After exploring our red team tools and phishing tools collections, it’s time to spend some time in the blue shoes. We have searched, tested and aggregated a list of the best blue team tools that will aid in many different blue team operations.
There are a few categories of tools we haven’t included in this list, as they’re similar to ones we’ve mentioned as offensive tools. In fact, many tools and methodologies can be translated from red teams to blue teams. So if you notice a lack of OSINT or social engineering tools in this blog entry, we highly recommend going through our red team toolkit.
Without further ado, let’s dive into the best blue team tools to enrich your defensive toolkit!
Best blue team tools to enrich your defensive toolkit
As always, our focus is on free, open source tools and solutions, but we’ve also mixed in a few commercial, enterprise solutions to cover various needs across different organizations.
A honeypot is a decoy computer system or application that aims to attract malicious actors who are trying to attack computer networks. Once the attacker falls into the decoy trap, the honeypot is there to allow administrators to collect valuable data on the attacker, the type of the attack, and even identify the attacker. With honeypots, blue teams are able to identify emerging threats, and generate threat intelligence which can be used to make better informed decisions on the preventative techniques the organization employs against network threats.
There are different honeypots, with different complexities:
- Pure honeypot
- High-interaction honeypot
- Medium-interaction honeypot
- Low-interaction honeypot
Additionally, we can recognize several different honeypot technologies in use, such as SSH, HTTPS, database, server, client, malware, spam email and IoT honeypots, among others.
In the following list, we’ve included a good mix of different types of honeypots to suit different organizations’ needs. If you’d like to learn even more about honeypots and their place on the defensive side of security, we have a fully dedicated post featuring the 20 best honeypots, with a list that goes into more detail than we were able to share here.
Kippo is a well-known medium-interaction SSH honeypot written in Python. This tool is designed to detect and log brute force attacks as well as the complete shell history performed by an attacker.
Kippo offers a fake file system that can add and remove files, and among other features it can also offer fake content to attackers, engage some trickery with SSH pretending to connect somewhere, and the like. Also available is kippo_detect, which allows you to detect the presence of a kippo honeypot.
Glastopf is an HTTP-based honeypot written in Python. Glastopf can emulate different vulnerability types, with attack emulations including local and remote file inclusion, SQL injection and HTML injection via POST request, among others.
ElasticHoney is, as the name implies, a honeypot designed for one specific type of database: Elasticsearch. It’s a simple yet effective honeypot with the ability to capture malicious requests attempting to exploit RCE vulnerabilities in Elasticsearch. Written in Go, ElasticHoney offers binaries for most platforms, and is available for Windows and Linux.
Artillery is not just a honeypot, but a monitoring tool and alerting system as well. With Artillery, you can set up the most common and most scanned ports, and blacklist anyone who tries to connect to them.
This tool can also monitor SSH logs looking for brute force attempts, and will email you when an attack occurs. It’s available for both Windows and Linux, although some features might be unavailable for Windows users.
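The log-watching side of that workflow, as an added example that is not Artillery’s own code: a sliding-window count of failed sshd logins per source address over constructed auth log lines, producing an alert and a blocklist once a source crosses a threshold. The log format, threshold and window are assumptions for the example.

```python
"""Added example (not Artillery's code): flag SSH brute-force attempts in
sshd auth log lines and build a blocklist of the offending source addresses."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the common syslog/sshd format (not real logs).
SAMPLE_AUTH_LOG = """\
Mar 10 08:00:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 08:00:03 bastion sshd[1203]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 08:00:04 bastion sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51026 ssh2
Mar 10 08:00:06 bastion sshd[1207]: Failed password for root from 203.0.113.7 port 51028 ssh2
Mar 10 08:00:07 bastion sshd[1209]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Mar 10 08:00:09 bastion sshd[1211]: Failed password for root from 203.0.113.7 port 51032 ssh2
Mar 10 08:05:30 bastion sshd[1300]: Failed password for alice from 198.51.100.4 port 40010 ssh2
Mar 10 08:05:41 bastion sshd[1302]: Accepted publickey for alice from 198.51.100.4 port 40012 ssh2
Mar 10 09:20:00 bastion sshd[1400]: Failed password for root from 192.0.2.9 port 60001 ssh2
Mar 10 09:40:00 bastion sshd[1402]: Failed password for root from 192.0.2.9 port 60002 ssh2
Mar 10 10:00:00 bastion sshd[1404]: Failed password for root from 192.0.2.9 port 60003 ssh2
Mar 10 10:20:00 bastion sshd[1406]: Failed password for root from 192.0.2.9 port 60004 ssh2
Mar 10 10:40:00 bastion sshd[1408]: Failed password for root from 192.0.2.9 port 60005 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(log_text, year=2024):
    """Return [(timestamp, ip, user)] for each failed-password line; other lines are ignored."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog lines carry no year, so one is assumed to build comparable timestamps
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["ip"], m["user"]))
    return failures

def detect_brute_force(failures, threshold=5, window_seconds=60):
    """Sliding window per source IP: report an IP once it has >= threshold
    failures inside window_seconds, keeping the most recent qualifying window.
    Note the slow attacker (one try every 20 minutes) never trips this rule;
    a longer window or a per-day budget is needed to catch low-and-slow guessing."""
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(failures):
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = {
                    "first_seen": events[start][0],
                    "last_seen": events[end][0],
                    "attempts": count,
                    "users": sorted({u for _, u in events[start:end + 1]}),
                }
    return alerts

def blocklist(alerts):
    """Source addresses that crossed the threshold, ready to feed a firewall deny list."""
    return sorted(alerts)

if __name__ == "__main__":
    found = detect_brute_force(parse_failures(SAMPLE_AUTH_LOG))
    for ip, info in found.items():
        print(f"ALERT {ip}: {info['attempts']} failures in window, users tried {info['users']}")
    print("blocklist:", blocklist(found))
```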
What happens in a sandbox, stays in a sandbox. Similar to a honeypot, a sandbox is a preventative and analysis technology used for security deception. Sandboxing allows blue teams and security researchers to run and test applications, install malware or execute potentially malicious code in an isolated environment.
Sandboxing is often performed on a dedicated virtual machine on a virtual host, and blue teams can safely test malware against multiple different OS versions, analyze the malware and even determine if their anti-malware solutions have properly flagged a malicious file, and all that on machines that are separate from the actual network.
There are numerous open source and commercial sandboxing tools available, and here we’ve highlighted our favorites among them for blue teams:
Cuckoo Sandbox is, as they claim, the leading open source automation malware analysis tool. You can feed it potentially malicious files, and get reports on how the file behaves when executed in an isolated and safe environment.
With Cuckoo you can analyze all kinds of different files, PDFs, emails, and even websites; trace API calls and behaviour of the file; and dump and analyze all network traffic, including even traffic encrypted with SSL/TLS.
Straight from CrowdStrike, we have Falcon Sandbox. Falcon Sandbox allows you to perform deep analysis of unknown threats and zero-day exploits, and provides threat intelligence and indicators of compromise, to provide actionable results that allow blue teams to better understand malware and in turn, build stronger defenses.
Firejail is a Linux SUID sandbox program written in C that helps reduce the risk of security breaches by sandboxing the running environment of untrusted applications, giving the process and all of its descendants their own private view of globally shared kernel resources. Additionally, it can sandbox servers, graphical apps and login sessions.
Valkyrie Comodo is an online file verdict system that employs numerous methods to test unknown files, to determine whether those files are malicious. One of Valkyrie’s strong suits is detecting zero-day threats missed by traditional antivirus solutions. In order to ensure each submitted file is thoroughly analyzed, Valkyrie deploys both automatic and human analysis.
In cybersecurity it’s important to consider not ‘if’ a cyber attack will occur, but ‘when’. This is why incident response is not only an important blue team activity, but also a crucial security operation for organizations of all sizes, industries and technologies.
Incident response is the reaction to a data breach or cyber attack where the blue team identifies the threat actors, attempts to contain the security incident, eradicates it from the network, and then focuses on recovering the system or network after the attack. This includes drawing conclusions and amassing knowledge that can later be used to harden the organization’s security defenses.
Incident response prepares both team and organization for worst case scenarios and different types of cyber crime and threats, so having the right tools is key to making this process more streamlined and efficient. Here are our top picks for the best blue team incident response tools:
No list of blue team tools would be complete without this one. Forget 3-in-1, TheHive Project is here with their 4-in-1 security incident response platform that allows collaborative investigation among the team; cases can be created from a customizable template engine, and hundreds of thousands of observables can be added to each investigation. When used in conjunction with their Cortex, you’ll have the ability to analyze numerous observables at once using more than a hundred analyzers, and contain and eradicate malware or security incidents.
GRR Rapid Response
GRR Rapid Response is an open source incident response framework focused on remote live forensics. A Python client is installed on target systems, and server infrastructure manages and talks to those clients.
It was built to run at scale, so blue teams are able to collect data from a large number of machines. GRR supports Linux, OS X and Windows clients, and has search and download capabilities for files and the Windows registry, among many other features.
The Mozilla Enterprise Defense Platform, better known as MozDef, will help you automate security incident response and provides a platform for blue teams to quickly and efficiently discover and respond to security incidents.
It provides metrics for security incidents, facilitates real-time collaboration in blue teams, and as they claim, goes beyond traditional SIEM solutions in automating incident response processes.
Cyphon is an open source tool that streamlines a number of incident response tasks through a unified platform. This platform receives, processes and triages security events and incidents in order to aggregate data and prioritize alerts, and provides blue teams with the ability to efficiently investigate and document those incidents.
Log management and analysis
Another important piece of the blue team methodology puzzle is log management and analysis. Data collected through different sources and tools needs to be analyzed and correlated across different technologies so that both performance problems in applications and programs and security issues are uncovered.
With log management, blue teams collect, format, aggregate and analyze log data from different applications, services and hosts and map it back to business requirements or an organization’s strategic issues.
Log management is often the stumbling block in many organizations due to the large volume of collected logs which leads to a vast number of false positives, and they are nobody’s favorite. Not to mention that not every log needs to be collected or stored. This is why having an arsenal of tools for log management and analysis is desirable, so blue teams can easily pinpoint any security issues. The good news is, we’ve found the right tools for exactly that:
As we’ve mentioned before, Splunk is one of the best cybersecurity companies around. It offers log management services and provides software that merges and indexes any and all log and machine data. It also gives you the ability to collect, store, index, search, correlate, analyze and report on any machine-generated data to detect and fix security issues.
Log analysis by Loggly! Loggly is a cloud-based log management and analysis software that provides the ability to collect logs from your infrastructure, track their activity and analyze trends.
Loggly is easy to use, and is a managed service so it’s not only dedicated to blue teams—customer service and product management can find great use in it as well, to collect and analyze logs from a large number of sources, proactively monitor them, and perform diagnostics and troubleshooting.
Fluentd is an open source data collector for a unified logging layer. With Fluentd you’ll be able to unify data collection and use, to enhance your understanding of data. With over 500 plugins that connect Fluentd with many sources and outputs, you’ll benefit from better informed use of your logs.
Quite well known, Sumo Logic is a log management and security analytics service. Cloud-based, it provides real-time insights by leveraging machine-generated data, similar to Splunk.
Real-time analytics help identify and resolve potential cyber attacks, and their machine-learning algorithms will alert you in case of a significant security event.
While important for both red and blue teams, adversary emulation is a defensive technique in itself.
Borrowing the “being in attackers’ shoes” methodology from red teams, blue teams use exercises and tools that simulate a sophisticated cyber attack as realistically as possible, in order to get a grasp of an organization’s attack surface and uncover any security holes and vulnerabilities in their defenses.
Performing adversary emulation provides blue teams with actionable data that helps them uncover and resolve vulnerabilities and security issues. It also allows them to assess the effectiveness of currently used security controls, solutions, and their capabilities to detect and prevent suspicious behaviour and malicious attackers. Let’s look at some of our favorite adversary simulators:
APTSimulator is, you guessed it, an adversary emulation tool, but one that is designed with simplicity in mind. Installation and getting it running takes about a minute, and anyone can read, modify and/or extend it. This Windows batch script uses different tools and output files to make a system look as if it were compromised.
Now, that’s a memorable name. The DumpsterFire is a cross-platform tool designed to build repeatable and distributed security events. Blue teams can customize event chains and simulate realistic cybersecurity scenarios to solidify their alert mapping.
Built on the MITRE ATT&CK™ framework, Caldera is an automated adversary emulation framework that allows you to easily run breach and simulation exercises, and can even help with automated incident response. While it’s often used as a red team tool, as we’ve mentioned, many offensive tools can be utilized for blue teams as well. Caldera is no exception.
Blue Team Training Toolkit
Don’t you love it when the name of a tool is so straightforward that it might not even need an explanation? We do too. But Blue Team Training Toolkit does deserve an introduction, and an explanation. BT3, as it’s commonly called, is a defensive security training software that allows you to create realistic attack scenarios with specific IoCs and evasion techniques.
With it you can create training sessions with behavioral and traffic patterns associated with malware, without actually executing real and dangerous malware.
Security Information and Event Management, or SIEM for short, is software that provides real-time analysis of security events by collecting data from different sources and analyzing it against specific criteria in order to catch suspicious activity and cyber attacks.
The process of SIEM tools starts by collecting data from network devices, servers, and numerous other sources, normalizing and correlating collected data so the data can be analyzed further to uncover threats and provide organizations visibility into security incidents and breaches.
SIEM solutions and tools have been a must-have for any security ecosystem, but are often either not used correctly (teams have a hard time utilizing SIEM data for incident response) or are just too expensive. This is why we have, just as with this entire collection of best blue team tools, focused on open source SIEM solutions:
AlienVault brings us their SIEM solution, called OSSIM. One of the most commonly used open source SIEMs, OSSIM provides event collection and correlation. Some of its capabilities include asset discovery, vulnerability assessment, and intrusion detection, among others.
Elastic Stack is a group of products from Elastic that takes data from any source, and searches, analyzes, and visualizes that data in real-time. Formerly known as ELK Stack, it comprises Elasticsearch, Kibana, Beats and Logstash. They’ve described their service in a few simple words: Parse, enrich, anonymize, and more.
SIEMonster is a well-loved and affordable security monitoring software solution that is, in fact, a collection of the best open source security tools available, along with their own developments.
Judging by the creators’ claims, OSSEC is the world’s most used host intrusion detection system, or HIDS.
Open source and free, OSSEC performs log analysis, rootkit detection, Windows registry monitoring and much more. It detects and alerts on unauthorized file system modifications and malicious behavior, making it a great addition to your blue team toolkit.
Endpoint Detection and Response
Endpoint Detection and Response, or EDR for short, refers to tools and solutions that help blue teams and security researchers collect, document and store data coming from endpoint activities in order to uncover, analyze and mitigate threats found on said endpoints.
EDR tools are sort of the newbies in the cybersecurity toolkits of professionals. They’re often compared to advanced threat protection solutions based on their capabilities to detect and protect organizations against cyber threats that aim to penetrate endpoints and endanger the organization’s security.
Often used by SOC teams, EDR solutions are also great additions to blue team toolkits, and these are our top picks:
Ettercap is well known as an open source network security tool for man-in-the-middle attacks on LAN. Ettercap features sniffing of live connections, content filtering and supports active and passive dissection of many protocols.
Written in C, it also includes many features for network and host analysis such as filtering packets based on IP source and destination, MAC address, using ARP poisoning to sniff on a switched LAN between two hosts, and much more.
Wazuh is an open source platform for threat detection, integrity monitoring and incident response. It allows you to collect, aggregate, index and analyze data and offers intrusion detection, vulnerability detection, cloud and container security, all in one platform.
For a two-in-one product, we have EventTracker, which is both a SIEM and an EDR. EventTracker provides an adaptive security architecture that integrates prediction, protection, detection and response.
It provides all of these capabilities in one unified tool, making it cost-effective and handy for making incident response and endpoint detection and response a continuous process.
Network Security Monitoring
Network security monitoring tools monitor your network activity, traffic and devices to detect and uncover cyber threats, security vulnerabilities or simply any suspicious activity. These tools collect and analyze indicators of compromise and provide actionable data and alerts to security analysts and blue teams in order to properly respond to security incidents.
These tools help blue teams get real-time insights into activities in the network, and continuously monitor and alert before real damage occurs, giving them the ability to remediate security issues in a timely manner.
There are many different network security monitoring tools out there, with different capabilities. Here’s a mix of platforms and solutions with different functionalities:
Formerly known as Bro, Zeek is an open source network security monitoring platform that sits on a hardware, software, virtual or cloud platform and observes network traffic, interprets what it sees and creates transaction logs, file content and fully customized output, which is suitable for manual analysis.
One of the more widely used network security monitoring tools, Wireshark is a household name. Wireshark performs deep analysis of hundreds of protocols, live capture and offline analysis, VoIP analysis, and reads capture files compressed with gzip, decompressing them on the fly.
Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others.
Real Intelligence Threat Analysis, or RITA, is an open source framework for network traffic analysis. It supports beaconing detection, DNS tunneling detection and blacklist checking.
Maltrail, a malicious traffic detection system, is an open source tool that utilizes publicly available blacklists of malicious and suspicious trails, as well as static trails compiled from various AV reports and custom user-defined lists. Additionally, it uses advanced heuristic mechanisms to help identify unknown network threats.
Patience, critical thinking and creativity are the three pillars of effective threat detection, or threat hunting as it’s also called. Threat hunting is a complicated process, and with all of its technical aspects, one that can’t be easily explained. Stay tuned for an entire post dedicated to it!
We mentioned earlier that in cybersecurity, preparing for a cyber attack is the best stance possible, not pondering whether one will happen. Threat detection starts at exactly that point.
Employing both manual and automated techniques and methods, threat hunters are a valuable addition to blue teams, empowering them to uncover possible ongoing threats that have already penetrated security defenses and systems. As threat hunting is a broad topic that covers many methodologies and tools, we’ve focused on those tools that we find easy to use and integrate, to effectively aid in threat detection:
ThreatHunting is a Splunk app that contains numerous dashboards and over a hundred reports that will help you enable hunting indicators, allowing you to investigate them further.
“The pattern-matching Swiss army knife for malware researchers”, Yara is, we’d like to add, also for blue teamers. This tool will help you identify and classify malware samples, and create descriptions of malware families, with each description consisting of a set of strings and boolean expressions which determine its logic.
The Hunting ELK, or HELK for short, is an open source threat hunting platform that provides advanced analytics capabilities such as a declarative SQL language, structured streaming, and machine learning via Jupyter notebooks and Apache Spark over the ELK (now Elastic) Stack. This tool helps improve the testing and development of threat hunting use cases and enables data science capabilities.
A network is an attacker’s favorite and often prime target for cyber attacks. Protecting the network with advanced and managed network defense solutions is one of the first steps to take in order to harden the security defenses and posture of an organization.
There are many different tools and solutions to aid in network defense: firewalls, intrusion detection systems (IDS), web application firewalls (WAF), data loss prevention tools (DLP), application controls, spam blockers, etc.
For this list we’ve decided to focus on firewalls, system firewalls, WAFs and IDSs:
ModSecurity, or ModSec, is an open source web application firewall that offers real-time application security monitoring and access control, full HTTP traffic logging, continuous passive security assessment, web application hardening and more.
Another security platform that offers a number of different security functionalities, Wallarm is, in addition to being a WAF, able to perform application vulnerability scanning, threat verification and application security testing. This platform also provides automated protection against the OWASP Top 10 Web Application Security Risks, application DDoS, account takeover, and other application security threats.
A network intrusion detection and prevention system, SNORT is an open source tool offering real-time traffic analysis and packet logging. SNORT is one of the more commonly used intrusion prevention systems and it offers protocol analysis, content searching and matching.
Fortinet Security Fabric
To help you cope with the growing attack surface and threats in the current threat landscape, Fortinet Security Fabric provides security-driven networking, zero-trust network access, dynamic cloud-security and AI-driven security operations. Often voted as one of the best firewall solutions out there, Fabric is a leading automated network defense platform.
A well-loved open source system firewall, pfSense is based on FreeBSD OS. Their free community edition offers not only a firewall, but also a state table, server load balancing, network address translator, a VPN, and much more.
ConfigServer Security & Firewall, or CSF, is another system firewall, or more specifically a firewall configuration script, as well as a login/intrusion detection application for Linux servers. It configures a server’s firewall to deny public access to services and only allow certain connections, such as checking email or loading websites. This suite of scripts provides an SPI iptables firewall script and a daemon process that checks for login authentication failures, complementing CSF.
Navigating through the many tools, solutions and resources appropriate for blue teams and their operation can get overwhelming, so we’ve compiled this list of the best blue team tools with the same goal we kept in mind while making our list of red team tools: to keep things simple. Now that we’ve provided you with a cheat sheet of the best offensive and defensive blue team security tools, solutions and frameworks available, we hope you found your favorite tools on this list, and that you’ve also discovered some new ones that will help with your security blue team needs.
But that’s not all!
SecurityTrails SurfaceBrowser™ is a perfect solution for blue teams, one that allows them to detect and prevent any security issues found in an organization’s unseen area of DNS records, domains, subdomains, IP addresses, SSL certificates and open ports.
Discover the external surface area through a unified web interface, and monitor and detect critical exposed data to strengthen security defenses. Contact us to learn more about this all-in-one threat intelligence tool today!