Last year, we wrote about a novel security tool that Cybera’s security team had made open source. The “plaintext password sniffer,” or SniffPass, was first developed by the University of Alberta’s security team to detect and secure their institution against phishing attempts or insecure online passwords.
Cybera’s security analyst made SniffPass available in Zeek, a popular open source network security monitoring tool that is free and easy to use. Since then, we have learned about several projects within Canada and around the world that have begun to use SniffPass. One of these projects is called Malcolm. Developed by Seth Grover at the Idaho National Laboratory, in support of the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), Malcolm is simplifying security rollouts for public industry projects.
In this post, we talked to Seth about the Malcolm project, and the benefits of open source security tools.
What issue is the Malcolm project looking to solve?
As with many other rural-based organizations, the US has had some smaller government infrastructure agencies that have experienced problems with staffing, particularly with cybersecurity. This is especially true if the job requires the staff member to move to a rural location.
We were asked to create something that would give people who are monitoring infrastructure, such as dams, a low barrier of entry to gain more visibility into their networks. Ideally, this would be something quick and easy to set up and manage, and they wouldn’t need to be super experienced to use it.
Budgeting is also important, as most of the organizations we’re dealing with can’t afford the top-of-the-line SIEM solutions.
We developed Malcolm to serve IT and OT (operational technology) projects, like industrial control systems.
How does Malcolm address this issue?
The idea behind Malcolm was to pull well-known, industry standard tools into a “tool suite,” and integrate them in such a way that it’s not difficult to get set up. We focused on open source tools that could be set up in such a way that the end user would not have a steep learning curve to implement them.
Some of the tools we included were Arkime (a full packet capture analysis engine), CyberChef (a simple, intuitive web app for carrying out encryption, encoding, compression and data analysis within a web browser), and Zeek, a fantastic network analysis engine.
All require some background experience and command line knowledge to set up, so the goal with Malcolm is to have these tools set up and ready for a non-technical person to deploy.
While SniffPass is just one cog in this big machine we’re putting together, it does provide a great deal of value, given the major vulnerabilities it is able to detect.
As well as tools, Malcolm also includes a list of network protocols that we’ve gained insights on, from the most common ones (FTP, HTTP, e.g.), to ones that aren’t as well known, like the ICS protocols.
So, how does Malcolm work once it’s been set up?
Malcolm focuses on common vulnerabilities, like the Microsoft Printspooler. When its plugin triggers, a red flag is raised in the dashboard, which guides the end user to where they should investigate.
So they go from “I don’t know what to look at in my network,” to a suite of tools that highlights specific threats and issues. The information Malcolm provides includes the source and destination server of the issue, what files were downloaded, whether the authentication failed, whether it was internal or external, etc.
The organization running the tools will ultimately determine how to respond to the event, Malcolm just provides context. But this is already much easier than trying to do it the old fashioned way, which would have required opening up tools and trying to capture an issue as it’s happening live. Here, issues are captured and indexed. This is great for someone who is not a network forensics expert.
What kinds of organizations is it geared towards?
Malcolm is still a relatively new project, and has only been on GitHub for two years. But it’s started to pick up a lot of attention in the last six months or so.
We’ve received interest from small-to-medium sized companies that don’t have a lot of money or people power, but need to monitor infrastructure. And because it has an OT focus, we’ve also gotten some interest from municipalities and utilities, such as gas refineries or water treatment plants.
We’ve also had larger organizations, including a federal German agency, who are incorporating Malcolm as part of a new initiative. So it’s been exciting to see the pickup from smaller mom and pop facilities, to global federal agencies.
Why is using open source tools so important?
I’m a huge open source proponent. I think it’s the best way forward for security professionals. We’re so outnumbered by the “bad guys,” who only have to get it right once. We have to get it right all the time.
By sharing information, source code, tools, it gives us more leverage to protect ourselves. If everyone plays their defense cards close to their chest, it may benefit them, but it weakens the security standpoint of so many others, including national or state security.
You can also check out the series of video tutorials on using Malcolm here.