
CISA Builds Out Defensive Tools for Security Teams

Need a tool to hunt for attacks in your network? The DHS agency bolsters the offerings in its open source toolbox.

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) continues to grow its portfolio of open source security tools and administration scripts in its open source library online.

In the latest software drop, the agency released a tool, the CISA Hunt and Incident Response Program (CHIRP), that aids in the collection of forensic evidence and indicators of compromise (IoCs) from on-premises systems. The program initially can detect known IoCs associated with the SolarWinds Orion compromise discovered in December 2020. The release of the tool comes three months after the agency released a similar tool, Sparrow, for collecting forensic data from cloud systems.


While many organizations have the resources to create and maintain their own set of internal tools and scripts, the CISA tools could satisfy a demand from smaller companies and security teams that want to verify they have not missed a compromise, says Tim Conway, curriculum lead for industrial control systems at the SANS Institute.

"Where these tools can be helpful is for those organizations that do not have access to in-house resources or commercial tools and would spend quite a bit of money on consultants or products that they did not budget for," he says.

Overall, CISA has published more than a dozen tools and hundreds of scripts that its administrators and security teams frequently use. In addition to Sparrow and CHIRP, the federal agency has released a network traffic analysis tool named Malcolm, a domain scanning tool that detects issues with HTTPS, and a utility for scanning domains for compliance with e-mail best practices. A list of the tools sorted by popularity can be found on GitHub.

CHIRP is written in Python for Windows. Initially, the default is to focus on IoCs associated with the SolarWinds Orion breach, such as the malware known as Teardrop and Raindrop, which load a beacon implant from Cobalt Strike, a legitimate penetration testing platform that has become increasingly popular with attackers. The program also identifies credential exfiltration scripts, some techniques used by malware to persist in environments, and a variety of enumeration and lateral movement techniques.

"The applications provided like CHIRP can be great resources for smaller organizations that do not already have access to similar commercial or open source tools or the resources available to customize and leverage the existing tools," he says. "From a learning perspective, it is important to provide information on what resources are available to security practitioners and hands-on lab experience in how to use them."

Of course, attackers often adopt cybersecurity researchers' and security teams' tools as a way to make development easier and hide among legitimate activity, and these tools have likely been analyzed by sophisticated and nation-state attackers. Techniques such as "living off the land," where attackers use legitimate administration tools, have become extremely popular.

Defenders often leak a lot of information, such as security-control requirements and infrastructure details. Now attackers will be able to collect more information about the tools defenders use to secure their networks.

"I have heard references throughout my career that we are in a chess game with adversaries, and if we are, it seems like one of the weirdest chess games played," says Conway. "Defenders are providing clear visibility to all of our pieces and where we are on the board ... meanwhile, we only get to discover where some of the adversary pieces are on the board after they have been there for a few months or years. I think we need to take some steps to help make the game a little more balanced."

While CISA's openness is commendable, Conway worries that the agency is exposing valuable information on defenders' tools and techniques. Reaching out to companies through information sharing and analysis centers (ISACs) or some other sector-related organizations may mitigate some of the risk, he says.

"It would be good to spend some time thinking about how this fails, before it does, and start by assuming these resources could have an adverse effect on a particular system," he says, "and assuming adversaries would target the tool repositories or run attack campaigns against critical infrastructure organizations who would be interested in obtaining the tools."

User Rank: Apprentice
3/30/2021 | 7:45:29 PM
Way to bury the lead...
Jason Sudekis is a cyber sme?! :) Jk bud. Thanks for the article. Good read.