The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) continues to grow its portfolio of open source security tools and administration scripts in its open source library online.
In the latest software drop, the agency released a tool – the CISA Hunt and Incident Response Program (CHIRP) – that aids in the collection of forensic evidence and indicators of compromise (IoCs) from on-premises systems. The program initially can detect known IoCs associated with the SolarWinds Orion compromise discovered in December 2020. The release of the tool comes three months after the agency released a similar tool, Sparrow, for collecting forensic data from cloud systems.
While many organizations have the resources to create and maintain their own set of internal tools and scripts, the CISA tools could satisfy a demand from smaller companies and security teams that want to verify they have not missed a compromise, says Tim Conway, curriculum lead for industrial control systems at the SANS Institute.
"Where these tools can be helpful is for those organizations that do not have access to in-house resources or commercial tools and would spend quite a bit of money on consultants or products that they did not budget for," he says.
Overall, CISA has published more than a dozen tools and hundreds of scripts that its administrators and security teams frequently use. In addition to Sparrow and CHIRP, the federal agency has released a network traffic analysis tool named Malcolm, a domain scanning tool that detects issues with HTTPS, and a utility for scanning domains for compliance with e-mail best practices. A list of the tools, sorted by popularity, can be found on GitHub.
CHIRP is written in Python for Windows. Initially, the default is to focus on IoCs associated with the SolarWinds Orion breach, such as the Teardrop and Raindrop malware, which load a beacon implant from Cobalt Strike, a legitimate penetration testing platform that has become increasingly popular with attackers. The program also identifies credential exfiltration scripts, some techniques used by malware to persist in environments, and a variety of enumeration and lateral movement techniques.
"The applications provided like CHIRP can be great resources for smaller organizations that do not already have access to similar commercial or open source tools or the resources available to customize and leverage the existing tools," he says. "From a learning perspective, it is important to provide information on what resources are available to security practitioners and hands-on lab experience in how to use them."
Of course, attackers often adopt the tools of cybersecurity researchers and security teams to make development easier and to hide among legitimate activity, and these tools have likely been analyzed by sophisticated and nation-state attackers. Techniques such as "living off the land," where attackers use administration tools already present on the system, have become extremely popular.
Defenders often leak a lot of information, such as security-control requirements and infrastructure information. Now attackers will be able to collect more information about the tools used by defenders to secure their networks.
"I have heard references throughout my career that we are in a chess game with adversaries, and if we are, it seems like one of the weirdest chess games played," says Conway. "Defenders are providing clear visibility to all of our pieces and where we are on the board ... meanwhile, we only get to discover where some of the adversary pieces are on the board after they have been there for a few months or years. I think we need to take some steps to help make the game a little more balanced."
While CISA's openness is commendable, Conway worries that the agency is exposing valuable information on defenders' tools and techniques. Reaching out to companies through information sharing and analysis centers (ISACs) or some other sector-related organizations may mitigate some of the risk, he says.
"It would be good to spend some time thinking about how this fails, before it does, and start by assuming these resources could have an adverse effect on a particular system," he says, "and assuming adversaries would target the tool repositories or run attack campaigns against critical infrastructure organizations who would be interested in obtaining the tools."