Ten Open-Source EDR Tools to Enhance Your Cyber-Resilience Factor
How to integrate Open-Sources EDR Tools into your Cybersecurity Ecosystem
Last updated on December 6, 2023
There is a common saying in cybersecurity: "antivirus software is not enough." Antivirus engines often cannot handle advanced threats that are designed to evade signature-based detection.
To counter these threats a different approach was needed, and that is where EDR comes in. Open-source Endpoint Detection and Response (EDR) tools have become valuable allies in the ongoing battle against cyber threats.
Accessible and adaptable, they add a layer of defense that lets organizations detect, investigate, and respond to incidents effectively. One caveat up front: not every tool below is an EDR in the strict sense. Several are network IDS, vulnerability scanners, sandboxes, or attack-simulation tools that complement an EDR deployment, and the descriptions say so. Let’s explore them together:
1. OSSEC
OSSEC is free, open-source software that offers HIDS, host-level intrusion prevention (via active response), log analysis, real-time Windows registry monitoring, and other EDR-like features. It can be downloaded from the official website or from the project’s GitHub page. OSSEC is mostly aimed at large enterprises, SMBs, and government agencies in search of server intrusion detection.
LIDS (Log-based Intrusion Detection)
Collects and analyzes log data from multiple endpoints against a rule set (for example sshd, web server, and Windows event logs), raising alerts with a level from 0 to 15.
Malware and Rootkit Detection capabilities
Uses process- and file-level checks (rootcheck) to detect dormant or active malicious applications, rootkits included.
Active response and third-party integration: when a rule fires, OSSEC can run a script on the agent or on the server, for example to add a firewall block (firewall-drop) or a hosts.deny entry (host-deny). The documentation calls these “self-healing actions” without much elaboration. Be aware that anyone who can trigger such a rule can also trigger the block, so keep critical addresses in the active-response white list.
FIM (File Integrity Monitoring)
Real-time Windows registry and file monitoring (syscheck). It can keep a copy of monitored text files so that the change itself can be examined after the fact (report_changes), which helps forensic analysis.
Information gathering. Able to retrieve various kinds of software and hardware data: listening services, hardware information, installed software and versions, utilization, and network services.
OSSEC’s rules are mapped to common compliance frameworks such as CIS and PCI-DSS. The software runs on Windows, Linux, OpenBSD, macOS, Solaris, and FreeBSD. There is no support for mobile platforms such as Android or iOS.
2. TheHive Project
TheHive is a “security incident response platform for the masses”, built on open-source, scalable, and free components. It is designed to help CERTs, SOCs, and CSIRTs document security incidents faster and derive actionable next steps from cues such as observables or custom-created alerts.
In essence, TheHive is a collaboration platform that allows multiple users (investigators or analysts) to work on the same investigation at the same time. It offers features such as a live stream of case activity, real-time updates, task assignment, and more.
Real-time collaboration on a self-hosted instance. Advanced note-taking functions: custom tags, import of password-protected archives containing suspicious files or malware samples, a progress tracker, custom case templates, simple or elaborate metrics, and much more.
Advanced filtering options
Handles hundreds of observables per case. Users can import or create alerts from any event or alarm source, and custom filtering is available. Once an investigation is complete, its case template can be exported and reused to document similar occurrences.
Forensics and Incident Response
Cortex, TheHive Project’s companion (and likewise open-source) “observable analysis and active response engine”, gives a granular view of observables (IP addresses, URLs, email addresses, domain names, hashes, files, etc.) via a web interface. Other forensics and incident response features: custom scripts, API integration, and responders for containment actions.
Observables can be enriched with analyzers for popular web services such as PassiveTotal, Google Safe Browsing, Onyphe, Shodan, VirusTotal, etc. via the Cortex module. A multi-format parser (OLE, OpenXML) can be used to detect Visual Basic macros embedded in Office documents.
Python API client for automation
TheHive4py, the project’s Python client library, is not an EDR tool in itself, but it lets scripts create cases and alerts automatically from sources such as a SIEM or a mailbox. According to the product description, this makes it a valuable tool in the fight against Business Email Compromise, where user-reported emails can be turned into alerts at scale.
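The two tools above are usually chained: OSSEC raises the alert, TheHive tracks the investigation. The following is an added example (not OSSEC’s or TheHive’s own code) that parses OSSEC’s alerts.log, keeps the alerts above a level threshold, and builds the case and observable bodies for TheHive’s legacy REST endpoints (POST /api/case and POST /api/case/<id>/artifact with a bearer API key). The alert records and the OSSEC rule numbers used in SAMPLE_ALERTS are constructed for the example; the severity mapping and the endpoint paths are assumptions to verify against your TheHive version.

```python
"""Turn OSSEC alerts.log records into TheHive cases (added example, not project code).

Assumptions: alerts.log uses the classic OSSEC text layout shown in SAMPLE_ALERTS
(a '** Alert <epoch>.<n>: ...' header, a source line, a 'Rule: ...' line, then
free-form detail lines, records separated by blank lines), and TheHive exposes
POST /api/case and POST /api/case/<id>/artifact behind 'Authorization: Bearer'.
"""
import json
import re
import urllib.request

HEADER_RE = re.compile(r"^\*\* Alert (\d+)\.\d+: (.*)$")
SOURCE_RE = re.compile(r"^\d{4} \w{3} \d{2} [\d:]+ (?:\((\S+)\) )?(\S+)->(\S+)$")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
PATH_RE = re.compile(r"for: '([^']+)'")
MD5_RE = re.compile(r"^(Old|New) md5sum (?:was|is) ?: '([0-9a-f]{32})'")

# Constructed sample in the OSSEC alerts.log format; not a real capture.
SAMPLE_ALERTS = """\
** Alert 1701860000.12345: mail  - syscheck,
2023 Dec 06 10:13:20 (web01) 10.0.0.5->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is : '9e107d9d372bb6826bd81d3542a419d6'

** Alert 1701860100.12346: - syslog,sshd,authentication_success,
2023 Dec 06 10:15:00 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5715 (level 3) -> 'sshd: authentication success.'
Dec  6 10:14:59 web01 sshd[2201]: Accepted publickey for deploy from 10.0.0.9 port 51522 ssh2
"""


def parse_alerts(text):
    """Split alerts.log text into records and pull out the fields worth indexing."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER_RE.match(lines[0])
        if not head:
            continue  # not an alert record (e.g. a stray log line)
        flags, _, groups = head.group(2).partition("-")
        alert = {
            "epoch": int(head.group(1)),
            "mailed": "mail" in flags,  # OSSEC prefixes 'mail' when the alert was e-mailed
            "groups": [g.strip() for g in groups.split(",") if g.strip()],
            "agent": None, "agent_ip": None, "location": None,
            "rule_id": None, "level": 0, "description": "", "details": [],
        }
        for line in lines[1:]:
            rule = RULE_RE.match(line)
            if rule:
                alert["rule_id"], alert["level"] = int(rule.group(1)), int(rule.group(2))
                alert["description"] = rule.group(3)
                continue
            src = SOURCE_RE.match(line)
            if src and alert["rule_id"] is None:  # the source line precedes the rule line
                alert["agent"], alert["agent_ip"], alert["location"] = src.groups()
                continue
            alert["details"].append(line)
        alerts.append(alert)
    return alerts


def escalate(alerts, min_level=7):
    """OSSEC levels run 0-15; level 7 is where 'something changed' starts, hence the default cut."""
    return [a for a in alerts if a["level"] >= min_level]


def severity_for(level):
    """Map an OSSEC level onto TheHive's 1 (low) / 2 (medium) / 3 (high) severities (this example's mapping)."""
    return 3 if level >= 12 else 2 if level >= 7 else 1


def observables_for(alert):
    """Observables TheHive can pivot on: reporting agent address, changed path, hash after the change."""
    obs = [{"dataType": "ip", "data": alert["agent_ip"], "message": "reporting agent",
            "tlp": 2, "ioc": False}] if alert["agent_ip"] else []
    for line in alert["details"]:
        path = PATH_RE.search(line)
        if path:
            obs.append({"dataType": "other", "data": path.group(1), "message": "changed file", "tlp": 2, "ioc": False})
        digest = MD5_RE.match(line)
        if digest and digest.group(1) == "New":
            obs.append({"dataType": "hash", "data": digest.group(2), "message": "md5 after change", "tlp": 2, "ioc": False})
    return obs


def case_payload(alert):
    """Body for POST /api/case."""
    host = alert["agent"] or "localhost"
    return {
        "title": f"OSSEC rule {alert['rule_id']} on {host}: {alert['description']}",
        "description": "\n".join(alert["details"]) or alert["description"],
        "severity": severity_for(alert["level"]),
        "tlp": 2,
        "tags": ["ossec", f"rule:{alert['rule_id']}", f"level:{alert['level']}"] + alert["groups"],
    }


def send_case(base_url, apikey, case, observables):
    """Create the case, then attach each observable (network side effect; not exercised offline)."""
    def post(path, body):
        req = urllib.request.Request(
            base_url.rstrip("/") + path, data=json.dumps(body).encode(), method="POST",
            headers={"Authorization": f"Bearer {apikey}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    created = post("/api/case", case)
    for ob in observables:
        post(f"/api/case/{created['id']}/artifact", ob)
    return created["id"]
```

Run `escalate(parse_alerts(open("/var/ossec/logs/alerts/alerts.log").read()))` on the OSSEC server and feed each result to `case_payload`, `observables_for` and `send_case`. Only the syscheck alert (level 7) in the sample is escalated; the successful SSH login (level 3) stays in the log. Parsing the text log is deliberate: it works on any OSSEC version, whereas JSON alert output is not enabled everywhere.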
3. osquery
osquery is an open-source (Apache 2.0 / GPL dual-licensed) endpoint instrumentation tool, originally from Facebook and now a Linux Foundation project, that increases visibility over your fleet. It exposes the operating system as a set of relational tables (processes, users, listening ports, installed packages, kernel modules, and many more) that can be queried with standard SQL, which simplifies investigations and audits. osquery is intended for SMBs and enterprises.
Installation packages for Windows, macOS, CentOS/RHEL, Ubuntu/Debian, and FreeBSD are published on the official website; table coverage differs between platforms.
Interactive querying console
A comprehensive SQL console (osqueryi) that gives you a bird’s-eye view of the operating system. With its tables and the .tables/.schema helpers, the console lets a user or investigator quickly gather valuable system data.
Language bindings are available (Thrift-based extension SDKs for Python, Go, and others). All components are modular and built on open APIs.
Powerful host-monitoring daemon
osqueryd, the daemon, runs scheduled queries, logs the results (by default only the differences between runs) and ships them to a log aggregator or SIEM. The resulting logs provide insight into the system’s security posture as well as its configuration, performance, and infrastructure health.
Other features: AWS (Kinesis/Firehose) logging, file integrity monitoring, YARA scanning, anomaly detection via differential logs, process auditing (auditd on Linux, EndpointSecurity on macOS), remote configuration through a TLS server, advanced log aggregation settings, and more.
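A concrete hunt shows what the SQL-over-the-OS model buys you. The following added example (not osquery’s own code) joins the real osquery tables `processes` and `listening_ports` to find every non-loopback listener and its owning process, then flags the ones whose binary has been deleted, lives in a temp directory, or listens on an unexpected port. SAMPLE_ROWS is a constructed imitation of `osqueryi --json` output for a Linux host, not a real capture; `run_query` is only for live use and needs osqueryi on PATH.

```python
"""Hunt for suspicious network listeners with osquery (added example, not osquery's code).

QUERY uses the real osquery tables `processes` and `listening_ports`. SAMPLE_ROWS is a
constructed imitation of `osqueryi --json` output (all values are strings, as osquery emits
them). triage() and schedule_entry() work offline; run_query() needs osqueryi installed.
"""
import json
import shutil
import subprocess

# Join every non-loopback listener to the process that owns it.
QUERY = """
SELECT p.pid, p.name, p.path, p.cmdline, p.on_disk, p.uid,
       l.port, l.protocol, l.address
FROM listening_ports AS l
JOIN processes AS p USING (pid)
WHERE l.port != 0 AND l.address NOT IN ('127.0.0.1', '::1')
"""

# Directories from which a legitimate service should not be running.
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

# Constructed sample rows, shaped like `osqueryi --json "<QUERY>"` on a Linux host.
SAMPLE_ROWS = json.loads("""[
 {"pid":"812","name":"sshd","path":"/usr/sbin/sshd","cmdline":"/usr/sbin/sshd -D",
  "on_disk":"1","uid":"0","port":"22","protocol":"6","address":"0.0.0.0"},
 {"pid":"4410","name":"kworker","path":"/tmp/.x/kworker","cmdline":"/tmp/.x/kworker",
  "on_disk":"1","uid":"1001","port":"4444","protocol":"6","address":"0.0.0.0"},
 {"pid":"5120","name":"httpd","path":"/usr/sbin/httpd","cmdline":"/usr/sbin/httpd",
  "on_disk":"0","uid":"33","port":"8080","protocol":"6","address":"0.0.0.0"}
]""")


def run_query(sql=QUERY):
    """Run the SQL through osqueryi and return the rows as a list of dicts."""
    exe = shutil.which("osqueryi")
    if exe is None:
        raise RuntimeError("osqueryi not found on PATH")
    out = subprocess.run([exe, "--json", sql], check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def triage(rows, allowed_ports=(22, 80, 443), suspicious_dirs=SUSPICIOUS_DIRS):
    """Flag listeners whose binary is gone, lives in a temp dir, or uses an unexpected port."""
    findings = []
    for row in rows:
        port, reasons = int(row["port"]), []
        if row["on_disk"] == "0":  # osquery: 0 = the process path no longer exists on disk
            reasons.append("binary deleted from disk")
        if row["path"].startswith(suspicious_dirs):
            reasons.append("binary in a world-writable temp directory")
        if port not in allowed_ports:
            reasons.append(f"unexpected listening port {port}")
        if reasons:
            findings.append({"pid": int(row["pid"]), "name": row["name"], "path": row["path"],
                             "port": port, "uid": int(row["uid"]), "reasons": reasons})
    return findings


def schedule_entry(name="suspicious_listeners", interval=300):
    """osquery.conf fragment so osqueryd runs the hunt every `interval` seconds and logs the diffs."""
    return {"schedule": {name: {"query": " ".join(QUERY.split()), "interval": interval, "snapshot": False}}}
```

On the sample rows, `sshd` is clean, the process calling itself `kworker` is flagged twice (it runs from /tmp and listens on 4444) and `httpd` is flagged because its binary was unlinked after start, a classic sign of a swapped-in implant. Drop `schedule_entry()` into osquery.conf and osqueryd will emit a differential log line whenever a new listener appears, which is the event to forward to your SIEM.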
4. Nessus Vulnerability Scanner
Nessus is a vulnerability scanner from Tenable. It has not been open source since version 3 (2005); today it is a commercial product with a free “Nessus Essentials” tier limited to 16 IP addresses, so it is the one entry on this list that is not open source. It scans hosts and services for known vulnerabilities, the entry points that malicious actors exploit. Nessus has no EDR capabilities as such, but it is efficient at finding weaknesses before an attacker does. It runs on Linux, Windows, and macOS.
Custom scripting and multiple plug-ins
Nessus plugins are written in NASL (Nessus Attack Scripting Language), and users can write their own. The stock plugins cover areas such as service detection, processor information, the Microsoft Windows ARP table, recent file history, a warning when a Windows scan was not run with administrative privileges, Microsoft Windows last boot time, and many more.
When a vulnerability is detected, the scanner also reports remediation advice (patch, configuration change, or vendor reference).
In-depth vulnerability scanning
Once deployed, Nessus checks a target against a plugin feed that now contains well over a hundred thousand checks, each covering a specific vulnerability or configuration issue. Credentialed scans give the most complete results, since many checks can only be run from inside the host.
5. Snort
Snort is an open-source and robust intrusion detection and prevention system that identifies threats by analyzing network traffic in real time and by packet logging. It runs on Fedora, CentOS, FreeBSD, Windows, and most other Linux distributions. Snort is a network sensor rather than an endpoint agent, so strictly speaking it is a NIDS/NIPS and not an EDR, but it complements endpoint tools during audits or investigations.
Snort can be run in three modes: sniffer (reads packets and prints them to the console), packet logger (writes each packet to local disk), and NIDS (real-time analysis of network traffic against a rule set, with inline blocking when deployed in the traffic path).
Tunneling Protocol Support for most common formats
Snort can decode the following tunneling protocols: PPTP over GRE, MPLS, GRE, IP-in-IP, and ERSPAN.
Multiple NIDS Mode Output options
In NIDS mode the alert output is selected with -A: fast (one-line alerts), full (full alert with packet headers), unsock (sends alerts to a Unix socket), none (disables alerting), console (fast-style alerts printed on screen), and cmg (alerts in the CMG style with a packet dump).
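Whichever output mode you pick, the quality of the deployment is the quality of the rules, and rule files accumulate mistakes (duplicate sids, missing revisions, rules that match everything and cost CPU). The following added example (not Snort’s own code) parses classic Snort 2 rule syntax into header and options and lints a ruleset for those problems. SAMPLE_RULES is a constructed ruleset written for this example, not rules from the Snort community feed.

```python
"""Parse and lint Snort rules (added example, not Snort's own code).

Handles the classic Snort 2 syntax: action proto src sport dir dst dport (options;).
SAMPLE_RULES is constructed for this example and is not from any published feed.
"""
import re

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

SAMPLE_RULES = """
# constructed ruleset for this example
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force attempt"; flow:to_server,established; content:"SSH-"; depth:4; detection_filter:track by_src, count 5, seconds 60; classtype:attempted-admin; sid:1000001; rev:2;)
alert tcp any any -> any any (msg:"Broad rule; no content"; sid:1000002; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"DNS query for known bad domain"; content:"|03|bad|07|example|03|com|00|"; nocase; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP echo request"; itype:8;)
"""


def split_options(opts):
    """Split 'msg:"a;b"; sid:1;' into [('msg', '"a;b"'), ('sid', '1')], honouring quotes."""
    items, buf, in_quotes = [], [], False
    for ch in opts:
        if ch == '"' and not (buf and buf[-1] == "\\"):
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            item = "".join(buf).strip()
            if item:
                key, _, value = item.partition(":")
                items.append((key.strip(), value.strip()))
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:  # last option written without a trailing ';'
        key, _, value = tail.partition(":")
        items.append((key.strip(), value.strip()))
    return items


def parse_rule(line):
    """Return header fields plus the option list, or None if the line is not a rule."""
    m = RULE_RE.match(line)
    if not m:
        return None
    rule = m.groupdict()
    rule["raw"] = line
    rule["options"] = split_options(rule.pop("opts"))
    lookup = dict(rule["options"])  # last occurrence wins; fine for msg/sid/rev
    rule["sid"] = int(lookup["sid"]) if "sid" in lookup else None
    rule["rev"] = int(lookup["rev"]) if "rev" in lookup else None
    rule["msg"] = lookup["msg"].strip('"') if "msg" in lookup else None
    return rule


def parse_rules(text):
    """Parse every non-comment, non-blank line of a rules file."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rule = parse_rule(line)
            if rule:
                rules.append(rule)
    return rules


def validate(rules):
    """Lint findings: missing msg/sid/rev, duplicate sids, any->any rules with no content/pcre match."""
    problems, seen = [], {}
    for rule in rules:
        label = f'rule "{rule["msg"] or rule["raw"][:40]}"'
        for key in ("msg", "sid", "rev"):
            if rule[key] is None:
                problems.append(f"{label}: missing {key}")
        if rule["sid"] is not None:
            if rule["sid"] in seen:
                problems.append(f'{label}: duplicate sid {rule["sid"]} (also used by "{seen[rule["sid"]]}")')
            else:
                seen[rule["sid"]] = rule["msg"]
        keys = {k for k, _ in rule["options"]}
        if {rule["src"], rule["dst"], rule["dport"]} == {"any"} and not keys & {"content", "pcre"}:
            problems.append(f"{label}: any->any with no content/pcre, every packet hits the detection engine")
    return problems
```

Run `validate(parse_rules(open("local.rules").read()))` before `snort -T -c snort.conf` (Snort’s own config test) in a commit hook; Snort will reject some of these mistakes at load time, but a duplicate sid across two files or an any->any rule without a content match loads fine and only shows up later as lost alerts or a saturated sensor.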
6. Ettercap Project
Ettercap is a cross-platform, open-source suite for man-in-the-middle attacks on a LAN (ARP poisoning and others). It is an offensive tool rather than an EDR: network traffic interception, active eavesdropping on many common protocols, network security auditing, and protocol dissection. Its place in a defensive program is in testing whether your switches, dynamic ARP inspection, and transport encryption hold up, and in generating realistic MitM traffic to validate detection rules.
Ettercap runs on Linux, Solaris, BSD, macOS, and Microsoft Windows.
Ettercap can sniff in two ways. In promiscuous mode the network interface passes every frame it sees up to the host, not just frames addressed to it, which only yields other hosts’ traffic on hubs, mirror ports, or wireless segments. With ARP poisoning, Ettercap sends forged ARP replies so that victims and the gateway send their traffic through the attacker’s machine, which works on switched LANs.
Both approaches yield precious forensic information, and the user controls how the tool behaves during the MitM session.
Passive OS fingerprinting of hosts in real time.
Filter incoming and outgoing packets by source and destination IP address.
Ettercap’s capabilities can be extended through plug-ins and its own filter language (etterfilter), which can modify packets in transit.
7. Infection Monkey
Infection Monkey is a free and open-source breach and attack simulation tool that models system breaches and APT-style (Advanced Persistent Threat) lateral movement. Originally developed by Guardicore (now part of Akamai), it is aimed at sysadmins and security teams who want to probe a company’s infrastructure for exploitable weaknesses. Infection Monkey runs on Microsoft Windows, Linux, and macOS.
Run real-life infection scenarios
Infection Monkey can simulate numerous attack techniques, with exploiters for Shellshock, SambaCry, ElasticGroovy (Elasticsearch), Struts2, WebLogic, and Hadoop, along with credential theft and brute-force logins.
Advanced detection capabilities
Guardicore’s tool reports several detection-relevant findings, such as alerts on cross-segment traffic (to check whether your network segmentation policies are actually enforced), tunneling (an alert whenever the monkey managed to tunnel through a host), and credential analysis (reused or weak credentials found during the run).
8. Cuckoo Sandbox
Cuckoo Sandbox is an open-source automated malware analysis system that detonates suspicious files in an isolated environment and records what they do. The host runs on Linux (or macOS); samples can be analyzed inside Windows, Linux, macOS, and Android guests.
Powerful file analyzer
Can probe various file formats and types (Office documents, PDFs, executables, emails, URLs, etc.). Samples are executed in virtual machines (VirtualBox, KVM, VMware, and others) managed by Cuckoo, with the guest network isolated or routed through a controlled path.
Advanced memory and network analysis
Probe process memory with YARA and Volatility. Network traffic is captured to a PCAP and analyzed; TLS/SSL sessions can be decrypted when the session keys are captured in the guest.
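The output of all that instrumentation is a large JSON report, and the analyst’s first job is to reduce it to a verdict and a handful of IOCs. The following added example (not Cuckoo’s own code) does that triage: it keeps the behavioural signatures above a severity threshold, pulls registry IOCs out of their marks, and filters sandbox noise (the NAT gateway, RFC 1918 addresses, well-known benign domains) out of the network section. It assumes the Cuckoo 2.x report layout (info.score, target.file, signatures[].marks, network.hosts/domains/http); SAMPLE_REPORT is a constructed, trimmed report rather than real analysis output, and the verdict thresholds are this example’s, not Cuckoo’s. Reports come from the Cuckoo REST API at GET /tasks/report/<task_id> (port 8090 by default) after submitting a sample to POST /tasks/create/file.

```python
"""Triage a Cuckoo Sandbox JSON report (added example, not Cuckoo's own code).

Assumes the Cuckoo 2.x report layout: info.score, target.file.{name,sha256},
signatures[].{name,severity,description,marks}, network.{hosts,domains,http}.
SAMPLE_REPORT is constructed and trimmed; verdict thresholds are this example's.
"""
import ipaddress
import json
import urllib.request

# Guest-side noise: sandbox NAT gateway, RFC 1918 space, loopback, link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Benign domains almost every Windows guest contacts; extend per environment.
DOMAIN_ALLOWLIST = {"ocsp.digicert.com", "ctldl.windowsupdate.com", "time.windows.com"}

SAMPLE_REPORT = {  # constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
    "info": {"id": 42, "score": 7.2, "duration": 120},
    "target": {"category": "file", "file": {"name": "invoice.docm",
               "sha256": "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b"}},
    "signatures": [
        {"name": "office_macro", "severity": 2, "description": "The Office file contains a VBA macro", "marks": []},
        {"name": "creates_exe", "severity": 2, "description": "Creates an executable file on the filesystem", "marks": []},
        {"name": "persistence_autorun", "severity": 3, "description": "Installs itself for autorun at Windows startup",
         "marks": [{"type": "ioc", "category": "registry",
                    "ioc": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"}]},
        {"name": "antisandbox_sleep", "severity": 1, "description": "A process attempted to delay the analysis task", "marks": []},
    ],
    "network": {
        "hosts": ["10.0.2.2", "203.0.113.10"],
        "domains": [{"domain": "ocsp.digicert.com", "ip": "198.51.100.7"},
                    {"domain": "update-check.example", "ip": "203.0.113.10"}],
        "http": [{"method": "POST", "host": "update-check.example", "uri": "http://update-check.example/gate.php"}],
    },
}


def is_local(ip):
    """True for addresses that belong to the sandbox network rather than the outside world."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_NETS)


def fetch_report(task_id, base_url="http://127.0.0.1:8090"):
    """GET /tasks/report/<id> from the Cuckoo REST API (network side effect; not exercised offline)."""
    with urllib.request.urlopen(f"{base_url}/tasks/report/{task_id}", timeout=30) as resp:
        return json.load(resp)


def triage(report, min_severity=2, allowlist=DOMAIN_ALLOWLIST):
    """Reduce a report to verdict, ranked signatures and de-noised network/registry IOCs."""
    sigs = sorted((s for s in report.get("signatures", []) if s.get("severity", 0) >= min_severity),
                  key=lambda s: -s["severity"])  # stable sort keeps Cuckoo's order within a severity
    max_sev = max((s["severity"] for s in sigs), default=0)
    score = report.get("info", {}).get("score", 0)
    verdict = ("malicious" if score >= 5 or max_sev >= 3
               else "suspicious" if score >= 2 or max_sev >= 2 else "clean")
    net = report.get("network", {})
    return {
        "sha256": report["target"]["file"]["sha256"],
        "name": report["target"]["file"]["name"],
        "score": score,
        "verdict": verdict,
        "signatures": [{"name": s["name"], "severity": s["severity"], "description": s["description"]} for s in sigs],
        "registry_iocs": [m["ioc"] for s in sigs for m in s.get("marks", [])
                          if m.get("type") == "ioc" and m.get("category") == "registry"],
        "domains": [d["domain"] for d in net.get("domains", []) if d["domain"] not in allowlist],
        "hosts": [h for h in net.get("hosts", []) if not is_local(h)],
        "urls": [h["uri"] for h in net.get("http", []) if h.get("host") not in allowlist],
    }
```

For the sample, `triage()` returns a malicious verdict, the Run-key persistence entry, one contacted domain and one external IP, which is exactly the set of observables worth pushing into TheHive or blocking at the proxy; the OCSP lookup and the VirtualBox gateway are dropped as noise. Keep the allowlist short and specific: an attacker who fronts C2 with a popular CDN hostname would otherwise disappear from the report.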
9. GRR Rapid Response
GRR Rapid Response is an Apache-licensed, open-source incident response framework for remote live forensics. It can be used to perform detailed forensic collection on a large number of endpoints at once. GRR is compatible with Microsoft Windows, macOS, and most Linux builds.
YARA library support for scanning memory and files
Search and download features for registry entries and files
API built on RESTful JSON and a Web UI written in AngularJS. Client libraries are available for Go, PowerShell, and Python
Scales to large fleets
Collection can be automated: a hunt schedules the same flow across many clients
10. Mozilla MIG
Mozilla InvestiGator (MIG) is a free forensics platform for querying remote endpoints in near real time. It runs on Windows, Linux, and macOS. A relatively simple tool, but helpful for confirming IOCs across a fleet.
Memory, files, and network inspection
Full system auditing
As an open-source forensics tool, MIG now has limited prospects: Mozilla stopped maintaining it and the repository has been archived, so treat it as a reference design rather than something to deploy on new systems.
Before concluding, it is worth revisiting what EDR actually represents.
Deconstructing Endpoint Detection and Response
The term ‘EDR’ was first brought to public attention in 2013 by Anton Chuvakin, then Gartner’s Research Director for Technical Professionals and head of the Security and Risk Management Strategies team, under the name Endpoint Threat Detection and Response.
Chuvakin argued for a new class of tools “primarily focused on detecting and investigating suspicious activities (and traces of such) other problems on hosts/endpoints.”
EDR is a strategic approach to malware and intrusions that assumes prevention will sometimes fail. Instead of relying only on a verdict at the moment a file is scanned, an EDR agent continuously records endpoint activity (process creation, file and registry changes, network connections, logins) so that suspicious behaviour can be detected, investigated, and contained even after a foothold has been established. That is a real departure from the classical detect-and-remediate cycle.
A classic AV engine, by contrast, recommends an action (cleaning, quarantining, deletion) based on what it can tell about a file when it is written or executed; if the file evades that check, the engine has little else to offer.
Most ‘modern’ malicious content is specifically engineered to do as much damage as possible after establishing a beachhead (infiltrating your endpoint and/or network), which is exactly the phase a signature-only AV does not see.
From this, the distinction between EDR and antivirus-centric detection and remediation is one of visibility and timing: an AV engine acts at the point of entry and stops there, while EDR keeps watching, so that an intrusion that got past the first check can still be detected and remediated before it spreads.
Another aspect worth considering is that under EDR, digital forensics becomes the ‘backbone’ of threat detection: the telemetry the agent collects is the same evidence an incident responder needs.
Even the terminology reflects this: IOA (Indicator of Attack), IOC (Indicator of Compromise), HIPS (Host Intrusion Prevention System), and HIDS (Host Intrusion Detection System).
Embracing the Endpoint Detection and Response Model
Full-scale adoption of the Endpoint Detection and Response model has been a goal of many businesses and institutions since around 2011, a year many analysts and researchers regard as a turning point in malware evolution.
A Varonis report reveals that in Q3 2011 approximately 60,000 new ransomware strains were detected.
The same report goes on to say the number of novel strains tripled, reaching 200,000. Marked by the rise of the infamous Chimera, 2015 is often called the year of ransomware: over 700,000 new strains and $300 million paid to malicious actors.
Given the exponential growth rate, the pervasiveness, and the mutation rate (hundreds of new strains were created every day by making small modifications to an existing one), there was a public outcry: some form of counterstrike was needed before the damage spread across the economy.
EDR was, and is, one of the few threat-hunting and threat-mitigation methodologies capable of restoring the balance. Adopting it early was a gamble, but it paid off, and slowly but steadily more companies and public institutions are integrating EDR into their security stacks.
Of course, one cannot but wonder why not all companies have implemented this much-needed EDR ‘padding’.
A NinjaRMM report offers some insight into this apparent reluctance on the part of company owners and decision-makers. The report, which mostly surveyed MSPs and internal IT teams, found that the greatest ‘showstopper’ for adopting EDR is lack of budget.
Over 50% of respondents stated that EDR was not feasible for their internal IT teams because it costs more than the allotted budget for security software. From an MSP’s point of view, the main objection to EDR adoption was lack of manpower (not enough qualified personnel to operate this kind of tooling).
In some regions, EDR implementation was fast-tracked. The United States was among the first countries to recognize the merits of this approach and expedite its deployment; a Statista report reveals that in 2019 over 10 billion malware attacks were recorded worldwide.
The same report states that more than half of those attacks targeted the United States. Other countries followed: China, India, Indonesia, the United Arab Emirates, Qatar, and several South American countries. Europe, by this account, was among the last regions to adopt EDR at scale.
Endpoint Detection and Response is an effective threat-hunting and remediation technology. Still, the cost alone can deter company owners or decision-makers from implementing it.
If you plan on placing EDR on the company’s roadmap, a test drive is warranted. Fortunately, if you are not ready to commit extensive resources, there are free, open-source tools you can try first; the list above covers the most popular ones and how they can be used to improve your security posture before a commercial purchase.
Endpoint Detection and Response has become the gold standard of endpoint security. Despite slow and somewhat problematic adoption, companies and institutions have realized the importance of this extra layer. Tools such as the ones described in this article are reasonable first steps towards adopting it.
Heimdal Security offers the latest in cybersecurity protection against advanced cyberattacks. Our security solutions are designed to work with your company’s needs and budget.
Simple standalone security solutions are no longer enough.
Experienced blogger with a strong focus on technology, currently advancing towards a career in IT Security Analysis. I possess a keen interest in exploring and understanding the intricacies of malware, Advanced Persistent Threats (APTs), and various cybersecurity challenges. My dedication to continuous learning fuels my passion for delving into the complexities of the cyber world.