Essential Weapons in a Security Researcher's Arsenal: Part 2

In my previous column I presented five commonly used weapons in the arsenals of security researchers. This week, we complete the list with a mix of tools and tool types ranging from the old to the new, including tools unveiled for the first time at the recent Black Hat conference. So once again, without further ado, here are some of the tools researchers keep in their security toolbox:

(What other tools should be included on the list? Feel free to add your ideas in the comments)

For the Kid in You: A Sandbox Environment

You actually got your hands on a copy of Stuxnet and you really want to check it out. Maybe a website is requesting you download a special Flash player, and you first want to ensure its legitimacy. To avoid curiosity killing the cat - or rather, your machine - download that malware into a sandbox environment.

VMware is here to help when it comes to this. Consider the opportunity presented by having multiple servers running different operating systems that you can turn on and off at your whim. You've got malware that targets just a Windows NT system? Download that malicious application to a fresh Windows system. The malware corrupted some system files, you say? No worries, just delete that system. You want to continue testing the malware but would like to work on the system as if certain files were never corrupted? Say no more - just revert to a snapshot of the machine taken before the malware was installed.

All this can definitely be done without breaking the piggy bank, and without a huge office space. With virtualization, all these machines actually reside on one physical box - your local PC - with a bullet-proof partition between one virtual machine and the next to keep each of your applications in its own secluded environment.

For the Landscaper: The Google Diggity Project

This tool comes to us straight from Black Hat. Want to test whether your vulnerable systems and applications are exposed to the Internet? Google might stop you from searching for them. In an attempt to block attackers performing the exact same act, it has also blocked researchers from testing their own systems. Luckily, Stach & Liu came along and built us The Google Hacking Diggity Project. Their tool leverages the Google API to perform Google Hacking without being blocked by Google. In addition, the tool integrates with Google Alerts and Google RSS, so you can receive news about your vulnerable systems being exposed straight to your email account or feed reader. Researchers are left to hope that this is the tool that will at last allow them to build a landscape of their vulnerable systems.

For the Q in You: The DVWS

More fresh news from Black Hat. Researchers have been complaining about the lack of proper testing environments for Web services. Web services define the language in which the client and server exchange information, and the language most typically used is SOAP. The security of Web services is crucial, as they are integrated into the frameworks on which Web apps are built. Silverlight applications, for example, rely on SOAP for client-server communication. If there is a vulnerability in a Web service, potentially all systems containing that service are vulnerable to an attack. What's the new security playground for testing Web applications built on Web services? The Black Hat researchers have demonstrated that it's their Damn Vulnerable Web Services (DVWS).

For Dr. Donald “Ducky” Mallard: v3rity

One more tool from Black Hat. This time, it is all about forensics: tools used by those researchers who enter the crime scene after the data breach has already occurred. The attacker has compromised the server and gotten away with the data, but how do you trace back to the perpetrator? Maybe the attacker left a digital footprint. What methods did the hacker use to navigate her way around the organization's networks - and its defenses? Maybe it was a low-privileged insider who exploited a vulnerability that allowed her to gain administrator privileges. How do you recover corrupted files? Maybe, by putting two and two together, the original details can be restored?

When it comes to the internals of databases, David Litchfield is the guy. With his intimate knowledge of databases, he pieces together parts of the crime scene to respond to breaches. At Black Hat he presented the community with his new database forensics tool: v3rity. This tool promises to present researchers with the complete picture of the nefarious activities done to the database. According to the demo, it pieces together the different telltale signs of a break-in that can be found in the data files, redo logs, undo segments and memory. These are all Oracle concepts. What's the tool for other databases? We'll have to wait on that one.

The Most Important Tool of All: Brains

The first week of August in Sin City proved just that: geeks rule. Keeping ahead of the never-ending threat landscape was never so difficult. Vulnerabilities are increasingly being published, and exploits are carried out within minutes of 0-day releases. Malware writers have never been so sophisticated, and they continue to evade anti-virus tools. Technologies keep changing, allowing for new platforms for attack. Current security controls are being bypassed by new methods developed by hackers. Even budget-less Microsoft is taking off its gloves and requesting help from the public. It takes the brainiest people to research, analyze, develop and provide the necessary security solutions. That - and keeping in mind that Google is your best friend.

As you can imagine, choosing ten tools - and categories of tools - was not so simple. Any thoughts about what other tools should be included on the list? Feel free to add your ideas to the comment section.

Next Column...

These were just ten tools out of the hundreds used by researchers. They focused on the security of the systems themselves. But what about a system under attack? How can that be mitigated? Stay tuned for my next column, when I discuss the value of reputation-based controls.

Noa is a private consultant specializing in building thought leadership teams within tech companies. She is one of SecurityWeek's first columnists, with previous columns focusing on trends in the threat landscape. Her current interests lie on the business side of security. Noa has worked for Imperva as a Sr. Security Strategist and, before that, as a Sr. Security Researcher. She holds a Masters in Computer Science (specializing in information security) from Tel-Aviv University.