In today’s world cyber criminals are constantly working to come up with new tools, techniques, and procedures to infiltrate networks, socially engineer users and employees, steal money or information, and assault various targets. As the bad guys’ methods expand, the security industry has responded to these evolving threats. There are hundreds of tools, services, and products to help organizations with teams of all sizes and budgets combat ongoing threats. Following is a lineup of seven essential and effective tools that give Threat Detection and Response teams a powerful toolbox to fight back against cybercriminals:
1. Free or Paid Research Tools
While the tools available vary widely in capability as well as pricing, not all of them cost money. VirusTotal is a popular, free website and service that analysts across the industry use. It is an excellent resource that analysts on many types of teams can turn to for quick reference on many types of indicators of compromise. Because VirusTotal is also a community where analysts report suspicious or malicious indicators, it contains a growing wealth of information that provides not only historical data but current data as well.
2. SIEM
Threat Detection teams are increasingly turning to a SIEM (security information and event management system) for their network monitoring needs. A SIEM (such as ArcSight, QRadar, RSA NetWitness, or Splunk) is a powerful tool that lets analysts monitor their organization’s network traffic in real time, so that Incident Response teams can react to incoming threats as they arrive. Signatures can be created in anticipation of known threats to instantly alert analysts to suspicious traffic, allowing response teams to get out in front of the threat.
3. Threat Intelligence Provider
In the past, some organizations have opted to hire outside companies for their Threat Intelligence collection requirements, monitoring for ongoing and developing threats that matter to them. Social media monitoring, hacktivism campaigns, and CVE awareness are some of the concerns an organization might have regarding its business and brand. Some organizations, however, prefer to have internal teams focus on this task, and an excellent tool for this purpose is Recorded Future. With a team of analysts constantly updating its platform data, Recorded Future gives its customers’ analysts access to this information, while also offering a suite of powerful search functions that let an internal Intel team customize and automate searches.
4. Network Traffic Analysis Framework
A popular and powerful network traffic analysis framework is Bro, which is used by a wide variety of security professionals. Like VirusTotal, Bro is free: it is an open source, UNIX-based network monitoring framework that can be used for detecting network intrusions, collecting network measurements, and generating an extensive set of log files that record a network’s activity in high-level terms. These logs include not only a comprehensive record of every connection seen on the network, but also application-layer transcripts such as all HTTP sessions with their requested URIs (Uniform Resource Identifiers), key headers, MIME (Multipurpose Internet Mail Extensions) types, and server responses. Bro also provides analysts with a scripting language, similar in functionality to Python, that allows users to customize network analysis.
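As an added example (not code from the original post or from the Bro project), the script below parses a Bro-style tab-separated http.log, using the #fields header to name columns, and flags responses whose MIME type indicates an executable, including the case where the requested URI looks like an image or page. The log lines, UIDs, hosts and addresses are constructed for illustration.

```python
# Added example: detection logic over constructed Bro/Zeek-style http.log lines.
# Bro writes a '#fields' header naming the columns and '-' for unset fields.
SAMPLE_HTTP_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.resp_h\tmethod\thost\turi\tstatus_code\tresp_mime_types
#types\ttime\tstring\taddr\taddr\tstring\tstring\tstring\tcount\tset[string]
1500000001.100000\tC1abc\t10.0.0.5\t93.184.216.34\tGET\texample.com\t/index.html\t200\ttext/html
1500000002.200000\tC2def\t10.0.0.5\t203.0.113.7\tGET\tcdn.example.net\t/img/logo.png\t200\tapplication/x-dosexec
1500000003.300000\tC3ghi\t10.0.0.9\t203.0.113.7\tGET\tcdn.example.net\t/dl/setup.exe\t200\tapplication/x-dosexec
1500000004.400000\tC4jkl\t10.0.0.9\t93.184.216.34\tPOST\texample.com\t/login\t302\t-
"""

# MIME types Bro's file analysis assigns to Windows/ELF executables (hypothetical list
# for this example; tune to the MIME labels your Bro version emits).
EXECUTABLE_MIME = {"application/x-dosexec", "application/x-executable", "application/x-msdownload"}
# Extensions that should never carry an executable body.
BENIGN_EXTENSIONS = (".png", ".jpg", ".gif", ".html", ".css", ".js", ".txt")


def parse_bro_log(text):
    """Yield one dict per record, naming columns from the '#fields' header.
    Unset fields ('-') become None. Other '#' lines (separator, types) are skipped."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue
        else:
            if fields is None:
                raise ValueError("record seen before #fields header")
            values = [None if v == "-" else v for v in line.split("\t")]
            yield dict(zip(fields, values))


def find_executable_downloads(text):
    """Return (uid, host, uri, reason) for every response carrying an executable MIME type."""
    hits = []
    for rec in parse_bro_log(text):
        # resp_mime_types is a set[string]; Bro joins members with ','.
        mimes = set((rec.get("resp_mime_types") or "").split(","))
        if not mimes & EXECUTABLE_MIME:
            continue
        uri = rec.get("uri") or ""
        if uri.lower().endswith(BENIGN_EXTENSIONS):
            reason = "executable served with non-executable extension"
        else:
            reason = "executable download"
        hits.append((rec["uid"], rec["host"], uri, reason))
    return hits
```

Running `find_executable_downloads(SAMPLE_HTTP_LOG)` flags the two x-dosexec responses and singles out the one disguised as logo.png; the same parser works for conn.log or any other Bro log with a #fields header.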
5. Disassembler and Debugger
Malware of all types is an increasing concern among organizations; it is constantly being refined, improved, and augmented. Reverse engineering malware is a process Incident Response teams can use to identify how malicious a threat is, and it gives the team insight into how to defend against similar attacks in the future. IDA Pro is a great disassembler that explores binary programs and creates maps of a malicious file’s execution. IDA Pro is also a handy debugging tool that lets analysts step through malicious code one instruction at a time, sometimes bypassing obfuscation and making the code under investigation more readable.
6. Web Proxy
Another essential security tool popular with analysts is Burp, which performs security testing of web applications and websites. Burp functions as an intercepting proxy, analyzing inbound traffic in a safe environment and preventing infection when a user accidentally or inadvertently visits a website that may be hosting malicious content. Burp is also a web application scanner, which automates the detection of numerous types of vulnerability. Burp essentially provides analysts a safe line of control for inspecting traffic that interacts with a network, making it tougher for threats to make their way in.
7. Cybersecurity Platform
ThreatConnect is a security platform that helps organizations of all sizes identify, manage, and block threats faster. With more than 50 industry-leading product integrations, ThreatConnect gives threat detection teams the power to deploy multiple tools in one platform. When used in conjunction with multiple tools, ThreatConnect becomes a force multiplier, making threat detection and management available in one place. As threats evolve and become more nimble, security professionals recognize the importance of sharing information about emerging threats. ThreatConnect allows users to customize and import threat data feeds into their instance, and to join other like organizations in Communities that share similar threat data. ThreatConnect is an essential platform that allows security teams to use many tools and emerging data to maximum effect. Want to see how ThreatConnect ties all of your threat intel tools together? Get a walkthrough of the platform to see how ThreatConnect can help your organization. Contact email@example.com for more information.