As we know, there are many moving parts to building a Security Operations Centre (SOC). From a technological point of view, it is very important to rely on open source to identify threats and reduce costs. From a DiD (Defense in Depth) point of view, there are many devices and technologies that must be used to build the SOC. Based on industry experience, the technologies below can be used to build an appropriate SOC that monitors threats and detects anomalies to safeguard the company.
Mainly, since most attacks come from outside, it is very important to use proper controls at the network perimeter. By using open source products, we can reduce product cost, and paid support is not a must-have.
1. IDS / IPS: Snort
The intrusion detection system is very important and is required to monitor traffic to identify or detect anomalies and attacks. Snort is one of the open source network-based intrusion detection/prevention systems that can perform real-time traffic analysis with packet logging on Internet Protocol networks. Snort has 5 important components that help detect attacks.
- Packet decoder
- Detection engine
- Logging and alerting system
- Output modules
Using the above components, Snort can detect network-based attacks or probes, including operating system fingerprinting attempts, semantic URL attacks, buffer overflows, SMBs (Server Message Blocks), and stealth port scanning. It can also detect attacks on web applications such as SQL injections.
Since Snort is only an engine, it needs a GUI for ease of use if you are not very familiar with the command line, so it is good to set up Snorby, which in turn requires a normal web server application such as Apache.
Part of Snort's value is that it can be configured in three separate modes: as a network sniffer, packet logger, or full IDS. As such, it can be the core of an automated security system or a component that sits alongside an array of commercial products.
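To make the detection engine and rule concepts concrete, here is an added example (not code from the original page or from the Snort project): a tiny matcher that parses three constructed rules in Snort rule syntax (content, nocase, |hex| bytes, sid) and runs them over constructed packet payloads, including the SQL injection and SMB cases the text mentions.

```python
import re

# Constructed sample rules in Snort syntax (SIDs in the local 1000000+ range).
RULE_TEXT = """
alert tcp any any -> any 80 (msg:"SQLi UNION SELECT in URI"; content:"union"; nocase; content:"select"; nocase; sid:1000001;)
alert tcp any any -> any 80 (msg:"Path traversal"; content:"../"; sid:1000002;)
alert tcp any any -> any 445 (msg:"SMB header on 445"; content:"|FF|SMB"; sid:1000003;)
"""

# header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$')

def decode_content(s):
    """Snort content value: literal text with |hex bytes| sections."""
    out = b''
    for i, part in enumerate(s.split('|')):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    action, proto, _src, _sport, _dst, dport, body = m.groups()
    rule = {'action': action, 'proto': proto, 'dport': dport,
            'contents': [], 'msg': '', 'sid': None}
    for opt in (o.strip() for o in body.split(';') if o.strip()):
        key, _, val = opt.partition(':')
        val = val.strip().strip('"')
        if key == 'content':
            rule['contents'].append([decode_content(val), False])  # [bytes, nocase]
        elif key == 'nocase' and rule['contents']:
            rule['contents'][-1][1] = True  # applies to the preceding content
        elif key == 'msg':
            rule['msg'] = val
        elif key == 'sid':
            rule['sid'] = int(val)
    return rule

RULES = [r for r in map(parse_rule, RULE_TEXT.splitlines()) if r]

def rule_matches(rule, proto, dport, payload):
    """All content patterns must be present (whole-payload search, as without distance/within)."""
    if rule['proto'] != proto or rule['dport'] not in ('any', str(dport)):
        return False
    return all((pat.lower() in payload.lower()) if nocase else (pat in payload)
               for pat, nocase in rule['contents'])

def inspect(proto, dport, payload):
    """Return the SIDs of rules that fire on one packet payload (bytes)."""
    return [r['sid'] for r in RULES if rule_matches(r, proto, dport, payload)]

if __name__ == '__main__':  # constructed packets
    print(inspect('tcp', 80, b"GET /item?id=1 UNION SELECT user,pass FROM users HTTP/1.1\r\n"))
    print(inspect('tcp', 445, b"\x00\x00\x00\x54\xffSMBr\x00\x00\x00\x00"))
```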
2. Vulnerability Scanner (OpenVAS)
To be proactive about security, it is very important to have a vulnerability scanner to analyze and confirm whether any asset is running with critical vulnerabilities that can lead to a breach or security attack. A vulnerability scanner ships with regularly updated scripts that are useful for identifying vulnerabilities in systems or applications. Periodically scan systems, especially external systems or systems connected to the Internet, and patch them regularly.
Tip: For each update or deployment, it is mandatory to ensure that all systems or applications have patches for existing vulnerabilities.
Several open source options exist, such as OpenVAS. Regular NVT (Network Vulnerability Test) updates are useful for detecting emerging vulnerabilities.
The OpenVAS engine can be used with the Greenbone and Barnyard GUI database to present complete results in the user interface. You can scan the entire system on the network, and it is good to run an authenticated scan with domain credentials. Greenbone offers options for creating credentials, hosts, tasks and schedules in the user interface. For details, see http://openvas.org/
3. Network Monitoring: Nagios
Nagios monitors the network: Infrastructure, traffic, and attached servers all fall within the reach of its basic or extended capabilities. As with many other open source packages, Nagios is available in both free and commercial versions.
Nagios Core is the heart of the open source project, based on the free, open source version. Individual products can be monitored, and individual tasks can be performed, by plug-ins; there are roughly 50 "official" plug-ins developed by Nagios and more than 3,000 plug-ins contributed by the community.
Nagios's user interface can be modified through a front end for the desktop, web, or mobile platform, and configuration can be managed through one of the available config tools.
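As an added illustration of how Nagios plug-ins work (this is example code, not part of the original page or of the Nagios project), here is a minimal check plug-in following the standard plug-in convention: one status line on stdout, optional perfdata after `|`, and exit code 0/1/2/3 for OK/WARNING/CRITICAL/UNKNOWN. It checks the age of a file such as an IDS rule set or scanner feed, since a stale feed is a silent blind spot; the file name and thresholds are assumptions.

```python
import os
import sys
import tempfile
import time

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Nagios plug-in exit codes

def check_file_age(path, warn_hours, crit_hours, now=None):
    """Return (exit_code, status_line) for the age of a feed/rule file."""
    now = time.time() if now is None else now
    try:
        age_h = (now - os.stat(path).st_mtime) / 3600.0
    except OSError as exc:
        return UNKNOWN, f"UNKNOWN - cannot stat {path}: {exc}"
    perf = f"age={age_h:.1f}h;{warn_hours};{crit_hours}"  # perfdata for graphing
    if age_h >= crit_hours:
        return CRITICAL, f"CRITICAL - {path} last updated {age_h:.1f}h ago | {perf}"
    if age_h >= warn_hours:
        return WARNING, f"WARNING - {path} last updated {age_h:.1f}h ago | {perf}"
    return OK, f"OK - {path} updated {age_h:.1f}h ago | {perf}"

def make_sample_file(age_hours, now):
    """Create a temp file whose mtime lies age_hours before now (constructed input)."""
    fd, path = tempfile.mkstemp(prefix="feed_")
    os.close(fd)
    stamp = now - age_hours * 3600
    os.utime(path, (stamp, stamp))
    return path

if __name__ == '__main__':
    # Hypothetical command definition: check_feed_age.py <file> <warn_h> <crit_h>
    if len(sys.argv) == 4:
        code, line = check_file_age(sys.argv[1], float(sys.argv[2]), float(sys.argv[3]))
    else:  # demo run on a constructed 30-hour-old file
        code, line = check_file_age(make_sample_file(30, time.time()), 24, 72)
    print(line)
    sys.exit(code)
```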
4. Maltego
Maltego is proprietary software used for open source intelligence and forensic analysis, developed by Paterva. Maltego focuses on providing a library of transformations for the discovery of open source data and visualizing that information in a graphical format, suitable for link analysis and data mining.
5. Vega
Vega is a free and open source web security scanner and web security testing platform for testing the security of web applications. Vega can help you find and validate SQL injection, cross-site scripting (XSS), inadvertently disclosed sensitive information and other vulnerabilities. It is written in Java, GUI-based, and runs on Linux, OS X and Windows.
6. Ettercap
If you need to test your enterprise network for resistance to man-in-the-middle attacks (MITM), then Ettercap is the tool for you. This program has been doing one thing – launching MITM attacks – since its initial release in 2001.
Ettercap has four basic modes of attack: IP-based, MAC-based, and two ARP-based strategies. You can decide which type of vulnerabilities to explore and look for how your environment responds to each.
In the process of scanning for a testing attack, Ettercap can provide a great deal of information about the network and its devices. As part of an overall security toolkit, Ettercap provides strong capabilities for MITM attacks and solid augmentation for analysis and visibility functions.
7. HoneyNet
Today, attackers become smarter every day, so it is good to have a Honeynet to see and analyze the attack patterns attackers try, in order to understand them and defend. It is a very important technology that is mandatory to deceive the attacker and safeguard the assets. You can use a Honeynet as an internal or external honeynet depending on the requirement. It simply mimics the services in use to divert actual attacks. HoneyNet has mainly 4 components, as mentioned below.
Nova user interface.
For more details on Honeynet, see https://www.honeynet.org/
8. Infection Monkey
Infection Monkey is a rather comprehensive testing tool designed to show you what can happen inside your network if an attacker is successful in breaching the perimeter. Developed and supported by GuardiCore, Infection Monkey is free and fully functional.
The user interface is among Infection Monkey's notable features. While some open source security projects provide minimalist UIs or depend on plug-ins or skins for a GUI, Infection Monkey has a GUI that is on par with many commercial software tools.
Source code for Infection Monkey is available on GitHub, with an active developer community around the project. Other tools are critical for probing your defenses for breach vulnerabilities; Infection Monkey can show you why you should strengthen your entire infrastructure.
9. Delta
Many options exist for testing security on traditional networks. However, testing the specific security issues that apply to software-defined networks (SDNs) is a still-developing field – and that's why Delta is important.
A project of the Open Networking Foundation (ONF), Delta looks for potential issues in an SDN and then probes the issues to help determine how exploitable they are. With a built-in fuzzing capability, Delta is designed to probe for the existence of both known and unknown network vulnerabilities.
Built on the foundation of previous ONF projects Florence and Poseidon, Delta's code and executables are available on GitHub and are still undergoing rapid development.
10. Lynis
Lynis is a tool that makes lists — lists of the applications and utilities it finds on Unix-based systems, lists of the versions of those systems, and lists of the vulnerabilities it finds in either the code or the configurations of each one.
With source code available on GitHub, Lynis has an active development community, with primary support coming from its creator, Cisofy. One of the special capabilities of Lynis is that, because of its Unix foundation, it is able to perform scanning and evaluation of popular IoT development boards, including the Raspberry Pi.