Building an Insider Threat Program: Some Low-Cost Tools (Part 2 of 2)
This is the second part of a two-part series on low-cost tools for starting your insider threat program. In the first part, I described the five categories of tools that insider threat programs can draw on, as needed, in their operations. In this part, I give examples of low-cost tools that are available in this space.
The following tools may meet one or more needs of your insider threat program. This is not a complete list of tools. CERT hasn't tested them and, as a Federally Funded Research and Development Center (FFRDC), cannot endorse or recommend them specifically, nor can CERT determine their suitability for use in your environment. I encourage you to test these tools prior to acquisition and implementation.
User Activity Monitoring (UAM)
- Open Source HIDS SECurity (OSSEC) (http://ossec.github.io/)
- Security Onion (https://securityonion.net/)
(Security Onion is a collection of tools for network traffic monitoring and logging.)
- Squid Proxy Server (http://www.squid-cache.org) and Dansguardian (http://dansguardian.org)
(Both tools can be combined to filter web content and log website visits. Dansguardian is not actively maintained.)
- Packet Capture Tools: Tcpdump (http://www.tcpdump.org/), NetworkMiner (http://www.netresec.com/?page=NetworkMiner), and Wireshark (https://www.wireshark.org/)
Data Loss Prevention
Security Information and Event Management (SIEM) Systems
- OSSIM (https://www.alienvault.com/products/ossim)
- LOGalyze (http://www.logalyze.com/)
- Enterprise Log Search and Archive (ELSA) (https://github.com/mcholste/elsa)
- The Elastic Stack (https://www.elastic.co/)
Digital Forensics Tools
- FTK Imager (http://accessdata.com/product-download?/support/product-downloads)
- Autopsy (http://www.sleuthkit.org/autopsy/)
- Volatility (http://www.volatilityfoundation.org/)
- SANS Investigative Forensic Toolkit (http://digital-forensics.sans.org/community/downloads#locations)
- CERT Forensics Tools: ADIA (http://www.cert.org/digital-intelligence/tools/adia.cfm)
- PALADIN (https://sumuri.com/software/paladin/)
You can see from this partial list that there are quite a few options available to help you plan and implement the technical aspects of your insider threat program. Many other tools are not listed here, so I encourage you to explore other options as well. The goal of this blog series was to provide enough information to get you started.
If you have experience with other open source or freely available tools that could be leveraged in an insider threat program, I would like to hear from you. Please get in touch with me using the links provided below.