swannysec Musings on InfoSec

Building an Analysis Toolkit Pt. 1



“A wise man without a book is like a workman with no tools.” - Supposed Moroccan Proverb

Where we’re going, both knowledge (books), and analytical aids (tools) will be required. Anyone working in security can attest to the fact that there’s simply too much going on at any given time to process and store solely in one’s own mind. This is particularly true when investigating something that may lead to hundreds, if not thousands of related domains, IP addresses, e-mails, or file hashes.

Fortunately, the days of simple notepads are long behind us. And while I still use both paper notepads and Microsoft OneNote for spur of the moment scribbling and free-form thought storage, there are now a whole host of analytical aids that serve not only to store investigative material, but to enrich that data via lookups and API integrations of varying sorts. Such tools vary in focus, platform, cost, and complexity, so just about anyone should be able to find tools that are a good fit for their purpose, budget, and personal workflow.

In part two of this post, I’ll be covering my own personal choices for investigative tools and sharing how I set them up. The remainder of this post, however, contains the goods: a curated list of investigative and analytical tools that I’ve collected over time. Some of these are things I use daily and some are simply things on my to-do list to check out, but I think all of these have merit and are worthy of your time and attention to explore.

The list leans toward the free/cheap side of things so there won’t be a slew of enterprise-grade products contained therein. It should also be noted that some of the tools listed likely fall into more than one category depending on the breadth of their feature sets; therefore, I have tried to give them the most logical home according to my own twisted mind. Finally, individual threat feeds, honeypots, and tools with more specific technical purposes such as deobfuscation or reversing are largely beyond the scope of this list. Enjoy.

Swanny’s Big List of Security Analysis Tools

Journaling/Incident Tracking/Note-taking

Name Description
FIR Fast Incident Response. Lightweight IR management platform. Will track and correlate manually entered IOCs.
SCOT Sandia Cyber Omni Tracker. IR management platform with robust IOC tracking/correlation and plugins for integration with other tools.
RTIR Request Tracker for Incident Response. Just what it sounds like. RT with built in workflows for IR.
threat_note Lightweight IoC tracking and enrichment, designed as a research tool.
Microsoft OneNote Great notetaking app. Store notebooks locally, or on cloud storage.
Evernote Robust cloud based notetaking app with great tagging system. Take note: No client-side encryption.
Cherrytree Simple local note-taking app with an organizational system similar to Evernote.

Threat Intelligence/IoC Aggregation and Processing

CIF Collective Intelligence Framework. Collects, aggregates, normalizes, and outputs IoCs in a variety of formats for operationalization. Can search via API/browser extensions as well. Self-hosted.
IntelMQ Collects and processes large volumes of threat intelligence from traditional feeds, pastebin, twitter, and more. Self-hosted.
CriticalStack Collects and aggregates threat intelligence and outputs to Bro signature files. Get creative and shape the output to your needs or wait for more output formats.
AlienVault OTX Open Threat Exchange. Free web-based threat intel collector/aggregator. Big focus on information sharing.
ThreatConnect Full threat intel platform. Enterprise-grade with a nice free feature set ideal for tracking and sharing IoCs individually or in a small team.
MISP Malware Information Sharing Platform. Great IoC management platform. Allows a variety of inputs and outputs and has a robust sharing framework.
CRITS Collaborative Research Into Threats. Similar concept to MISP, with a bigger focus on analysis.

Web-based Research Tools

PassiveTotal Excellent source of context for malware or IoC analysis. Whois lookups, passive DNS, SSL cert history, and tie ins with VirusTotal, Domaintools, Alienvault and more. Good free feature set.
ThreatCrowd Great search engine for IoCs complete with visualizations and RSS feeds. Free.
threatRecon Nice IoC lookup from Wapack Labs. Free after registration for 1000 searches a month.
malwr Online cuckoo malware sandbox analysis. Free.
VirusTotal Does this need a description? Analysis of files and URLs against known malware signatures and reputation data.
urlQuery URL lookup, provides whois and reputational data as well as running the page load through Snort and Suricata with advanced subscriptions.

Reconnaissance/Context Enrichment

Automater Given a domain or IP, gathers a boatload of useful intel from various web sources. Lightweight Python script.
Machinae Similar to Automater with more sources of intel, cleaner config, and additional inputs/outputs.
dnstwist Feed it a domain and it will spit out any existing domains that are similar. Useful when looking for fraud, phishing, or typosquatting.
FOCA Windows based recon tool for exploring/mapping domains and finding files, injection opportunities, or other security issues. Free.

Log Analysis/SIEM

Splunk Fantastic log analysis tool\SIEM with loads of integrations and flexibility. Allows for a ton of free-form analysis. Free to 500 MB/day indexing.
ELK Stack Elasticsearch, Logstash, Kibana. Open source log collector with great visualization via Kibana.
graylog Slightly easier to setup and use than ELK, has a growing featureset in visualization and plugins.

Visualization/Relationship Research

Maltego Industry standard for this type of work. Expensive, but decent free feature-set for getting started.
Orange Open-source visualization and data analysis.

Bonus Items - Random Stuff I Like

Dashkiosk Awesome rotating dashboard creator for static displays. Great for a NOC/SOC. Chromecast friendly!
Loki Scans hosts for presence of a variety of IoCs.
Gavel Nifty transforms for Maltego that allow an analyst to query traffic records, a lot of human intel possible here.


Author: John D. Swanson - Contact me at [email protected]
Opinions are my own and do not reflect those of my employer.
© 2018. All rights reserved.     Atom Feed