromising anyone’s privacy. Check them out, they’re at the bottom of this post!

Getting tags up and running was a somewhat hairier proposition. There are loads of posts scattered across the internet regarding tag solutions and GitHub Pages. If you’re running a straight-up Jekyll instance, there are plugins for the purpose. As you might have guessed, GitHub doesn’t support these. After trying a number of solutions for GitHub-friendly tagging without any success, I found the solution provided by Sungjin Han over at meinside.pe.kr here. Again, straightforward and simple to set up with good results, mission accomplished!

My general impression of the Tinypress/GitHub Pages/Jekyll experience is that it’s a perfect option for either of two scenarios:

  1. You want a dead-simple no-frills blog free of any social integration or advanced features that can be easily edited and set up in minutes.
  2. You want a clean, straightforward blog and you’re willing to get your hands dirty with HTML, markdown (which is actually kramdown for those curious), and maybe some javascript to add in additional features such as social integration and post categorization that would otherwise be common to most blog platforms.

Overall I’m pleased with the results. I have a few minor issues to clean up, including a mixed content issue that appears to have been part of the Tinypress template I chose, but otherwise I’m satisfied with what I got for an evening’s worth of effort.

And Now for Something Completely Different...


In the words of the immortal Graham Chapman of Monty Python, “Right, what’s all this then?”

I have a confession: I’m burnt out.

I’ve been a security professional for the better part of seven years now. I’ve done everything from incident response, to network security (think firewalls/IDS), to risk assessments and security architecture. My industry demands that I be a jack-of-all-trades because we’re perpetually underfunded and undermanned. I’m the only person dedicated to security at an organization that protects almost 11-thousand users. Being spread that thin for that long will wear anyone out.

That said, I love my field. Information security is my passion and I want to continue to learn and grow. In an effort to focus that desire and avoid letting burnout beat me, I’ve decided to lay some groundwork for continuing professional development and share the journey here, mostly from a technical perspective.

So, other than a security professional, who am I? First and foremost, I’m the father of two wonderful children who challenge and delight me on a daily basis. I’m also a bit of a history/politics nerd, which actually serves me well in the information security field. I’m a football fan and a lover of craft beer. Finally, when I manage to carve the time, I still enjoy a good PC game; it’s hard not to when you were raised on Doom, Quake, and Descent.

What’s on tap? Much like Sir Bedevere, “I have a plan!”

Bedevere

Thankfully, my plan does not involve the misuse of Trojan rabbits. This blog will likely discuss professional development and my own journey from time to time, but the focus will be on the technical aspects of that work. I hope to share my experience as both a personal archive of the work and so that others may potentially benefit from the information. I have decided to focus my efforts on incident response, malware/intrusion analysis, and the curation and operationalization of threat intelligence. These are things I work on from time to time professionally, but despite the fact that I enjoy them immensely, they are not the focus of my job. I believe these areas are extremely valuable to any mature information security effort and I’d like to expand my horizons with regard to these specialties.

Thanks for reading, there’s more to come soon!



Author: John D. Swanson - Contact me at [email protected]
Opinions are my own and do not reflect those of my employer.
© 2018. All rights reserved.     Atom Feed