Many a time we come across blogs that claim Linux is impenetrable. It is not, but GNU/Linux servers and desktops do ship with a number of tools that help mitigate attacks. The catch is that this protection is rarely enabled by default: your security largely depends on which tools you configure to find vulnerabilities and malware, and on how you set them up to respond.

In this blog, we will discuss the 8 top defensive security tools to install in Linux. Defensive security is the subset of cybersecurity that focuses on preventing, detecting and responding to attacks in order to protect the organization. It ranges from network analysis to designing a security plan that keeps the integrated security controls effective.

The main tasks involved in defensive security are:

  • Configuring systems with security as a priority, to prevent intrusions
  • Monitoring systems constantly to spot attacks
  • Putting measures in place to limit the impact of a breach and to restore systems afterwards
  • Tracing the origin of malware, ransomware and other breaches
  • Combining physical, digital and procedural security practices to mitigate risk

Below are the 8 top defensive security tools to install in Linux.

1. Elastic SIEM

SIEM stands for Security Information and Event Management. A SIEM collects host and network logs and events, normalizes them into a common schema, and then analyzes the data to produce alerts, reports and searches. It gives security teams a central dashboard for their day-to-day work. Elastic's SIEM is the security app of the Elastic Stack (it is now marketed as Elastic Security).

(Image: Elastic SIEM overview. Source: elastic.co)

Elastic SIEM relies on several Elastic Stack components:

  • Elastic Endpoint Security: the endpoint agent that provides prevention, detection and response on hosts. Its events and security alerts are shipped straight to Elasticsearch.
  • Beats: lightweight shippers installed on the monitored systems; they forward security events and other data to Elasticsearch.
  • Elasticsearch: the real-time, distributed storage, search and analytics engine. It indexes the streams of logs, metrics and semi-structured data.
  • Kibana: the interface for visualizing and querying the data stored in Elasticsearch; the SIEM app runs inside it.

With Elastic SIEM, users get:

  • Holistic visibility: a central place to monitor and analyze activity across the environment.
  • Automated threat detection: detection rules run continuously against the collected data so teams can act in near real time.
  • Risk management: prebuilt machine learning jobs surface anomalous activity so that likely threats can be prioritized for triage.
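The normalization step described above, as an added example (not Elastic's code and not part of the original page): two constructed raw events, a syslog-style sshd line and a JSON record from a hypothetical firewall, are mapped onto a shared ECS-style schema and rendered as an Elasticsearch `_bulk` NDJSON body. The field names follow ECS; the index name `logs-siem`, the year supplied for the syslog timestamp and the firewall record's layout are assumptions of the example.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample events (not real logs): a syslog-style sshd line and a
# JSON record from a hypothetical firewall with its own field names.
SSHD_LINE = ("Mar  3 10:15:42 web01 sshd[2311]: Failed password for root "
             "from 203.0.113.7 port 51234 ssh2")
FW_JSON = ('{"ts": "2024-03-03T10:15:43Z", "src": "203.0.113.7", '
           '"dst": "10.0.0.5", "dport": 22, "action": "deny"}')

SSHD_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>[\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def normalize_sshd(line, year=2024):
    """Map an sshd auth line onto ECS-style fields. Syslog lines carry no
    year, so the caller supplies it (an assumption of this example)."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {
        "@timestamp": ts.isoformat(),
        "event": {"category": "authentication", "dataset": "sshd",
                  "outcome": "failure" if m["outcome"] == "Failed" else "success"},
        "host": {"name": m["host"]},
        "user": {"name": m["user"]},
        "source": {"ip": m["ip"], "port": int(m["port"])},
    }


def normalize_firewall(raw):
    """Map the firewall's own field names onto the same ECS-style schema."""
    d = json.loads(raw)
    return {
        "@timestamp": d["ts"],
        "event": {"category": "network", "dataset": "firewall",
                  "outcome": "failure" if d["action"] == "deny" else "success"},
        "source": {"ip": d["src"]},
        "destination": {"ip": d["dst"], "port": d["dport"]},
    }


def to_bulk(docs, index="logs-siem"):
    """Render documents as an Elasticsearch _bulk body (NDJSON: an action line,
    then the document line, newline-terminated). The index name is an assumption."""
    lines = []
    for doc in docs:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(doc, separators=(",", ":")))
    return "\n".join(lines) + "\n"


def cross_source_ips(docs):
    """The payoff of normalization: one question ("which source IPs appear in
    more than one data source?") is answered over every dataset with one field name."""
    seen = {}
    for doc in docs:
        ip = doc.get("source", {}).get("ip")
        if ip:
            seen.setdefault(ip, set()).add(doc["event"]["dataset"])
    return {ip: sorted(ds) for ip, ds in seen.items() if len(ds) > 1}


if __name__ == "__main__":
    docs = [normalize_sshd(SSHD_LINE), normalize_firewall(FW_JSON)]
    print(to_bulk(docs))
    print(cross_source_ips(docs))
```

The point of the shared schema is the last function: once both sources use `source.ip`, a single query (or detection rule) covers the sshd log and the firewall log alike, which is what lets a SIEM correlate across sources.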

2. CyberChef

CyberChef is a simple tool that provides an intuitive web interface for carrying out all manner of "cyber operations" on data. The operations range from simple encodings and obfuscation, such as Base64 and XOR, to ciphers such as AES, DES and Blowfish. You can also create binary and hex dumps, compress and decompress data, calculate hashes and checksums, change character encodings, parse IPv6 addresses and X.509 certificates, and much more. Operations are chained into a "recipe", which can be saved and shared so that a decoding workflow is reproducible.

The tool was created to help technical and non-technical staff manipulate data in complex ways without deep technical background knowledge.

CyberChef is made up of these 4 main areas:

(Image: the CyberChef interface. Source: CyberChef (GitHub))

  • Input box: at the top right, where you enter the text or file you want to operate on.
  • Output box: at the bottom right, where the result of your recipe is printed.
  • Operations list: on the far left, where you find all the operations CyberChef can perform.
  • Recipe area: in the middle, where you drag operations and specify their arguments and options.
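A typical CyberChef recipe, "From Base64" followed by "XOR Brute Force", reproduced in Python as an added example (it is not CyberChef's code and not part of the original page). The sample is constructed: a plaintext XOR-ed with a single-byte key and Base64-encoded. The scoring used to pick the key (lowercase letters and spaces first, printable ASCII as a tie-break) is this example's own heuristic and goes slightly beyond CyberChef's default, which lists every candidate for the analyst to inspect.

```python
import base64
import string

# Constructed sample: the Base64 text below was produced by XOR-ing a plaintext
# with a single-byte key and Base64-encoding the result. It is not a real artefact.
KEY = 0x5A
PLAINTEXT = b"powershell -enc SQBFAFgA http://198.51.100.9/stage2 && whoami"
SAMPLE = base64.b64encode(bytes(b ^ KEY for b in PLAINTEXT)).decode()

PRINTABLE = set(string.printable.encode())
COMMON = set(string.ascii_lowercase.encode()) | {0x20}   # lowercase letters and space


def from_base64(data: bytes) -> bytes:
    """CyberChef 'From Base64' (standard alphabet)."""
    return base64.b64decode(data)


def xor(data: bytes, key: int) -> bytes:
    """CyberChef 'XOR' with a 1-byte key."""
    return bytes(b ^ key for b in data)


def xor_brute_force(data: bytes):
    """CyberChef 'XOR Brute Force' restricted to 1-byte keys. Candidates are
    ranked by how much of the output looks like text: lowercase letters and
    spaces first, printable ASCII as a tie-break (this example's heuristic)."""
    ranked = []
    for key in range(256):
        out = xor(data, key)
        score = (sum(b in COMMON for b in out), sum(b in PRINTABLE for b in out))
        ranked.append((score, key, out))
    # Best score first; on equal scores prefer the smaller key.
    ranked.sort(key=lambda t: (t[0], -t[1]), reverse=True)
    return ranked


def run_recipe(data: bytes, recipe):
    """Apply a list of (operation, arguments) in order, like a CyberChef recipe."""
    for op, kwargs in recipe:
        data = op(data, **kwargs)
    return data


def recover(sample: str):
    """Full workflow: decode Base64, pick the best XOR key, then re-run the
    decoding as a fixed recipe so the result is reproducible."""
    raw = from_base64(sample.encode())
    _, key, _ = xor_brute_force(raw)[0]
    recipe = [(from_base64, {}), (xor, {"key": key})]
    return key, run_recipe(sample.encode(), recipe)


if __name__ == "__main__":
    key, plain = recover(SAMPLE)
    print(f"key=0x{key:02x} -> {plain.decode()}")
```

A pure "fraction printable" score is not enough on its own: XOR-ing with a key that differs from the real one only in its low bits keeps most bytes printable, so the ranking needs a feature (here, lowercase letters and spaces) that the wrong keys destroy.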

3. GVM vulnerability scanner

Vulnerability scanners are vital for finding weaknesses that a firewall cannot stop: unpatched services, weak configurations and exposed ports. They identify and report them so the risk can be mitigated before an attacker exploits them. Well-known commercial scanners include Qualys and Nessus.

OpenVAS (Open Vulnerability Assessment Scanner) is the scanning engine at the heart of Greenbone Vulnerability Management (GVM), one of the most widely used vulnerability scanners; the open-source distribution is now published as the Greenbone Community Edition. The same components form the core of Greenbone's commercial Greenbone Security Manager (GSM) appliances.

The tool was first released in 2009 and has been developed by Greenbone, a commercial open-source company, into a robust product. Some of the positives of GVM:

  • In existence since 2009, with daily feed updates and over 50,000 vulnerability tests (NVTs)
  • Backed by an enterprise security software company
  • Performs both authenticated (credentialed) and unauthenticated scans
  • Supports a number of low- and high-level internet and industrial protocols
  • Lets users write custom tests in NASL, the scanner's internal scripting language

This tool is suited to DevOps and security teams, especially those working on the "blue team" side. Pentesters can also use it when hunting bug bounties, bearing in mind that scans are noisy and must stay within the programme's scope.

(Image: Greenbone Vulnerability Management)

Greenbone publishes installation instructions for GVM (Greenbone Community Edition) in its documentation.

4. Arkime full packet capture

Are you looking for security infrastructure to store and index your network traffic in standard PCAP format? Then Arkime (formerly known as Moloch) full packet capture is the tool to go for. Arkime is not meant to replace an Intrusion Detection System (IDS); it complements one by giving analysts the full packets behind an alert.

(Image: Arkime sessions view. Source: arkime.com)

Arkime has many features. Some of them:

  • Security: the web interface is protected by HTTPS with digest passwords, or by placing an authenticating web-server proxy in front of it. The PCAPs stay on the Arkime sensors and are only reachable via the web interface or the API.
  • Scalability: it can be deployed across clustered systems to scale out and handle many gigabits of traffic per second.
  • Interface: the web interface lets you browse, search, analyze and carve PCAP for export. All packets are stored and exported in standard PCAP format, so you can hand them to your favourite PCAP tools (Wireshark, tcpdump) for analysis.
  • APIs: exposed APIs let you retrieve PCAP and JSON-formatted session data directly, for example to pull the packets for an IDS alert automatically.
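To make "standard PCAP format" concrete, an added example (not Arkime's code and not part of the original page) writes a pcap file from constructed Ethernet/IPv4/TCP frames, reads it back, and folds the packets into Arkime-style sessions keyed by the 5-tuple. Only the little-endian microsecond pcap header variant (magic 0xa1b2c3d4, link type Ethernet) is handled, and the IP and TCP checksums in the constructed frames are left at zero; both are simplifications of the example. The same file format is what a sensor hands to Malcolm, described further down this page.

```python
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4      # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame. Checksums are left at zero, which
    file-based tools tolerate; a real capture would carry valid ones."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    total = 20 + len(tcp)
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto=TCP, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def write_pcap(packets):
    """packets: list of (timestamp_seconds, frame_bytes). Returns the pcap file bytes:
    a 24-byte global header followed by 16-byte record headers and raw frames."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts, frame in packets:
        sec, usec = int(ts), int((ts - int(ts)) * 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


def read_pcap(data):
    """Yield (timestamp, frame) for every record; rejects other pcap variants."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    _, _, _, _, _snaplen, linktype = struct.unpack_from("<HHiIII", data, 4)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl


def sessions(pcap_bytes):
    """Fold packets into Arkime-style sessions keyed by the TCP 5-tuple."""
    table = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    for ts, frame in read_pcap(pcap_bytes):
        if frame[12:14] != b"\x08\x00":          # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:                        # not TCP
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        s = table[(src, sport, dst, dport, "tcp")]
        s["packets"] += 1
        s["bytes"] += len(frame)
        s["first"] = ts if s["first"] is None else s["first"]
        s["last"] = ts
    return dict(table)


if __name__ == "__main__":
    pkts = [(1.0, build_frame("10.0.0.5", "203.0.113.7", 40000, 443, b"GET")),
            (1.5, build_frame("10.0.0.5", "203.0.113.7", 40000, 443)),
            (2.0, build_frame("10.0.0.6", "10.0.0.1", 53000, 22))]
    for key, s in sessions(write_pcap(pkts)).items():
        print(key, s)
```

Because the on-disk format is this simple, anything Arkime exports can be opened by Wireshark or tcpdump, and conversely a capture taken elsewhere can be imported; the session table is the index Arkime builds so that you can search without re-reading every packet.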

5. TheHive incident response platform

TheHive is a Security Incident Response Platform designed to make it simple for SOCs, CSIRTs, CERTs and any information security practitioner to handle security incidents that need analysis and immediate remediation. It is the natural companion to MISP: it can be synchronized with one or more MISP instances and start investigations from MISP events, and the results of a case can be exported back as MISP events so that other teams can detect and react to attacks you have already handled. TheHive also works with Cortex, which lets analysts run analyzers over large numbers of observables (IPs, domains, hashes and so on) and responders to act on them. Note that TheHive 4 was the last release under an open-source licence; TheHive 5 is a commercial product from StrangeBee with a free tier, so check the licence of the version you deploy.

(Image: TheHive case view. Source: TheHive (GitHub))

The main features of TheHive are:

  • Multi-tenancy: it supports two models:
    • Siloed multi-tenancy: many organizations can be defined without sharing any data between them.
    • Collaborative multi-tenancy: organizations can collaborate on specific cases, tasks and observables, using custom-defined user profiles (RBAC).
  • RBAC: organizations can define granular permissions for different profiles. The built-in profiles include admin, org-admin, analyst and read-only.
  • Authentication: it supports LDAP, Active Directory, local accounts, Basic Auth, API keys, OAuth2 and multi-factor authentication.
  • Statistics and dashboards: a powerful statistics module helps users build meaningful dashboards to drive their activity and support budget requests.
  • Integrations: it integrates with MISP, Cortex, Digital Shadows, ZeroFox and others.
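The MISP-to-TheHive hand-off described above, as an added example (this is not TheHive's or MISP's code and not part of the original page): a constructed MISP event is converted into a TheHive alert, mapping MISP attribute types to TheHive observable data types, MISP threat levels to TheHive severities and `tlp:` tags to TheHive's numeric TLP. `sourceRef` is set to the MISP event UUID so that re-importing the same event does not create a second alert. The type mapping table and the defaults are assumptions of the example, and whether the observable list is called `artifacts` or `observables` depends on the TheHive API version you target, so check the API documentation of your installation before posting the result.

```python
# Constructed MISP event in the shape MISP's REST API returns (values made up).
MISP_EVENT = {
    "Event": {
        "id": "1042",
        "uuid": "5f1c1d2e-0000-4000-8000-000000000042",
        "info": "Constructed: phishing campaign dropping stage2",
        "threat_level_id": "1",
        "Tag": [{"name": "tlp:amber"}, {"name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\""}],
        "Attribute": [
            {"type": "ip-dst", "value": "203.0.113.7", "to_ids": True, "comment": "C2"},
            {"type": "domain", "value": "update.example.invalid", "to_ids": True},
            {"type": "sha256", "to_ids": False,
             "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
            {"type": "text", "value": "analyst note, not an observable", "to_ids": False},
        ],
    }
}

# Assumed mapping of MISP attribute types to TheHive observable data types.
MISP_TYPE_TO_THEHIVE = {
    "ip-dst": "ip", "ip-src": "ip", "domain": "domain", "hostname": "fqdn",
    "url": "url", "md5": "hash", "sha1": "hash", "sha256": "hash",
    "email-src": "mail", "email-dst": "mail", "filename": "filename",
}
# MISP threat_level_id: 1=high, 2=medium, 3=low, 4=undefined.
# TheHive severity: 1=low, 2=medium, 3=high, 4=critical.
THREAT_LEVEL_TO_SEVERITY = {"1": 3, "2": 2, "3": 1, "4": 2}
TLP_TAGS = {"tlp:white": 0, "tlp:green": 1, "tlp:amber": 2, "tlp:red": 3}


def misp_to_alert(event):
    """Build a TheHive alert payload from a MISP event.
    Returns (alert, skipped_attribute_types) so unmapped types are not lost silently."""
    e = event["Event"]
    tags = [t["name"] for t in e.get("Tag", [])]
    tlp = max((TLP_TAGS[t] for t in tags if t in TLP_TAGS), default=2)  # default amber
    artifacts, skipped = [], []
    for attr in e.get("Attribute", []):
        dtype = MISP_TYPE_TO_THEHIVE.get(attr["type"])
        if dtype is None:
            skipped.append(attr["type"])
            continue
        artifacts.append({
            "dataType": dtype,
            "data": attr["value"],
            "ioc": bool(attr.get("to_ids", False)),   # MISP's "use for detection" flag
            "tags": [f"misp:type={attr['type']}"],
            "message": attr.get("comment", ""),
        })
    alert = {
        "type": "misp",
        "source": "MISP",
        "sourceRef": e["uuid"],        # (type, source, sourceRef) identifies the alert
        "title": e["info"],
        "description": f"Imported from MISP event {e['id']}",
        "severity": THREAT_LEVEL_TO_SEVERITY.get(str(e.get("threat_level_id")), 2),
        "tlp": tlp,
        "pap": tlp,
        "tags": tags,
        "artifacts": artifacts,
    }
    return alert, skipped


if __name__ == "__main__":
    import json
    alert, skipped = misp_to_alert(MISP_EVENT)
    print(json.dumps(alert, indent=2))
    print("skipped attribute types:", skipped)
```

Keeping the MISP `to_ids` flag as the observable's `ioc` marker matters in practice: only attributes MISP considers detection-grade should light up as IOCs in the case, otherwise analysts drown in context-only values.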

6. Malcolm

Malcolm is a network traffic analysis suite that processes network traffic data in the form of packet capture (PCAP) files or Zeek logs. Below is a diagram of the Malcolm architecture:

(Image: Malcolm architecture. Source: Malcolm (GitHub))

A sensor or packet capture appliance monitors the network from a SPAN port on a network device such as a switch or router, or from a network TAP. Zeek logs and Arkime session records containing the required data are generated on the sensor and securely forwarded to Malcolm. The full PCAP files stay on the sensor and can be retrieved later for analysis.

Malcolm then enriches the network data with mappings and lookups, such as the hardware manufacturer derived from the Organizationally Unique Identifier (OUI) in each MAC address, GeoIP mapping and so on. The enriched data is stored as OpenSearch documents and can be analyzed through OpenSearch Dashboards or Arkime.

Below is an illustration of how Malcolm can be set up:

(Image: Malcolm deployment layout. Source: Malcolm (GitHub))

7. Suricata IDS

Suricata is an open-source intrusion and threat detection engine known for its high performance. It is used by many public and private organizations to protect their assets. It was created in 2009 by the Open Information Security Foundation (OISF). It can identify and stop attacks because it combines intrusion detection (IDS), intrusion prevention (IPS), network security monitoring (NSM) and offline PCAP processing in one engine; the same ruleset runs in any of these modes.

Below is an image of the free Suricata app in the Splunk store, developed by Eric Leblond of Stamus Networks:

(Image: Suricata app for Splunk. Source: suricata.io)

The cool features of Suricata are:

  • Integration: Suricata integrates with many respected commercial and open-source solutions, including Elasticsearch/Logstash, Kibana and Splunk.
  • High performance: this is what Suricata is known for. It inspects multi-gigabit traffic because its engine is multi-threaded, modern and highly scalable.
  • Automatic protocol detection: it detects the application protocol on any port and applies the matching detection and logging logic, so malware and C2 channels on non-standard ports still get the right rules applied.
  • Lua scripting: Lua can be used to extend outputs and to write signature logic too complex for the rule language alone.
  • Industry-standard outputs: the main logging output is EVE, which writes every event and alert as JSON. This makes it easy to feed Suricata into Logstash and similar tools.

Installation instructions for Suricata are in the Suricata documentation.
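Two pieces of detection logic over EVE output, as an added example (not Suricata's code and not part of the original page): a per-signature alert count, and a check that uses Suricata's automatic protocol detection to flag flows whose detected `app_proto` does not match what the well-known destination port implies (SSH on 443, say). The EVE lines are constructed for the example, with made-up addresses and signature names; the port-to-protocol table is an assumption.

```python
import json
from collections import Counter

# Constructed eve.json lines. The field layout follows Suricata's EVE format
# (event_type, alert{...}, flow{...}, app_proto); addresses and rule names are made up.
EVE_LINES = """
{"timestamp":"2024-03-03T10:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.7","src_port":51234,"dest_ip":"10.0.0.5","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":9000001,"rev":1,"signature":"CONSTRUCTED SSH brute force","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2024-03-03T10:00:02.000000+0000","event_type":"alert","src_ip":"203.0.113.7","src_port":51235,"dest_ip":"10.0.0.5","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":9000001,"rev":1,"signature":"CONSTRUCTED SSH brute force","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2024-03-03T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.9","src_port":40100,"dest_ip":"198.51.100.4","dest_port":443,"proto":"TCP","alert":{"action":"allowed","signature_id":9000002,"rev":1,"signature":"CONSTRUCTED SSH on non-standard port","category":"Potential Corporate Privacy Violation","severity":2}}
{"timestamp":"2024-03-03T10:00:04.000000+0000","event_type":"flow","src_ip":"10.0.0.5","src_port":41000,"dest_ip":"198.51.100.4","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":12,"pkts_toclient":10,"bytes_toserver":2300,"bytes_toclient":8100}}
{"timestamp":"2024-03-03T10:00:05.000000+0000","event_type":"flow","src_ip":"10.0.0.9","src_port":40100,"dest_ip":"198.51.100.4","dest_port":443,"proto":"TCP","app_proto":"ssh","flow":{"pkts_toserver":30,"pkts_toclient":28,"bytes_toserver":6000,"bytes_toclient":7000}}
{"timestamp":"2024-03-03T10:00:06.000000+0000","event_type":"flow","src_ip":"10.0.0.5","src_port":41001,"dest_ip":"10.0.0.20","dest_port":8080,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":4,"bytes_toserver":600,"bytes_toclient":900}}
""".strip().splitlines()

# Assumed expectations for well-known ports; extend to match your environment.
EXPECTED_APP_PROTO = {22: "ssh", 53: "dns", 80: "http", 443: "tls"}


def parse_eve(lines):
    """EVE is one JSON object per line. Skip blank or malformed lines rather
    than aborting: a truncated last line is normal on a live log."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def alert_summary(events):
    """Count alerts per (severity, signature). In Suricata, severity 1 is the most urgent."""
    counter = Counter()
    for ev in events:
        if ev.get("event_type") == "alert":
            a = ev["alert"]
            counter[(a["severity"], a["signature"])] += 1
    return counter


def protocol_mismatches(events):
    """Flag flows whose detected app_proto is not what the destination port implies.
    'failed' means Suricata could not identify the protocol and is ignored here."""
    hits = []
    for ev in events:
        if ev.get("event_type") != "flow":
            continue
        expected = EXPECTED_APP_PROTO.get(ev.get("dest_port"))
        actual = ev.get("app_proto")
        if expected and actual and actual not in ("failed", expected):
            hits.append((ev["src_ip"], ev["dest_ip"], ev["dest_port"], actual))
    return hits


if __name__ == "__main__":
    events = parse_eve(EVE_LINES)
    for (severity, signature), n in sorted(alert_summary(events).items()):
        print(f"sev{severity} x{n} {signature}")
    print("protocol mismatches:", protocol_mismatches(events))
```

The mismatch check is only possible because Suricata records the protocol it actually detected rather than assuming it from the port; the same flow record also carries byte and packet counts in both directions, which is the next thing to look at for a suspected tunnel.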

8. Zeek IDS

Zeek (formerly Bro) is an open-source network traffic analyzer used by many organizations to support investigations of suspicious or malicious activity. It also supports other traffic analysis tasks, such as performance measurement and troubleshooting.

Zeek users benefit greatly from its wide set of logs describing network activity. These include a comprehensive record of every connection seen on the wire (conn.log) plus application-layer transcripts: HTTP sessions with the requested URIs, DNS requests and replies, TLS certificates, MIME types of transferred files and more. By default Zeek writes these logs as tab-separated text with a self-describing header (the '#fields' and '#types' lines); it can also be switched to one JSON object per line, which is the easier format to hand to external tools, databases or a SIEM for storage, analysis and visualization.
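A parser for both Zeek log formats, as an added example (not Zeek's code and not part of the original page): it reads the default tab-separated layout from its `#separator`, `#unset_field`, `#fields` and `#types` headers, converting values according to the declared Zeek types, and reads JSON-lines logs as well. Two simple detections then run over the records: long-lived connections and originators rejected on many ports of one responder. The conn.log sample is constructed for the example; the thresholds are assumptions.

```python
import json
from collections import defaultdict

# Constructed conn.log in Zeek's default tab-separated format (header lines
# start with '#'; '-' marks an unset field). Addresses and uids are made up.
CONN_TSV = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring",
    "1709460001.123456\tCx1aaa\t10.0.0.5\t51000\t203.0.113.7\t443\ttcp\tssl\t3605.2\t1200\t88000\tSF",
    "1709460002.000000\tCx2aaa\t10.0.0.9\t40001\t10.0.0.20\t22\ttcp\t-\t0.01\t0\t0\tREJ",
    "1709460002.100000\tCx3aaa\t10.0.0.9\t40002\t10.0.0.20\t23\ttcp\t-\t0.01\t0\t0\tREJ",
    "1709460002.200000\tCx4aaa\t10.0.0.9\t40003\t10.0.0.20\t80\ttcp\t-\t0.01\t0\t0\tREJ",
    "1709460002.300000\tCx5aaa\t10.0.0.9\t40004\t10.0.0.20\t445\ttcp\t-\t0.02\t0\t0\tREJ",
    "#close\t2024-03-03-10-05-00",
])

FLOAT_TYPES = {"time", "interval", "double"}
INT_TYPES = {"count", "int", "port"}


def _convert(value, ztype, unset):
    """Apply the Zeek type declared in the '#types' header to one field."""
    if value == unset:
        return None
    if ztype in FLOAT_TYPES:
        return float(value)
    if ztype in INT_TYPES:
        return int(value)
    return value


def parse_zeek_log(text):
    """Parse a Zeek log in either format: TSV with '#fields'/'#types' headers
    (the default) or one JSON object per line (LogAscii::use_json=T)."""
    records, fields, types = [], None, None
    sep, unset = "\t", "-"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("{"):                      # JSON-lines variant
            records.append(json.loads(line))
            continue
        if line.startswith("#separator "):            # e.g. '#separator \x09'
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, rest = line[1:].partition(sep)
            if key == "unset_field":
                unset = rest
            elif key == "fields":
                fields = rest.split(sep)
            elif key == "types":
                types = rest.split(sep)
            continue
        values = line.split(sep)
        records.append({f: _convert(v, t, unset) for f, v, t in zip(fields, values, types)})
    return records


def to_json_lines(records):
    """Re-emit records as Zeek's JSON log format (one object per line)."""
    return "\n".join(json.dumps(r) for r in records)


def long_connections(records, min_seconds):
    """Connections alive at least min_seconds: long-lived tunnels and C2 channels."""
    return [r["uid"] for r in records if (r.get("duration") or 0) >= min_seconds]


def port_scanners(records, min_ports):
    """Originators that were rejected on at least min_ports distinct ports of one responder."""
    touched = defaultdict(set)
    for r in records:
        if r.get("conn_state") == "REJ":
            touched[(r["id.orig_h"], r["id.resp_h"])].add(r["id.resp_p"])
    return {pair: len(ports) for pair, ports in touched.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    recs = parse_zeek_log(CONN_TSV)
    print("long connections:", long_connections(recs, 3600))
    print("port scanners:", port_scanners(recs, 3))
```

Reading the types from the header rather than hard-coding them means the same parser works for any Zeek log (dns.log, ssl.log, ...) and keeps working when a script adds a column; the JSON-lines branch covers deployments that have already switched formats for their SIEM.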

(Image: Zeek log pipeline. Source: criticalpathsecurity.com)

Zeek mainly finds use in the following areas:

  • Anomaly detection: Zeek's logs let you investigate unusual activity and decide whether it is a benign anomaly or a threat to your infrastructure, then act accordingly.
  • Correlated vulnerability management data: Zeek's record of which hosts, services and software versions are actually talking on the network gives a fuller picture of what you are trying to mitigate.
  • Interconnected hybrid network visibility: standalone sensors can be placed in locally or globally distributed network segments to gain visibility across them.
  • Encrypted traffic investigation: even when payloads are encrypted, Zeek records connection metadata, handshake details and certificates for protocols such as SSH, TLS/SSL and SMTP over TLS, which is often enough to support a response.

All in all, Zeek provides several advantages for security and network teams who want to understand how their infrastructure operates.

Verdict

That brings us to the end of this guide to the 8 top defensive security tools to install in Linux. Many other tools have not been covered here; choose the ones that work best for you.
