6 open source tools to defend your position


Have you ever played computer games like Halo or Gears of War? If so, you may have noticed a game mode called Capture the flag which pits two teams against each other – one being responsible for protecting the flag from opponents who try to steal it.

This type of exercise is also used by organizations to assess their ability to detect, respond to, and mitigate a cyberattack. Indeed, these simulations are essential for identifying weaknesses in organizations’ systems, people and processes before attackers take advantage of them. By mimicking realistic cyber threats, these exercises allow security practitioners to also refine incident response procedures and strengthen their defenses against evolving security challenges.

In this article we looked, in general terms, at how the two teams compete and what open source tools the defensive side can use. First of all, a very quick reminder of the roles of the two teams:

  • The red team plays the role of the attacker and uses tactics that mirror those of real-world threat actors. By identifying and exploiting vulnerabilities, bypassing the organization’s defenses and compromising its systems, this adversarial simulation provides organizations with invaluable insights into the gaps in their cyber armors.
  • The blue team, for its part, assumes the defensive role since it aims to detect and thwart opposing incursions. This involves, among others, deploying various cybersecurity tools, monitoring network traffic to detect any anomalies or suspicious patterns, reviewing logs generated by different systems and applications, monitoring and collecting data from points individual termination and rapid response to any sign of unauthorized access. or suspicious behavior.

By the way, there is also a purple team which relies on a collaborative approach and brings together offensive and defensive activities. By fostering communication and cooperation between offensive and defensive teams, this joint effort allows organizations to identify vulnerabilities, test security controls, and improve their overall security posture with an even more comprehensive and unified approach .

Coming back to the blue team, the defensive team uses a variety of open source and proprietary tools to fulfill its mission. Now let’s look at some tools from the first category.

Network Analysis Tools


Designed to efficiently manage and analyze network traffic data, Arkimé is a large-scale packet search and capture (PCAP) system. It has an intuitive web interface to browse, search and export PCAP files while its API allows you to directly download and use session data in PCAP and JSON format. In doing so, it allows data to be integrated with specialized traffic capture tools such as Wireshark during the analysis phase.

Arkime is designed to be deployed on multiple systems at once and can scale to handle tens of gigabits/second of traffic. PCAP’s handling of large amounts of data is based on the available sensor disk space and the scale of the Elasticsearch cluster. Both of these features can be extended as needed and are under the full control of the administrator.



Sniff is an open source intrusion prevention system (IPS) that monitors and analyzes network traffic to detect and prevent potential security threats. Widely used for real-time traffic analysis and packet logging, it uses a series of rules that help define malicious activities on the network and allows it to find packets that match such suspicious or malicious behavior and generates alerts for administrators.

According to its homepage, Snort has three main use cases:

  • packet tracing
  • packet logging (useful for debugging network traffic)
  • Network Intrusion Prevention System (IPS)

For detecting network intrusions and malicious activities, Snort has three sets of global rules:

  • rules for community users: those that are accessible to any user without any cost or registration.
  • rules for registered users: By registering with Snort, the user can access a set of rules optimized to identify much more specific threats.
  • Rules for Subscribers: This set of rules not only allows for more accurate threat identification and optimization, but also comes with the ability to receive threat updates.

Incident management tools

The Beehive

The Beehive is a scalable security incident response platform that provides a collaborative and customizable space for incident management, investigation and response activities. It is tightly integrated with MISP (Malware Information Sharing Platform) and facilitates the tasks of Security Operations Center (SOC), Computer Security Incident Response Team (CSIRT), Emergency Response Team (CERT) and any other security professional confronted with security incidents that must be analyzed and implemented quickly. As such, it helps organizations manage and respond to security incidents effectively.

There are three features that make it so useful:

  • Collaboration: The platform promotes real-time collaboration between analysts (SOC) and Computer Emergency Response Team (CERT). It facilitates the integration of ongoing investigations into cases, tasks and observables. Members can access relevant information and special notifications for new MISP events, alerts, email reports and SIEM integrations further enhance communication.
  • Elaboration: The tool simplifies the creation of folders and associated tasks thanks to an efficient template engine. You can customize metrics and fields through a dashboard, and the platform supports marking essential files containing malware or suspicious data.
  • Performance: Add one to thousands of observables to each case created, including the ability to import them directly from a MISP event or any alert sent to the platform, as well as customizable classification and filters.
The Beehive

Rapid response from GRR

Rapid response from GRR is an incident response framework that enables live remote forensic analysis. It remotely collects and analyzes forensic data from systems to facilitate cybersecurity investigations and incident response activities. GRR supports the collection of different types of forensic data, including file system metadata, memory contents, registry information, and other crucial artifacts for incident analysis. It is designed to handle large-scale deployments, making it particularly suitable for businesses with diverse and extensive IT infrastructures.

It consists of two parts, a client and a server.

The GRR client is deployed on the systems you want to study. On each of these systems, once deployed, the GRR client periodically polls the GRR front-end servers to check if they are working. By “working” we mean performing a specific action: downloading a file, enumerating a directory, etc.

The GRR server infrastructure consists of several components (frontends, workers, UI servers, Fleetspeak) and provides a web GUI and API endpoint that allows analysts to schedule actions on clients and display and process the collected data.


Analyze operating systems


HELP, or The Hunting ELK, is designed to provide a comprehensive environment for security professionals to conduct proactive threat hunting, analyze security events, and respond to incidents. It leverages the power of the ELK stack along with additional tools to create a versatile and extensible security analytics platform.

It combines various cybersecurity tools into a unified platform for threat hunting and security analysis. Its main components are Elasticsearch, Logstash and Kibana (ELK stack), which are widely used for log and data analysis. HELK extends the ELK stack by integrating additional security tools and data sources to enhance its threat detection and incident response capabilities.

Its focus is research, but thanks to its flexible design and core components, it can be deployed in larger environments with the appropriate configurations and scalable infrastructure.



THE Volatility framework is a collection of tools and libraries for extracting digital artifacts from, you guessed it, a system’s volatile memory (RAM). It is therefore widely used in digital forensics and incident response to analyze memory dumps of compromised systems and extract valuable information related to ongoing or past security incidents.

As it is platform independent, it supports core dumps of various operating systems including Windows, Linux, and macOS. Indeed, Volatility can also analyze memory dumps of virtualized environments, such as those created by VMware or VirtualBox, and thus provide information on the state of the physical and virtual system.

Volatility has a plugin-based architecture – it comes with a rich set of built-in plugins that cover a wide range of forensic analyses, but also allows users to extend its functionality by adding custom plugins.



So this is it. It goes without saying that blue and red team exercises are essential for assessing the readiness of an organization’s defenses and, as such, are essential for a strong and effective security strategy. The wealth of information collected throughout this exercise provides organizations with a holistic view of their security posture and allows them to evaluate the effectiveness of their security protocols.

Additionally, blue teams play a key role in cybersecurity compliance and regulation, which is especially critical in highly regulated industries, such as healthcare and finance. Blue/Red Team exercises also provide realistic training scenarios for security professionals, and this hands-on experience helps them hone their real-world incident response skills.

Which team will you join?

Leave a comment