Ten Open-Source EDR Tools to Enhance Your Cyber-Resilience Factor
How to integrate Open-Sources EDR Tools into your Cybersecurity Ecosystem
This post is also available in: Danish
Today’s e-threats have evolved. We, the digital denizens of the Internet, are faced with such intricately-crafted malware, that makes us ponder whether ‘tis better to abandon all hope and disconnect or search for better ways to protect our endpoints and personal information. Half a century ago, the Creeper System was released into the wild. It was to be the first mention of a ‘self-replicating computer virus’ in history.e
Today, viruses like the Creeper System, The Form, Ghostball, or Father Christmas belong behind a digital display case, being no longer able to harm our systems. However, ‘old’ habits die hard (or don’t). Viruses and worms have survived their own extinction, taking more virulent forms – ransomware, spyware, adware, fileless malware, and many other ‘ware’ that are bound to make you question your digital life etiquette.
In cybersecurity, there’s this well-trodden saying: “antivirus software is not enough”. Leaving aside the marketing implications, AVs are simply too ill-equipped to deal with sophisticated, high-end e-threats that are engineered to avoid rudimentary, behavioral-based detection.
This game-changing modus operandi would have needed an appropriate retort, on the Defenders’ side. Endpoint Detection and Response (EDR) was born.
Deconstructing Endpoint Detection and Response
The term ‘EDR’ was first brought to the public attention in 2013 by Anton Chuvakin, Gartner’s Research Director for Technical Professionals, and the head of the Security and Risk Management Strategies team. Chuvakin reaffirmed the need for a new malware-hunting methodology and tools capable of “detecting and investigating suspicious activities (and traces of such) other problems on host/endpoints.”
EDR is a strategical approach to malware, emphasizing digital prophylaxis (prevention), screening, and detection over mitigation (‘damage control’). It’s undoubtedly a huge leap from the classical detection and remediation methodology, based on post-intrusion behaviorism.
In other words, AV engines can only recommend security actions (i.e. cleaning, quarantining, deletion, etc.) based on how the potentially-malicious file or element behaves while interacting with various processes.
Most ‘modern’ malicious content is specifically engineered to ‘do’ as much damage as possible after establishing a beachhead (i.e. infiltrating your endpoint and/or network). From these statements, we can infer the following – the epistemological distinction between EDR and C.A.V.C.D.M. (Canonical AV-Centric Detection-Mediation methodology) is causality; antivirus-centric detection-mediation systems ‘deal’ with the e-threat after it has successfully infiltrated the endpoint and/or network, while EDR focuses on D&M before malware infiltration.
There are other aspects worth taking into consideration – under EDR, digital/computer forensics become the ‘backbone’ of threat detection.
Even the terminology expedites the same conclusion – I.O.A (Indicator of Attack), I.O.C (Indicator of Compromise), HIPS (Host-Intrusion Prevention System), and HIDS (Host-Intrusion Detection System).
My colleague covered all of the forensics parts of EDR and other technicalities in a recently published material. Feel free to consult her article for more information on how EDR changed the rules of the threat-hunting game.
Embracing the Endpoint Detection and Response Model
Full-scale adoption and deployment of the Endpoint Detection and Response model have been the primary goal of many businesses and institutions since 2011 – most cybersecurity analysts and researchers regard this year as a turning point (or boiling point) in malware evolution. A Varonis report reveals that in Q3 2011, approximately 60,000 new ransomware strains have been detected.
The number of novel ransomware strains would have increased by a factor of three, reaching 200,000 by the end of Q3 2011. Marked by the rise of the infamous Chimera, 2015 is officially proclaimed the year of the ransomware – over 700,000 new ransomware strains and 300$ million disbursed to malicious actors.
Considering the (exponential) growth rate, the pervasiveness, and the mutational factor (hundreds of new strains were engineered every single day by committing minute modifications to an existing strain). There was an electrifying outcry from the public – some form of counterstrike was required, else the entire economy could have been brought to its heels in a matter of nanoseconds.
EDR, is by far, the only threat-hunting/threat-mitigation methodology capable of offsetting the balance. It was a gambit, but it paid off – slowly, but steadily, more and more companies and public institutions are integrating EDR into their cybersecurity ecosystems.
