UMI Cyber Security Consulting

RMF, PKI, Scanning, Cyber Security Policies

DISA STIGS:

https://public.cyber.mil/stigs/

CISA free cybersecurity services and tools:

https://www.cisa.gov/free-cybersecurity-services-and-tools

Each entry below lists the service, its skill level, the owner, a description, and the link.

Service: Cyber Readiness Check (CRCs)
Skill Level: Basic
Owner: Project Spectrum
Description: A system that requires organizations to make an account to access the free service. This tool helps organizations determine their current level of security.
Link: Project Spectrum

Service: Perception Point
Skill Level: Basic
Owner: Perception Point
Description: Perception Point's Free Email Security Plan protects organizations from threats entering the organization via email and other collaboration channels. The plug-and-play deployment does not require a change to existing infrastructure. Once implemented, users can see, within minutes, how Perception Point's free advanced email security catches threats.
Link: Free Email Security Plan - Perception Point (perception-point.io)

Service: Semperis Purple Knight
Skill Level: Basic
Owner: Semperis
Description: Purple Knight queries an organization's Active Directory environment and performs a comprehensive set of tests against the most common and effective attack vectors to uncover risky configurations and security vulnerabilities. Users receive prioritized, corrective guidance, including mapping of indicators of exposure to the MITRE ATT&CK framework, to close gaps before they get exploited by attackers.
Link: Purple Knight | Evaluate the security of your Active Directory. (purple-knight.com)

Service: Microsoft Defender Antivirus
Skill Level: Basic
Owner: Microsoft
Description: This tool protects against and detects endpoint threats, including file-based and fileless malware. It is built into Windows 10 and 11 and into versions of Windows Server.
Link: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows

Service: Microsoft Safety Scanner
Skill Level: Basic
Owner: Microsoft
Description: Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. It can run scans to find malware and try to reverse changes made by identified threats.
Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Service: Windows Malicious Software Removal Tool
Skill Level: Basic
Owner: Microsoft
Description: This tool is released by Microsoft on a monthly cadence as part of Windows Update or as a standalone tool. It can be used to find and remove specific prevalent threats and reverse the changes they have made.
Link: https://support.microsoft.com/en-us/topic/remove-specific-prevalent-malware-with-windows-malicious-software-removal-tool-kb890830-ba51b71f-39cd-cdec-73eb-61979b0661e0

Service: MSTICPy
Skill Level: Basic
Owner: Microsoft
Description: MSTICPy is a SIEM-agnostic package of Python tools for security analysts to assist in investigations and threat hunting. It is primarily designed for use in Jupyter notebooks.
Link: https://msticpy.readthedocs.io/en/latest/

Service: Google Safe Browsing
Skill Level: Basic
Owner: Google
Description: This service identifies known phishing and malware across the web and helps notify users and website owners of potential harm. It is integrated into many major products and provides tools to webmasters.
Link: https://safebrowsing.google.com

Service: Coalition Control Scanning
Skill Level: Basic
Owner: Coalition Control
Description: Coalition Control is your account home and includes free attack surface scanning and ongoing monitoring of your organization from the outside in. When vulnerabilities are identified, the tool will show where they are and how to fix them. Upgraded scanning requires users to be a Coalition insurance policyholder.
Link: Coalition Control (coalitioninc.com)

Service: Security Onion
Skill Level: Basic
Owner: Open Source
Description: Security Onion is a free and open Linux distribution for threat hunting, enterprise security monitoring, and log management. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise. Security Onion includes Elasticsearch, Logstash, Kibana, Suricata, Zeek (formerly known as Bro), Wazuh, Stenographer, CyberChef, NetworkMiner, and many other security tools.
Link: Security Onion Solutions

Service: Syft
Skill Level: Advanced
Owner: Anchore
Description: Syft is a CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. It also supports the CycloneDX, SPDX, and JSON formats. Syft can be installed and run directly on a developer machine to generate SBOMs for software being developed locally, or it can be pointed at a filesystem.
Link: https://github.com/anchore/syft

Service: Grype
Skill Level: Advanced
Owner: Anchore
Description: Grype is an open source vulnerability scanner for container images and filesystems that can be used to find zero-day vulnerabilities such as the Log4j vulnerability.
Link: https://github.com/anchore/grype

Service: Hedgehog
Skill Level: Advanced
Owner: Malcolm
Description: Hedgehog Linux is a Debian-based operating system built to monitor network interfaces, capture packets to PCAP files, detect file transfers in network traffic, extract and scan those files for threats, and generate and forward Zeek logs.
Link: https://github.com/idaholab/Malcolm

Service: Malcolm
Skill Level: Advanced
Owner: CISA
Description: Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs.
Link: https://github.com/cisagov/Malcolm

Service: ICS Network Protocol Parsers
Skill Level: Advanced
Owner: CISA
Description: The industrial control systems network protocol parsers (ICSNPP) project, only compatible with Zeek, is an ongoing effort to provide open-source tools that enable asset owners, operators, and OT security teams to achieve greater operational network and process-level visibility.
Link: https://github.com/cisagov/ICSNPP

Service: Lumu Free
Skill Level: Advanced
Owner: Lumu Technologies
Description: Lumu Free offers continuous monitoring across the network by leveraging multiple sources of metadata (DNS, proxy, firewall). Organizations can uncover contact with malicious infrastructure, enabling threat mitigation and attack prevention. Malicious incidents can be labeled to ensure prioritization according to an organization's risk tolerance.
Link: Lumu

Service: Mandiant Red Team and Investigative Tools
Skill Level: Advanced
Owner: Mandiant
Description: These tools are designed to confirm and investigate suspected security compromises.
Link: https://github.com/Mandiant

Service: Splunk Connect for Syslog
Skill Level: Advanced
Owner: Splunk
Description: This tool is used for getting syslog-based data into Splunk, including functions for data filtering and parsing.
Link: https://splunkbase.splunk.com/app/4740/#/overview

Service: Enterprise Log Search and Archive (ELSA)
Skill Level: Advanced
Owner: Open source
Description: Enterprise Log Search and Archive (ELSA) is a three-tier log receiver, archiver, indexer, and web front end for incoming syslog.
Link: https://github.com/mcholste/elsa

Service: Mandiant Azure AD Investigator
Skill Level: Advanced
Owner: Mandiant
Description: This repository contains a PowerShell module for detecting artifacts that may be indicators of UNC2452 and other threat actor activity. Some indicators are "high-fidelity" indicators of compromise; other artifacts are so-called "dual-use" artifacts. Dual-use artifacts may be related to threat actor activity, but may also be related to legitimate functionality.
Link: https://github.com/mandiant/Mandiant-Azure-AD-Investigator

Service: VirusTotal
Skill Level: Advanced
Owner: Google
Description: VirusTotal inspects items with over 70 antivirus scanners and URL/domain blocklisting services, in addition to a variety of tools, to extract signals from the studied content. Users can select a file from a computer via the browser and send it to VirusTotal. Submissions may be scripted in any programming language using the HTTP-based public API.
Link: https://support.virustotal.com/hc/en-us/articles/115002126889-How-it-works

Service: Netfilter
Skill Level: Advanced
Owner: Open Source
Description: Netfilter is a packet filter implemented in the standard Linux kernel. The user space iptables tool is used for configuration. It supports packet filtering (stateless or stateful), many kinds of network address and port translation (NAT/NAPT), and multiple API layers for third-party extensions. It includes many different modules for handling unruly protocols, such as FTP.
Link: https://www.netfilter.org/

Service: Wireshark
Skill Level: Advanced
Owner: Open Source
Description: Wireshark is an open-source multi-platform network protocol analyzer that allows users to examine data from a live network or from a capture file on disk. The tool can interactively browse capture data, delving down into just the level of packet detail needed. Wireshark has multiple features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. It also supports hundreds of protocols and media types.
Link: https://www.wireshark.org/

Service: Ettercap
Skill Level: Advanced
Owner: Open Source
Description: Ettercap is a suite for adversary-in-the-middle attacks on a LAN that includes sniffing of live connections, content filtering on the fly, and many other features. It supports active and passive dissection of many protocols (including ciphered protocols) and includes many features for network and host analysis.
Link: http://ettercap.sourceforge.net/

Service: Kismet
Skill Level: Advanced
Owner: Open Source
Description: Kismet is a console (ncurses)-based 802.11 layer-2 wireless network detector, sniffer, and intrusion detection system. It identifies networks by passively sniffing and can decloak hidden (non-beaconing) networks if they are in use. It can automatically detect network IP blocks by sniffing TCP, UDP, ARP, and DHCP packets, log traffic in Wireshark/tcpdump compatible format, and even plot detected networks and estimated ranges on downloaded maps.
Link: https://www.kismetwireless.net/

Service: Snort
Skill Level: Advanced
Owner: Cisco
Description: This network intrusion detection and prevention system conducts traffic analysis and packet logging on IP networks. Through protocol analysis, content searching, and various pre-processors, Snort detects thousands of worms, vulnerability exploit attempts, port scans, and other suspicious behavior. Snort uses a flexible rule-based language to describe traffic that it should collect or pass, and a modular detection engine. The related free Basic Analysis and Security Engine (BASE) is a web interface for analyzing Snort alerts.
Link: https://www.snort.org/

Service: sqlmap
Skill Level: Advanced
Owner: Open Source
Description: sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over back-end database servers. It comes with a broad range of features, from database fingerprinting to fetching data from the DB, accessing the underlying file system, and executing OS commands via out-of-band connections.
Link: http://sqlmap.org/

Service: RITA
Skill Level: Advanced
Owner: Open Source
Description: Real Intelligence Threat Analytics (RITA) is an open-source framework for detecting command and control communication through network traffic analysis. The RITA framework ingests Zeek logs, or PCAPs converted to Zeek logs, for analysis.
Link: https://www.activecountermeasures.com/free-tools/rita/

Service: Secureworks Dalton
Skill Level: Advanced
Owner: Secureworks
Description: Dalton is a system that allows a user to run network packet captures against a network sensor of their choice using defined rulesets and/or bespoke rules. Dalton covers Snort, Suricata, and Zeek analysis in one system.
Link: https://github.com/secureworks/dalton

Service: Elastic SIEM
Skill Level: Advanced
Owner: Elastic
Description: Elastic SIEM is an application that provides security teams with visibility, threat hunting, automated detection, and Security Operations Center (SOC) workflows. Elastic SIEM is included in the default distribution of the most successful logging platform, the Elastic (ELK) Stack software. It ships with out-of-the-box detection rules aligned with the MITRE ATT&CK framework to surface threats often missed by other tools. Created, maintained, and kept up to date by the security experts at Elastic, these rules automatically detect and address the latest threat activity. Severity and risk scores associated with signals generated by the detection rules enable analysts to rapidly triage issues and turn their attention to the highest-risk work.
Link: Elastic SIEM: free and open for security analysts everywhere | Elastic Blog

 

PKI

Some CAPI calls:

The CertVerifyRevocation function checks the revocation status of the certificates contained in the rgpvContext array. If a certificate in the list is found to be revoked, no further checking is done. This array can be a chain of certificates propagating upward from an end entity to the root authority, but this nature of the list of certificates is not required or assumed.

The CertGetCertificateChain function builds a certificate chain context starting from an end certificate and going back, if possible, to a trusted root certificate. Its syntax is shown below.

BOOL WINAPI CertGetCertificateChain(
  _In_opt_  HCERTCHAINENGINE hChainEngine,
  _In_      PCCERT_CONTEXT pCertContext,
  _In_opt_  LPFILETIME pTime,
  _In_      HCERTSTORE hAdditionalStore,
  _In_      PCERT_CHAIN_PARA pChainPara,
  _In_      DWORD dwFlags,
  _In_      LPVOID pvReserved,
  _Out_     PCCERT_CHAIN_CONTEXT *ppChainContext
);

The dwFlags values are as follows:

dwFlags [in]

Flag values that indicate special processing. This parameter can be a combination of one or more of the following flags (hexadecimal value in parentheses).

CERT_CHAIN_CACHE_END_CERT (0x00000001)

When this flag is set, the end certificate is cached, which might speed up the chain-building process. By default, the end certificate is not cached, and it would need to be verified each time a chain is built for it.

CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY (0x80000000)

Revocation checking only accesses cached URLs.

CERT_CHAIN_REVOCATION_CHECK_OCSP_CERT (0x04000000)

This flag is used internally during chain building for an online certificate status protocol (OCSP) signer certificate to prevent cyclic revocation checks. During chain building, if the OCSP response is signed by an independent OCSP signer, then, in addition to the original chain build, there is a second chain built for the OCSP signer certificate itself. This flag is used during this second chain build to inhibit a recursive independent OCSP signer certificate. If the signer certificate contains the szOID_PKIX_OCSP_NOCHECK extension, revocation checking is skipped for the leaf signer certificate. Both OCSP and CRL checking are allowed.

Windows Server 2003 and Windows XP: This value is not supported.

CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL (0x00000004)

Uses only cached URLs in building a certificate chain. The Internet and intranet are not searched for URL-based objects.

Note: This flag is not applicable to revocation checking. Set CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY to use only cached URLs for revocation checking.

CERT_CHAIN_DISABLE_PASS1_QUALITY_FILTERING (0x00000040)

For performance reasons, the second pass of chain building only considers potential chain paths that have quality greater than or equal to the highest quality determined during the first pass. The first pass only considers valid signature, complete chain, and trusted roots to calculate chain quality. This flag can be set to disable this optimization and consider all potential chain paths during the second pass.

CERT_CHAIN_DISABLE_MY_PEER_TRUST (0x00000800)

This flag is not supported. Certificates in the "My" store are never considered for peer trust.

CERT_CHAIN_ENABLE_PEER_TRUST (0x00000400)

End entity certificates in the "TrustedPeople" store are trusted without performing any chain building. This function does not set the CERT_TRUST_IS_PARTIAL_CHAIN or CERT_TRUST_IS_UNTRUSTED_ROOT dwErrorStatus member bits of the ppChainContext parameter.

Windows Server 2003 and Windows XP: This flag is not supported.

CERT_CHAIN_RETURN_LOWER_QUALITY_CONTEXTS (0x00000080)

The default is to return only the highest quality chain path. Setting this flag will return the lower quality chains. These are returned in the cLowerQualityChainContext and rgpLowerQualityChainContext fields of the chain context.

CERT_CHAIN_DISABLE_AUTH_ROOT_AUTO_UPDATE (0x00000100)

Setting this flag inhibits the auto update of third-party roots from the Windows Update Web Server.

CERT_CHAIN_REVOCATION_ACCUMULATIVE_TIMEOUT (0x08000000)

When you set CERT_CHAIN_REVOCATION_ACCUMULATIVE_TIMEOUT and you also specify a value for the dwUrlRetrievalTimeout member of the CERT_CHAIN_PARA structure, the value you specify in dwUrlRetrievalTimeout represents the cumulative timeout across all revocation URL retrievals.

If you set CERT_CHAIN_REVOCATION_ACCUMULATIVE_TIMEOUT but do not specify a dwUrlRetrievalTimeout value, the maximum cumulative timeout is set, by default, to 20 seconds. Each URL tested will time out after half of the remaining cumulative balance has passed. That is, the first URL times out after 10 seconds, the second after 5 seconds, the third after 2.5 seconds, and so on until a URL succeeds, 20 seconds have passed, or there are no more URLs to test.

If you do not set CERT_CHAIN_REVOCATION_ACCUMULATIVE_TIMEOUT, each revocation URL in the chain is assigned a maximum timeout equal to the value specified in dwUrlRetrievalTimeout. If you do not specify a value for the dwUrlRetrievalTimeout member, each revocation URL is assigned a maximum default timeout of 15 seconds. If no URL succeeds, the maximum cumulative timeout value is 15 seconds multiplied by the number of URLs in the chain.

You can set the default values by using Group Policy.

CERT_CHAIN_TIMESTAMP_TIME (0x00000200)

When this flag is set, pTime is used as the time stamp time to determine whether the end certificate was time valid. Current time can also be used to determine whether the end certificate remains time valid. All other certification authority (CA) and root certificates in the chain are checked by using current time and not pTime.

You can also set the following revocation flags, but only one flag from this group may be set at a time.

CERT_CHAIN_REVOCATION_CHECK_END_CERT (0x10000000)

Revocation checking is done on the end certificate and only the end certificate.

CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)

Revocation checking is done on all of the certificates in every chain.

CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)

Revocation checking is done on all certificates in all of the chains except the root certificate.
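As an added example (not code from this page or from Microsoft), the C below composes a dwFlags value from the constants listed above, rejects combinations that set more than one of the mutually exclusive revocation flags, and reproduces the timeout budget arithmetic described under CERT_CHAIN_REVOCATION_ACCUMULATIVE_TIMEOUT; the helper names are hypothetical, and the Windows-only block makes the CertGetCertificateChain call with the signature shown earlier.

```c
/* Added example, not code from the page or from Microsoft: flag values are the
 * ones listed above, helper names are hypothetical. On Windows the _WIN32 block
 * makes the real CertGetCertificateChain call; elsewhere only the helpers compile. */
#ifdef _WIN32
#define CERT_CHAIN_PARA_HAS_EXTRA_FIELDS     /* exposes dwUrlRetrievalTimeout */
#include <windows.h>
#include <wincrypt.h>
#pragma comment(lib, "crypt32.lib")
#endif
#include <stdint.h>
#ifndef CERT_CHAIN_REVOCATION_CHECK_END_CERT
#define CERT_CHAIN_REVOCATION_CHECK_END_CERT           0x10000000
#define CERT_CHAIN_REVOCATION_CHECK_CHAIN              0x20000000
#define CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT 0x40000000
#define CERT_CHAIN_REVOCATION_ACCUMULATIVE_TIMEOUT     0x08000000
#endif
/* The three revocation-scope flags are mutually exclusive: allow zero or one. */
int revocation_scope_is_valid(uint32_t dwFlags)
{
    uint32_t scope = dwFlags & (CERT_CHAIN_REVOCATION_CHECK_END_CERT |
                                CERT_CHAIN_REVOCATION_CHECK_CHAIN |
                                CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT);
    return (scope & (scope - 1)) == 0;             /* zero or a single bit set */
}
/* Documented worst-case wait on revocation URL fetches (ms); url_timeout_ms is
 * CERT_CHAIN_PARA.dwUrlRetrievalTimeout, 0 meaning not specified. */
uint32_t max_revocation_wait_ms(uint32_t dwFlags, uint32_t url_timeout_ms, uint32_t url_count)
{
    if (dwFlags & CERT_CHAIN_REVOCATION_ACCUMULATIVE_TIMEOUT)
        return url_timeout_ms ? url_timeout_ms : 20000;           /* one shared budget */
    return (url_timeout_ms ? url_timeout_ms : 15000) * url_count;  /* budget per URL */
}

/* Accumulative mode: each URL gets half the remaining balance (10 s, 5 s, 2.5 s
 * ... of a 20 s budget); url_index is zero-based. */
uint32_t accumulative_url_timeout_ms(uint32_t budget_ms, unsigned url_index)
{
    return budget_ms >> (url_index + 1);
}
#ifdef _WIN32
/* Documented call; TRUE only if dwErrorStatus is clean, so an unknown or
 * offline revocation status is reported to the caller rather than accepted. */
BOOL chain_is_trusted(PCCERT_CONTEXT pCert, DWORD dwFlags, DWORD *pErrorStatus)
{
    CERT_CHAIN_PARA para = {0};
    PCCERT_CHAIN_CONTEXT pChain = NULL;
    if (!revocation_scope_is_valid(dwFlags)) return FALSE;   /* reject flag misuse */
    para.cbSize = sizeof(para);
    para.dwUrlRetrievalTimeout = 20000;  /* cumulative budget under the accumulative flag */
    if (!CertGetCertificateChain(NULL, pCert, NULL, NULL, &para, dwFlags, NULL, &pChain))
        return FALSE;
    *pErrorStatus = pChain->TrustStatus.dwErrorStatus;
    CertFreeCertificateChain(pChain);
    return *pErrorStatus == CERT_TRUST_NO_ERROR;
}
#endif
```

A caller would typically pass CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT | CERT_CHAIN_REVOCATION_ACCUMULATIVE_TIMEOUT and treat any non-zero dwErrorStatus, including CERT_TRUST_REVOCATION_STATUS_UNKNOWN, as a failed validation.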

 

http://www.axway.com/products-solutions/email-identity-security/identity-security/va-server