There are many useful open source infosec tools for tasks like network administration, malware analysis, forensics and incident response. Sometimes analysis is done by dedicated cyber security analysts, but often people need these tools only occasionally. How do we serve occasional users whose profession is not cyber security per se, but who have to deal with these issues alongside their real jobs? This is a very real and inspirational pain point that we identified in the multi-national EU project CS-AWARE (a cybersecurity situational awareness and information sharing solution for local public administrations). Fortunately we have had the opportunity to leverage our work with professional analysts from the Finnish National Cyber Security Center (NCSC-FI) in the common European framework project called CinCan. Our goal has been to make using security tools easy.

All these tools come with different system requirements, for example different Python versions or other dependencies. Installation procedures also differ from tool to tool. This means that preparing a set of tools for a task may be very laborious and time-consuming. The problem can be solved by virtualization, using either virtual machines or containers.

Infosec-specific distributions

There are a few specialized OS images which come with a set of open source infosec tools pre-installed. Each distribution has a different focus, so the set of tools varies. Examples are the Linux-based Kali (https://www.kali.org/) and BlackArch (https://blackarch.org), and the FlareVM (https://github.com/fireeye/flare-vm) virtual image for Windows.

The downside of these approaches is that they force you to use the specific OS distribution, which may not be what you would like to use. When you only want to pick specific tools while continuing to use your favorite flavor of OS, you can turn to containers.

Containers

Containers, often Docker containers, provide more lightweight virtualization than virtual OS images. Containers are usually a way to run services in an isolated manner, but they can also be used to run tools, such as open source infosec tools.

You can solve the conflicting dependencies of different tools by running each of them in a different container. Creating containerized applications is often easy, but sometimes it may take significant effort. Fortunately some tools are already packaged into a container, either by their authors or by other individuals. There are also some projects which have created a set of tool containers, such as the containers with REMnux Linux (https://remnux.org/) and the CinCan project (https://cincan.io/). I am involved with the latter project.

A problem with running a command-line tool from a container is that the tool's input files must also be in the container, and its output files are written to the container. The problem is usually solved by mounting directories into the container, which is cumbersome and somewhat breaks the isolation offered by the container system. In our team we have created the ‘cincan’ command, which tries to solve the problem by moving files in and out of the container so that running a tool in the container is close to the original “tool command line experience”. The ‘cincan’ command also allows listing and seamless downloading of the infosec tool Docker images we have prepared. The command is available in the Python Package Index (https://pypi.org/project/cincan-command/).
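
The difference between mounting a directory and moving files in and out can be sketched with the plain docker CLI. This is an added example, not the ‘cincan’ command's own code and not part of the original post; the function name, the fixed /tmp/input and /tmp/output paths, the optional `--network none` hardening and the alpine:3 stand-in image are assumptions.

```shell
#!/bin/sh
# Added example; not how the 'cincan' command is implemented.
#
# Bind-mount style, for contrast. The container gets read-write access
# to the whole host directory, not just the file being analysed:
#   docker run --rm -v "$PWD:/work" IMAGE tool /work/sample.bin
#
# Copy style: one input file goes in, one result file comes out, and no
# host directory is shared. The paths /tmp/input and /tmp/output inside
# the container are conventions assumed by this sketch.

# usage: run_tool_copy IMAGE HOST_INPUT HOST_OUTPUT COMMAND [ARGS...]
run_tool_copy() {
    image=$1; input=$2; output=$3
    shift 3

    # Create the container without starting it: no -v, no network.
    cid=$(docker create --network none "$image" "$@") || return 1

    status=0
    # Copy the input in, run the tool attached, copy the result out.
    # The chain stops at the first step that fails.
    docker cp "$input" "$cid:/tmp/input" &&
        docker start -a "$cid" &&
        docker cp "$cid:/tmp/output" "$output" || status=$?

    # Always remove the container so the sample does not linger in it.
    docker rm -f "$cid" >/dev/null
    return "$status"
}

# Example call (alpine:3 stands in for a real tool image):
#   run_tool_copy alpine:3 sample.bin sample.sha256 \
#       sh -c 'sha256sum /tmp/input > /tmp/output'
```

The command given to the function must read /tmp/input and write /tmp/output; a wrapper that rewrites file arguments automatically would remove that restriction.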

Closing words

Getting an infosec tool running is often challenging. When using open source infosec tools it is worth looking at virtualization as a way to solve the conflicting tools problem. OS images provide a whole tool environment, while containers allow you to pick and choose tools for your favorite environment. There are tools to help you, so use them!

Rauli Kaksonen