Dark Reading is part of the Informa Tech Division of Informa PLC


09:00 AM

CISA Builds Out Defensive Tools for Security Teams

Need a tool to hunt for attacks in your network? The DHS agency bolsters the offerings in its open source toolbox.

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) continues to grow the portfolio of open source security tools and administration scripts in its online library.

In the latest software drop, the agency released a tool – the CISA Hunt and Incident Response Program (CHIRP) – that aids in the collection of forensic evidence and indicators of compromise (IoCs) from on-premises systems. The program initially detects known IoCs associated with the SolarWinds Orion compromise discovered in December 2020. The release comes three months after the agency published a similar tool, Sparrow, for collecting forensic data from cloud systems.

While many organizations have the resources to create and maintain their own set of internal tools and scripts, the CISA tools could satisfy a demand from smaller companies and security teams that want to verify they have not missed a compromise, says Tim Conway, curriculum lead for industrial control systems at the SANS Institute.

"Where these tools can be helpful is for those organizations that do not have access to in-house resources or commercial tools and would spend quite a bit of money on consultants or products that they did not budget for," he says.

Overall, CISA has published more than a dozen tools and hundreds of scripts that its administrators and security teams use regularly. In addition to Sparrow and CHIRP, the federal agency has released a network traffic analysis tool named Malcolm, a domain scanning tool that detects issues with HTTPS, and a utility for scanning domains for compliance with e-mail best practices. A list of the tools sorted by popularity can be found on GitHub.

CHIRP is written in Python for Windows. By default, it initially focuses on IoCs associated with the SolarWinds Orion breach, such as the Teardrop and Raindrop malware that load a Beacon implant from Cobalt Strike, a legitimate penetration testing platform that has become increasingly popular with attackers. The program also identifies credential exfiltration scripts, some techniques malware uses to persist in environments, and a variety of enumeration and lateral movement techniques.

"The applications provided like CHIRP can be great resources for smaller organizations that do not already have access to similar commercial or open source tools or the resources available to customize and leverage the existing tools," he says. "From a learning perspective, it is important to provide information on what resources are available to security practitioners and hands-on lab experience in how to use them."

Of course, attackers often adopt the tools of cybersecurity researchers and security teams, both to make their own development easier and to hide among legitimate activity, and sophisticated and nation-state attackers have likely analyzed these tools already. Techniques such as "living off the land," in which attackers use legitimate administration tools, have become extremely popular.

Defenders already leak a great deal of information, such as security-control requirements and infrastructure details. Now attackers will be able to learn even more about the tools defenders use to secure their networks.

"I have heard references throughout my career that we are in a chess game with adversaries, and if we are, it seems like one of the weirdest chess games played," says Conway. "Defenders are providing clear visibility to all of our pieces and where we are on the board ... meanwhile, we only get to discover where some of the adversary pieces are on the board after they have been there for a few months or years. I think we need to take some steps to help make the game a little more balanced."

While CISA's openness is commendable, Conway worries that the agency is exposing valuable information on defenders' tools and techniques. Reaching out to companies through information sharing and analysis centers (ISACs) or some other sector-related organizations may mitigate some of the risk, he says.

"It would be good to spend some time thinking about how this fails, before it does, and start by assuming these resources could have an adverse effect on a particular system," he says, "and assuming adversaries would target the tool repositories or run attack campaigns against critical infrastructure organizations who would be interested in obtaining the tools."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

Reader comment, 3/30/2021, 7:45:29 PM:

Way to bury the lead...

Jason Sudekis is a cyber SME?! :) Jk bud. Thanks for the article. Good read.