Drop #156 (2022-12-15): Twelve Days of [Quick] Drops • Day 04
Fleet; Wazuh; Arkime
On The Fourth Day Of Quick Drops 🎅🏽hrbrmstr🎅🏽 Gave To Me…
🎶 Froody Cyber Tools 🎶
(If this is your first Xmas Quick Drop, head back to Day 01 to find out what's going on.)
Had a tad more time yesterday for a longer drop, but we're back on the original plan.
Most days, I live in “R” and “cyber”. As a result, I tend to err on the side of not mentioning either in these drops, for fear this newsletter will decay into just covering those comfort zones. I'll attempt to do a better job weaving in a bit more of those topics in '23. (Oh, yeah, the year's almost over, folks.)
We'll kick-start that today with three open-source cyber tools (“ecosystems” or “platforms” might be a better term) you may not be aware of.
NOTE: don't click away just yet (cybersecurity has a way of scaring/boring folks away)! You could save many 💰 with two of these resources (i.e., not pay a vendor for something you can deploy on your own), and the third might just turn you into a hardcore packet nerd.
Fleet [GH] is “the lightweight, programmable telemetry platform for servers and workstations. Get comprehensive, customizable data from all your devices and operating systems — without the downtime risk.”
So. Many. Fancy. Words.
TL;DR: Fleet uses osquery to stream accurate, real-time data from all your endpoints. You can't manage what you can't measure; most endpoints are opaque, disheveled messes, and that's one of the biggest problems in cybersecurity today.
Fleet enables you to:
Collect and send accurate security events to any external SIEM or data platform — like the one in the next section!
Enroll computers, update policies, and scan vulnerabilities in a CI/CD workflow.
Ask your devices anything, using the Fleet GUI, command line, or REST API.
You can do quite a bit with vanilla osquery, but Fleet adds some serious magic that you have to try out to truly appreciate.
(Very light, almost imperceptible apologies in advance to any former colleagues who are annoyed with me after this section.)
One thing you can count on in 2023 is that either some self-aggrandizing, giant analyst firm, or some desperate cybersecurity vendor will add or substitute a letter to what is now referred to as “XDR” (eXtended Detection and Response).
This section is suggesting you not shell out any coin for any*DR/SIEM.
Set up Fleet (previous section) on your endpoints (mebbe add Velociraptor into the mix), layer in runZero, then feed all the ensuing data streams into Wazuh, and give your security team(s) some serious superpowers.
When you're ready to level up from endpoint event and metadata collection to capturing and spelunking network data, head on over to Arkime [GH], an “open source, large scale, full packet capturing, indexing, and database system.” Think “Wireshark”, but for your entire network.
It has three components:
Capture—A threaded C application that monitors network traffic, writes PCAP formatted files to disk, parses the captured packets, and sends metadata (SPI data) to Elasticsearch.
Viewer—A node.js application that runs per capture machine. It handles the web interface and transfer of PCAP files.
Elasticsearch—The search database technology powering Arkime.
It scales to tens of gigabits/sec of traffic; PCAP retention is governed by the disk space available on each sensor, and metadata retention by the size of the Elasticsearch cluster. Meaning, you control the horizontal and the vertical, and can keep costs at bay whilst gaining some much-needed visibility.
You really have to try it out to fully appreciate it.
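The split Arkime's capture component makes, raw PCAP on disk versus per-session metadata in Elasticsearch, is easier to appreciate once you have walked a PCAP file by hand. The following is an added example, not Arkime's code: a minimal PCAP reader that handles both byte orders and the microsecond/nanosecond magic numbers, decodes Ethernet/IPv4/TCP-UDP headers into 5-tuples, and rolls packets up into bidirectional sessions with packet/byte counts and first/last timestamps (a toy stand-in for SPI data; Arkime's real session records carry far more). The sample capture is constructed in-code (addresses, ports and timestamps are made up), and checksums are left zero, which is fine for parsing but not for replay.

```python
"""Parse PCAP bytes into per-packet 5-tuples and roll them up into sessions."""
import socket
import struct

# pcap magic -> (struct byte-order prefix, timestamp fraction divisor)
MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian, microseconds
    0xD4C3B2A1: (">", 1_000_000),      # big-endian, microseconds
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian, nanoseconds
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian, nanoseconds
}
LINKTYPE_ETHERNET = 1


def decode_frame(frame):
    """Ethernet -> IPv4 -> TCP/UDP header fields; returns None for anything else."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4:
        return None
    l4 = ip[(ver_ihl & 0x0F) * 4:]              # skip IPv4 options, if any
    meta = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "sport": 0, "dport": 0, "tcp_flags": None}
    if proto in (6, 17) and len(l4) >= 4:       # TCP and UDP both start with the ports
        meta["sport"], meta["dport"] = struct.unpack("!HH", l4[:4])
    if proto == 6 and len(l4) >= 14:
        meta["tcp_flags"] = l4[13]
    return meta


def parse_pcap(data):
    """Yield decoded packets from pcap bytes; raise ValueError on a bad or truncated file."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    (magic,) = struct.unpack("<I", data[:4])    # magic is written in the file's own byte order
    if magic not in MAGICS:
        raise ValueError(f"not a pcap file (magic {magic:#010x})")
    endian, ts_div = MAGICS[magic]
    *_, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated packet record header")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet data")
        off += incl_len
        meta = decode_frame(frame)
        if meta:
            meta["ts"] = ts_sec + ts_frac / ts_div
            meta["wire_len"] = orig_len         # bytes on the wire, even if snaplen cut the copy
            yield meta


def sessionize(packets):
    """Group packets into bidirectional flows keyed on (proto, endpoint_a, endpoint_b)."""
    sessions = {}
    for p in packets:
        a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
        key = (p["proto"],) + tuple(sorted((a, b)))   # same key for both directions
        s = sessions.setdefault(key, {"initiator": a, "packets": 0, "bytes": 0,
                                      "first": p["ts"], "last": p["ts"]})
        s["packets"] += 1
        s["bytes"] += p["wire_len"]
        s["first"], s["last"] = min(s["first"], p["ts"]), max(s["last"], p["ts"])
    return sessions


def _tcp_frame(src, sport, dst, dport, flags, payload=b""):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def build_sample_pcap(endian="<"):
    """Constructed capture (made-up hosts): a TLS session opening plus a lone SSH SYN."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    frames = [
        (1671100000, 0, _tcp_frame("10.0.0.5", 51000, "93.184.216.34", 443, 0x02)),       # SYN
        (1671100000, 20000, _tcp_frame("93.184.216.34", 443, "10.0.0.5", 51000, 0x12)),   # SYN/ACK
        (1671100000, 40000, _tcp_frame("10.0.0.5", 51000, "93.184.216.34", 443, 0x18, b"\x16\x03\x01")),
        (1671100001, 0, _tcp_frame("10.0.0.7", 40000, "10.0.0.9", 22, 0x02)),             # SYN
    ]
    for sec, usec, f in frames:
        out += struct.pack(endian + "IIII", sec, usec, len(f), len(f)) + f
    return out
```

`sessionize(parse_pcap(build_sample_pcap()))` yields two sessions: the 10.0.0.5 to 93.184.216.34:443 flow with three packets, and the single SSH SYN. Note that the parser refuses a truncated file rather than silently returning partial results; on a busy sensor that is the difference between noticing a disk-full condition and quietly losing the tail of every capture.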
#protip: sometimes life on the bleeding edge is painful. Whatever Microsoft did to today's VS Code Insiders daily update really messed with the speed/UX of smooth typing/cursoring. Perhaps it's time to switch to the slow update channel. ☮