Of course, one cannot but wonder why all companies implement some of this, much-needed, EDR ‘padding’?
A NinjaRMM report offers some insight into this seemingly ‘intractableness’ on behalf of company owners and decision-makers. The report, which mostly targeted MSPs and IT Internal teams, pointed out that the greatest ‘showstopper’ for adopting EDR is the lack of budget.
Over 50% of respondents declared that EDR in IT Internal teams is not feasible since it entails costs that exceed the allotted budget for cybersecurity software/solutions. On the other hand, from an MSP’s point of view, the only objection behind EDR adoption is the lack of manpower (i.e. not enough qualified personnel to manage this type of cybersecurity ecosystem).
For some geographical areas, it was necessary to fast-track the implementation of EDR. As a result, the United States was among the first countries to recognize the merits of this approach and to expedite its deployment. A report made by Statista reveals that in 2019, over 10 billion malicious attacks were carried out.
Furthermore, the same report states that more than 50% of these attacks occurred in the United States. Other countries would soon follow in its steps: China, India, Indonesia, United Arab Emirates, Qatar, and several South American countries. Europe was among the last regions to greenlight the deployment of EDR.
Endpoint Detection and Response is an efficient threat-hunting/threat-remediation technology. Still, the cost alone can deter company owners or decision-makers from implementing it.
In the interim, if you plan on placing EDR on the company’s roadmap, a test-drive is warranted. Fortunately, if you’re not ready to commit extensive resources to implement EDR, there are some free, open-source EDR tools you can try out. Below, you will find a small list of the most popular EDR tools on the web and how you can use them to increase your company’s ROI.
HEIMDAL™ ENDPOINT PREVENTION - DETECTION AND CONTROL
- Next-gen Antivirus & Firewall which stops known threats;
- DNS traffic filter which stops unknown threats;
- Automatic patches for your software and apps with no interruptions;
- Privileged Access Management and Application Control, all in one unified dashboard
Open-source EDR tools
OSSEC is open-source and free software that offers HIDS, HIPS, log analysis, real-time Windows registry monitoring, and other EDR features. The software can be downloaded from the official website or the developer’s GitHub page. OSSEC is mostly addressed to large enterprises, SMBs, and governmental agencies in search of server intrusion detection systems and/or solutions.
OSSEC EDR features
- LIDS (Log-based Intrusion Detection)
Scans and analyses log data coming from multiple endpoints.
- Malware and Rootkit Detection capabilities
Employs process- and file-level scanning to detect dormant or active malicious applications, rootkits included.
- Active response
Firewall policy benchmarking, support for integrating with/in 3rd party apps. OSSEC’s active response feature also mentions something about “self-healing actions” but fails to elaborate.
- FIM (File Integrity Monitoring)
Real-time windows and file registry monitoring. Capable of producing forensic copies to facilitate data analysis in case of system changes.
- System inventory
Information-gathering platform. Able to retrieve various types of software and hardware data: listeners, hardware info, installed software, versioning, utilization rate, and network services.
OSSEC boasts compliance with many of the common industry standards such as CIS and PCI-DSS. The software is compatible with Windows, Linux, OpenBSD, macOS, Solaris, and FreeBSD. No support for mobile platforms such as Android or Mac OSX.
For more information about the software and its EDR capabilities, please refer to the official OSSEC website.
2. TheHive Project
TheHive Project is a “security incident response (platform) for the masses”, leveraging open-source, scalable, and free solutions. The product is designed to aid CERTs, SOCs, and CSIRTs in drafting security incident reports faster and elaborate actionable strategies based on various cues such as observables or custom-created alerts.
In essence, TheHive Project is a collaboration platform, that allows multiple users (i.e. investigators or analysts) to work on the same investigation at the same time. The platform offers powerful collaboration features such as live streaming, real-time information, task assignation, and more.
TheHive Project features
- Dynamic dashboard
OTA, cloud-hosted, real-time collaboration. Advanced note-drafting functions: customized tags, password-protected ZIP or RAR archives, progress tracker, import ZIP archives containing suspicious data and/or malware, custom templates, simple or elaborate metric, and much more.
