November 3rd, 2022
LimaCharlie's integrations with open source cybersecurity tools
At LimaCharlie, we believe that open-source tools have a crucial role to play in the security industry.
This conviction stems, in part, from our company history: LimaCharlie started out as an open-source endpoint detection and response (EDR) project. But beyond that, we think that the future of cybersecurity will be marked by the values of open-source tech; by a trend towards greater openness and transparency. This is what lies behind our unique approach to cybersecurity: an infrastructure-first, engineering-centric model that we call security infrastructure as a service (SIaaS).
In this post, we’re going to talk about how LimaCharlie integrates with a number of open-source cybersecurity tools—and how these tools can be used in combination with a SIaaS approach to help security companies grow and thrive.
Public directories for open-source tools
There are a lot of resources out there for anybody who wants to take advantage of them. Open-source cybersecurity tools can be used to create a solid security posture and can be a great way to learn the primitives of security. There are hundreds, if not thousands, of cybersecurity-focused open-source tools. The following is a list of curated open-source project directories from various sources.
LimaCharlie’s integrations with open-source tools
At present, LimaCharlie offers a catalog of 100+ cybersecurity capabilities. Integrations with open-source tools play an important part in this growing security ecosystem. Here are a few of the most important open-source tools supported by our platform—as well as some thoughts on how they work well with an SIaaS approach:
Velociraptor is an open-source endpoint monitoring and digital forensics and incident response (DFIR) platform. It can be used for a number of common DFIR tasks:
Digital forensics work to reconstruct attacker activity and incident timelines
Investigating suspicious network or user activity
Determining the extent of a breach and/or whether exfiltration has occurred
Velociraptor is built around the Velociraptor Query Language (VQL), a query language purpose-built for DFIR work. VQL is designed to handle the detection of indicators of compromise (IOCs) at scale and to simplify remediation.
Velociraptor’s developers call the units in which VQL is deployed “Artifacts.” These are YAML text files that package custom VQL queries, together with their parameters, for DFIR work.
Using LimaCharlie, Velociraptor Artifacts can be deployed and run as a service on as many endpoints as needed—quickly, at scale, and through a single platform.
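The following is a constructed example of what such an Artifact looks like; it is not a LimaCharlie or Velociraptor project artifact. It assumes the standard Velociraptor artifact layout (name, parameters, sources) and the built-in VQL functions pslist(), hash() and split(), and it covers the first DFIR task listed above: enumerating processes by name or command line and comparing each binary's SHA256 against a list of known-bad hashes (the default hash values are placeholders).

```yaml
# Constructed example artifact, not part of LimaCharlie or the Velociraptor
# artifact exchange. Hunt for running processes whose name or command line
# matches a regex, report the SHA256 of the backing binary, and optionally
# restrict results to binaries whose hash appears in a known-bad list.
name: Custom.Example.SuspiciousProcesses
description: |
  Lists running processes matching a name and/or command-line regex and
  reports the SHA256 of each executable. When KnownBadHashes is set, only
  processes whose binary hash is in that list are returned.
type: CLIENT
parameters:
  - name: ProcessRegex
    description: Regex applied to the process name ("." matches everything).
    default: .
  - name: CommandLineRegex
    description: Regex applied to the full command line.
    default: .
  - name: KnownBadHashes
    description: >
      Comma-separated SHA256 values to match against. Placeholder values
      below are NOT real indicators; replace them with your own IOC list,
      or leave empty to report every matching process.
    default: ""
sources:
  - query: |
      -- Turn the comma-separated parameter into a list once per run.
      LET bad = split(string=KnownBadHashes, sep=",")

      SELECT Pid, Ppid, Name, Exe, CommandLine, Username,
             hash(path=Exe).SHA256 AS Sha256
      FROM pslist()
      WHERE Name =~ ProcessRegex
        AND CommandLine =~ CommandLineRegex
        AND (KnownBadHashes = "" OR Sha256 IN bad)
```

Processes without a readable executable path (kernel threads, exited parents) yield a null Sha256 and are still listed when no hash list is supplied, so the artifact stays useful for timeline reconstruction as well as IOC sweeps.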
Using an open-source tool like Velociraptor in combination with LimaCharlie’s SIaaS model gives DFIR firms a powerful competitive advantage, because SIaaS handles the pricing and delivery of cybersecurity tools and infrastructure in much the way that AWS or Azure does with web infrastructure.
This means that DFIR teams are able to land in an incident response scenario and have full visibility across a fleet of endpoints in just minutes—all at a predictable price and without having to go through vendor sales teams or other organizational gatekeepers.
And for DFIR companies wanting to expand and offer managed detection and response (MDR) services to their clients, this kind of rapid response capability means that they can offer service-level agreements of around 20 minutes.
YARA, Sigma, and Zeek
YARA, Sigma, and Zeek are important open-source cybersecurity technologies. For anyone who is new to these tools, a very brief introduction:
YARA uses rule-based pattern matching to detect malicious files
Sigma enables rule-based detection of IoCs in log files
Zeek is an open-source tool for analyzing network activity
Together, YARA, Sigma, and Zeek can be leveraged to build a fairly comprehensive endpoint monitoring and detection capability. The fact that this can be done with open-source tools is obviously very helpful to managed security service providers (MSSPs) that want to develop service offerings with good margins and competitive pricing.
But using these tools takes some manual work in order to configure and deploy them effectively. This creates challenges when attempting to do security at scale, or when time and/or developer resources are limited.
The SIaaS model, however, is cloud-first and DevOps oriented, which makes it easier for security teams to use these tools efficiently and in a way that scales. LimaCharlie offers integrations for YARA, Sigma, and Zeek, which means users can:
Automate detection, alerting, and response without needing to perform heavy manual configuration
View and correlate telemetry from open-source tools in a unified data format and via a single pane of glass
Roll out new detections at scale with a few clicks and, longer term, implement advanced cybersecurity disciplines such as detection engineering
To learn more about how LimaCharlie integrates with YARA, Sigma, and Zeek, see the following resources:
AlienVault OTX and MISP lists
AlienVault OTX and MISP are an excellent way for the cybersecurity community to share information about specific threats and threat actor activity. With OTX and MISP, individual security practitioners have access to timely information about emerging threats and an extensive database of IoCs to help with detection and response.
In LimaCharlie, users can subscribe to relevant OTX and MISP feeds as needed and import them into the LimaCharlie cloud in order to incorporate open-source intelligence into their security stack.
The ability to access open-source threat intelligence with a click is particularly helpful for security firms that want to leverage the flexibility and customizability of an SIaaS platform like LimaCharlie in order to expand. For example, if a company is pivoting into a new market — or simply onboarding a new client that operates in a relatively unfamiliar industry — resources like OTX and MISP make it possible for them to lean on the knowledge and experience of the security community as a whole in order to provide coverage against likely threats.
For more information and an example of how this works in practice, see:
Atomic Red Team
Atomic Red Team is an open-source library of automated tests that can be used to evaluate an organization’s security posture in an objective, reproducible way. Mapped to the MITRE Corporation’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework, Atomic Red Team is an important tool for security teams committed to provable security—one of the hallmarks of the emerging engineering approach to cybersecurity.
When cybersecurity professionals are working on an SIaaS platform like LimaCharlie, Atomic Red Team tests can be run on any or all endpoints with just a few clicks or automated completely. This means less time spent setting up and running tests; finer-grained control over what tests are run and how; and better, more comprehensive coverage.
To learn more about how Atomic Red Team is used with LimaCharlie, and what we envision for the future of security testing automation, see:
How LimaCharlie supports open-source cybersecurity
Open-source cybersecurity tools add tremendous value to the LimaCharlie platform — and the open-source ethos is representative of the path we’d like to see the security industry take in the future.
Phishing Database, an open-source repository of phishing domains, URLs, and threats updated on the hour
The Ultimate Nginx Bad Bot Blocker, an open-source tool for website owners designed to block malicious bots and user-agents, spam referrers and adware, ransomware and more
IntelOwl, an open-source tool that lets users get threat intelligence about a file, IP address, or domain from multiple sources via a single API
In addition to direct support for open-source projects, we also offer a full-featured free tier of LimaCharlie to help students, researchers, and security professionals who would like to learn more about security infrastructure as a service.