Dark Reading is part of the Informa Tech Division of Informa PLC

3/29/2021
09:00 AM

CISA Builds Out Defensive Tools for Security Teams

Need a tool to hunt for attacks in your network? The DHS agency bolsters the offerings in its open source toolbox.

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) continues to grow the portfolio of open source security tools and administration scripts it publishes online.

In the latest software drop, the agency released a tool – the CISA Hunt and Incident Response Program (CHIRP) – that aids in the collection of forensic evidence and indicators of compromise (IoCs) from on-premises systems. Initially, the program can detect known IoCs associated with the SolarWinds Orion compromise discovered in December 2020. The release of the tool comes three months after the agency released a similar tool, Sparrow, for collecting forensic data from cloud systems.

While many organizations have the resources to create and maintain their own set of internal tools and scripts, the CISA tools could satisfy a demand from smaller companies and security teams that want to verify they have not missed a compromise, says Tim Conway, curriculum lead for industrial control systems at the SANS Institute.

"Where these tools can be helpful is for those organizations that do not have access to in-house resources or commercial tools and would spend quite a bit of money on consultants or products that they did not budget for," he says.

Overall, CISA has published more than a dozen tools and hundreds of scripts that its administrators and security teams frequently use. In addition to Sparrow and CHIRP, the federal agency has released a network traffic analysis tool named Malcolm, a domain scanning tool that detects issues with HTTPS, and a utility for scanning domains for compliance with e-mail best practices. A list of the tools sorted by popularity can be found on GitHub.

CHIRP is written in Python for Windows. By default, it initially focuses on IoCs associated with the SolarWinds Orion breach, such as the malware known as Teardrop and Raindrop, which loads a Beacon implant from Cobalt Strike, a legitimate penetration testing platform that has become increasingly popular with attackers. The program also identifies credential exfiltration scripts, some techniques used by malware to persist in environments, and a variety of enumeration and lateral movement techniques.

"The applications provided like CHIRP can be great resources for smaller organizations that do not already have access to similar commercial or open source tools or the resources available to customize and leverage the existing tools," he says. "From a learning perspective, it is important to provide information on what resources are available to security practitioners and hands-on lab experience in how to use them."

Of course, attackers often adopt cybersecurity researchers' and security teams' tools as a way to make development easier and to hide among legitimate activity, and these tools have likely been analyzed by sophisticated and nation-state attackers. Techniques such as "living off the land," where attackers use administration tools already present on a system, have become extremely popular.

Defenders often leak a lot of information, such as security-control requirements and infrastructure details. Now attackers will be able to collect even more information about the tools defenders use to secure their networks.

"I have heard references throughout my career that we are in a chess game with adversaries, and if we are, it seems like one of the weirdest chess games played," says Conway. "Defenders are providing clear visibility to all of our pieces and where we are on the board ... meanwhile, we only get to discover where some of the adversary pieces are on the board after they have been there for a few months or years. I think we need to take some steps to help make the game a little more balanced."

While CISA's openness is commendable, Conway worries that the agency is exposing valuable information on defenders' tools and techniques. Reaching out to companies through information sharing and analysis centers (ISACs) or some other sector-related organizations may mitigate some of the risk, he says.

"It would be good to spend some time thinking about how this fails, before it does, and start by assuming these resources could have an adverse effect on a particular system," he says, "and assuming adversaries would target the tool repositories or run attack campaigns against critical infrastructure organizations who would be interested in obtaining the tools."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
Comments
Edrock200,
User Rank: Apprentice
3/30/2021 | 7:45:29 PM
Way to bury the lead...
Jason Sudekis is a cyber sme?! :) Jk bud. Thanks for the article. Good read.