- Advanced filtering options
Capable of handling hundreds of observables. Users can import or create alerts based on any event or alarm. Customer filtering is available. Once the investigation draft is completed, the template can be quickly exported and used to describe other similar occurrences.
- Forensics and Incident Response
Cortex, TheHive Project’s proprietary “observable analysis and active response engine” grants a granular overview of the observables (i.e. IP, URL, mail address, domain name, hashes, files, etc.) via a web interface. Other forensics and incident response features – custom scrips, AP integration, advanced containment functions.
Incident reports can be drafted using analyzers from popular web services such as PassiveTotal, Google’s Safe Browsing, Onyphe, Shodan, VirusTotal, etc via the Cortex module. Multi-format parser (OLE, OpenXML); can be used to detect Visual Basic macros embedded in documents.
- Python API for polling analyzers from various sources
TheHive4py’s Python API is an EDR tool that facilitates case-creation by granting the investigator access to sources such as SIEM and/or email. According to the product description, this API can become an invaluable tool in the fight against Business Email Compromise.
Refer to the API’s documentation for more information regarding the product’s B.E.C capabilities.
osQuery is an open-source, Apache-licensed device querying software that increases the visibility over your connected devices. The product uses very basic SQL commands to create complex “relational data-models”, simplifying investigations and/or audits. osQuery is intended for SMBs and enterprises.
A ‘lighter’, home-centric version is also available on the product’s official website. The software is compatible with Windows, macOS, CentOS, FreeBSD, and Linux (with some limitations).
- Interactive querying console.
Comprehensive SQL-powered console that gives you a bird’s eye view of your operating system. Augmented with tables and other tools, the console can help the user or investigator to quickly gather valuable system data.
- Modular codebase
Language binding is available. All components are modular and developed using open-source APIs.
- Powerful host-monitoring daemon
Osqueryd, osQuery’s daemon can aggregate all query results and help you generate logs much faster. The resulting logs can provide you with insight into your system’s security, as well as other useful information: configuration, performance, infrastructure health, etc.
Other features: AWS logging, file integrity monitoring, YARA scanning, anomaly detection, process auditing, remote settings, advanced log aggregations settings, and more.
Refer to osQuery’s documentation for additional information regarding the product’s EDR capabilities.
4. Nessus Vulnerability scanner
Nessus’ lightweight and open-source software is a communication port-scanning tool useful for detecting system vulnerabilities – entry points that can be exploited by malicious actors. This tool does not have full EDR capabilities, nonetheless, efficient in identifying security breaches. Nessus is compatible with devices running Linux, Windows, and macOS.
- Custom scripting and multiple plug-ins
Nessus allows the user to write custom scripts by providing him with a scripting language. The agent also allows multiple plug-ins: server detection, processor information, Microsoft Windows ARP table, recent file history, Windows scan not performed with Admin Privileges, Microsoft Windows Last Boot Time, etc.
- Patching indicator
Upon vulnerability detection, the port-scanner will also offer suggestions on how to resolve the vulnerability.
- In-depth vulnerability scanning
After Nessus is deployed on the machine, it will perform up to 1,200 checks (passes) to detect system vulnerabilities.
For additional information, please consult Nessus’ official website.
SNORT is an open-source and robust intrusion prevention software that allows the user to identify e-threats by analyzing packet logging and real-time network traffic. The product is fully compatible with Fedora, Centos, FreeBSD, and Windows. SNORT is marketed as an easy-to-use EDR tool, useful for audits or investigations.
- Multi-mode deployment
SNORT can be configured to run in three modes: sniffer (reads network packets and displays them on your console), packet logger (logs the content of each packet and stores them on your local disk), and NIDS (short for Network Intrusion Detection system; real-time analysis of network traffic.)
- Tunneling Protocol Support for most common formats
SNORT supports the following tunneling protocols: PPTP over GRE, MPLS, GRE, IP in IP, ERSPAN.
