

CISA Builds Out Defensive Tools for Security Teams

Need a tool to hunt for attacks in your network? The DHS agency bolsters the offerings in its open source toolbox.

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) continues to grow its portfolio of open source security tools and administration scripts in its open source library online.

In the latest software drop, the agency released a tool – the CISA Hunt and Incident Response Program (CHIRP) – that aids in the collection of forensic evidence and indicators of compromise (IoCs) from on-premises systems. The program initially can detect known IoCs associated with the SolarWinds Orion compromise discovered in December 2020. The release of the tool comes three months after the agency released a similar tool, Sparrow, for collecting forensic data from cloud systems.


While many organizations have the resources to create and maintain their own set of internal tools and scripts, the CISA tools could satisfy a demand from smaller companies and security teams that want to verify they have not missed a compromise, says Tim Conway, curriculum lead for industrial control systems at the SANS Institute.

"Where these tools can be helpful is for those organizations that do not have access to in-house resources or commercial tools and would spend quite a bit of money on consultants or products that they did not budget for," he says.

Overall, CISA has published more than a dozen tools and hundreds of scripts that its administrators and security teams frequently use. In addition to Sparrow and CHIRP, the federal agency has released a network traffic analysis tool named Malcolm, a domain scanning tool that detects issues with HTTPS, and a utility for scanning domains for compliance with e-mail best practices. A list of the tools sorted by popularity can be found on GitHub.

CHIRP is written in Python for Windows. Initially, the default is to focus on IoCs associated with the SolarWinds Orion breach, such as the Teardrop and Raindrop malware that loads a beacon implant from Cobalt Strike, a legitimate penetration testing platform that has become increasingly popular with attackers. The program also identifies credential exfiltration scripts, some techniques used by malware to persist in environments, and a variety of enumeration and lateral movement techniques.
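To show the basic shape of the kind of host-based IoC sweep the article describes, here is an added example of a minimal hash-matching hunt script. It is not CHIRP's code and does not reproduce any real indicator: the IoC set, the sample files and the "implant" label are all constructed for this illustration, and a real hunt would load published digests (for example from a CISA advisory) in place of the constructed dictionary.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed IoC set: the SHA-256 digest of sample content made up for this
# example, mapped to a descriptive label. Real hunts load vendor/CISA-published
# digests here instead.
SAMPLE_MALICIOUS_CONTENT = b"constructed sample payload -- not real malware\n"
IOC_SHA256 = {
    hashlib.sha256(SAMPLE_MALICIOUS_CONTENT).hexdigest(): "constructed-sample-implant",
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, ioc_hashes):
    """Walk root, hash every regular file, and return (path, label) for each IoC hit.

    Symlinks are skipped so a hunt cannot be steered outside the tree, and
    unreadable files are skipped rather than aborting the whole sweep.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # locked or permission-denied file: keep hunting
            label = ioc_hashes.get(digest)
            if label:
                hits.append((str(p), label))
    return hits


def build_sample_tree():
    """Create a constructed directory tree with two benign files and one IoC match."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    (Path(root) / "benign.txt").write_bytes(b"nothing to see here\n")
    sub = Path(root) / "Program Files" / "vendor"   # hypothetical vendor directory
    sub.mkdir(parents=True)
    (sub / "readme.txt").write_bytes(b"ordinary documentation\n")
    (sub / "helper.dll").write_bytes(SAMPLE_MALICIOUS_CONTENT)
    return root


def demo():
    """Build the constructed tree and sweep it; returns the list of IoC hits."""
    root = build_sample_tree()
    return scan_tree(root, IOC_SHA256)


if __name__ == "__main__":
    for path, label in demo():
        print(f"IoC match: {label} at {path}")
```

Hash matching is only the narrowest form of IoC detection: a recompiled or padded sample changes its digest, which is why tools in this space also look at persistence locations and behavioural indicators rather than file hashes alone. Running the sweep with a fresh interpreter from a read-only evidence mount keeps the hunt itself from altering timestamps on the system under review.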

"The applications provided like CHIRP can be great resources for smaller organizations that do not already have access to similar commercial or open source tools or the resources available to customize and leverage the existing tools," he says. "From a learning perspective, it is important to provide information on what resources are available to security practitioners and hands-on lab experience in how to use them."

Of course, the attackers often adopt cybersecurity researchers' and security teams' tools as a way to make development easier and hide among legitimate activity, and these tools have likely been analyzed by sophisticated and nation-state attackers. Techniques such as "living off the land," where attackers use administration tools, have become extremely popular. 

Defenders often leak a lot of information, such as security-control requirements and infrastructure information. Now attackers will be able to collect more information about the tools used by defenders to secure their networks. 

"I have heard references throughout my career that we are in a chess game with adversaries, and if we are, it seems like one of the weirdest chess games played," says Conway. "Defenders are providing clear visibility to all of our pieces and where we are on the board ... meanwhile, we only get to discover where some of the adversary pieces are on the board after they have been there for a few months or years. I think we need to take some steps to help make the game a little more balanced."

While CISA's openness is commendable, Conway worries that the agency is exposing valuable information on defenders' tools and techniques. Reaching out to companies through information sharing and analysis centers (ISACs) or some other sector-related organizations may mitigate some of the risk, he says.

"It would be good to spend some time thinking about how this fails, before it does, and start by assuming these resources could have an adverse effect on a particular system," he says, "and assuming adversaries would target the tool repositories or run attack campaigns against critical infrastructure organizations who would be interested in obtaining the tools."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

3/30/2021 | 7:45:29 PM
Way to bury the lead...
Jason Sudekis is a cyber sme?! :) Jk bud. Thanks for the article. Good read.