- Multiple NIDS Mode Output options
The NIDS module supports multiple output options: Fast alert (the alert is jotted down in a simple format that includes the source, destination IP and/port, alert header and message, and the timestamp), Full Alert mode, Unsock (can send the alert to a Unix-type socket), No alert (disables alerts), Console (displays fast-type alerts on your screen), and CMG (displays alerts in the CMG style).
For additional information on how to configure SNORT, please refer to the developer’s official website.
6. Ettercap Project
Ettercap Project is a cross-platform, open-source EDR tool that simulates ARP Poisoning and Man-in-the-Middle attacks on LAN. This tool boasts various security options such as network traffic interception, active eavesdropping for the most common protocol, network security auditing, and protocol dissection. Ettercap Project is compatible with Linux, Solaris, BSD, MacOS X, and Microsoft Windows.
Ettercap Project features
Ettercap Project can reconfigure the network interface to run in two modes: Promiscuous, whereas a wired or wireless network interface controller causes the controller to route the incoming traffic directly to the CPU instead of controller-specific frames ARP poisoning. Both modes yield precious forensic information. The user can determine how the system will act and react during a MiM attack.
- OS fingerprinting
Analyze how OS fingerprinting works in real-time.
- IP-based filtering
Use this option to filter incoming and outgoing packets by destination and IP source.
- Plug-in support
Ettercap’s capabilities can be enhanced through publicly available APIs and plug-ins.
7. Infection Monkey
Infection Monkey is a free and open-source cybersecurity posture assessment tool that simulates system breaches and APTs (Advanced Persistent Attacks). Guardicore’s software was developed for sysadmins who want to probe a company’s security infrastructure in search of vulnerabilities and investigators. Infection Monkey is compatible with Microsoft Windows, Linux, and macOS X.
Infection Monkey features
- Run real-life infection scenarios
Infection Monkey can simulate numerous types of malicious actions such as Shellshock, Sambacry, ElasticGroovy, Struts2, Weblogic, Hadoop, Credential Stealing, Brute-Force logins.
- Advanced detection capabilities
Guardicore’s tool boasts numerous detection methods such as Alerts on cross-segment traffic (check to determine if your global segmentation policies and rest are correctly enforced), tunneling (alerts the user if tunneling is detected), and credential analysis.
8. Cuckoo Sandbox
Cuckoo Sandbox is an open-source sandboxing environment that allows the user to quarantine, analyze, and dissect files exhibiting malicious behavior. The tool is compatible with Microsoft Windows, Linux, Mac OS X, and Android.
Cuckoo Sandbox features
- Powerful file analyzer
Can probe various file formats and types (documents, pdf files, executables, emails, etc.). The engine also allows the user to execute Cuckoo Sandbox in VM-type environments.
- Advanced memory and network analysis
Probe process memory using YARA and Volatility. Network traffic can also be analyzed before dumping. It also applies to traffic encrypted with TLS or SSL.
9. GRR Rapid Response
GRR Rapid Response is an Apache-licensed, open-source incident response framework used in remote live forensics. The tool can be used to perform minute forensic analyses on a large number of endpoints. GRR, Rapid response is compatible with Microsoft Windows, macOS X, and most Linux builds.
GRR Rapid Response Features
- YARA Library support.
- Search and download features for registry entries and files.
- API developed in RESTful JSON and Web UI made with AngularJS. Client libraries include Go, PowerShell, and Python.
- Increase the scalability factor.
- It can be automated – schedule tasks for your clients.
- Extensive monitoring capabilities – I/O usage, CPU, memory, and user-defined parameters.
10. MIG by Mozilla
Mozilla’s MIG is a free-to-use forensics platform for remote endpoints. The tool is compatible with Windows, Linux, and Mac OSX. A beginner’s tool, but very helpful in providing accurate IOCs.
MIG’s features include – log analysis, memory inspection, files, and network inspection, full system auditing, vuln management, and more. As an open-source forensics tool, Mozilla’s MIG has limited capabilities mostly since Mozilla has stopped maintaining the product.
Endpoint Detection and Response has become the next gold standard of cybersecurity. Despite the slow and somewhat problematic adoption, companies and institutions have realized the importance of this extra security ‘padding’. EDR tools such as the ones described in the article are reasonable first steps towards global tech assimilation.