On this page we feature software components that partners of the COSSAS initiative have released through their own GitHub repositories. These components align well with the automation objectives expressed in our mission and some have a direct link with software components that we have released ourselves.
ACT is a graph-based Threat Intelligence Platform that enables the collection, analysis and sharing of threat intelligence. It is the result of the Semi-Automated Cyber Threat Intelligence (ACT) project, a mnemonic-led joint research effort together with the University of Oslo, NTNU, the Norwegian Security Authority (NSM), KraftCERT and Nordic Financial CERT.
The Adversary Emulation Planner (AEP) can be used to automatically build an ordered set of attack stages, with the MITRE ATT&CK techniques executed during each stage. The output is a set of attack stages that shows all possible techniques an adversary might execute during each stage. To decide in which stage a technique belongs, promises are used as access tokens for the execution of techniques: each technique defines the set of promises required to execute it (pre-conditions) and the set of promises it provides upon execution (post-conditions). The AEP software was developed in the pan-European SOCCRATES innovation project (EU Horizon 2020 programme).
CACAO Roaster is a community-driven web application that can be used to generate, modify, verify and sign CACAOv2 security playbooks in a “no-code” graphical manner. It is fully compliant with the CACAO v2 CS01 specification, which was developed by OASIS Open as a common machine-readable framework for orchestrating and automating cybersecurity course-of-action playbooks.
Cerebrate is an open-source platform meant to act as a trusted contact information provider and interconnection orchestrator for other security tools (such as MISP and other open source security tools).
D4 is a large-scale distributed sensor network to monitor DDoS and other malicious activities, relying on an open and collaborative project. The D4 project is a set of open source components for building your own sensor network from scratch, from the sensors up to the analysis.
Dissect is a framework consisting of several Python libraries and tools to facilitate enterprise-scale incident response and forensics. It supports the analyst from the moment artifacts are acquired, through normalization and processing, to analysis. Dissect frees you from the limitations of data formats and platforms and takes away concerns about how to access your investigation data. Analysts can focus on performing analysis, developing analysis plugins or performing innovative research. The flexibility of Dissect also means that it can be used beyond incident response and forensics of classic computer systems: anything that has a filesystem, such as phone backups or embedded device firmware, can be a target for analysis and workflow automation.
LookyLoo is a web interface that scrapes a website and then displays a tree of the domains calling each other. LookyLoo can perform web forensic analysis while providing integration with other open source tools such as MISP.
MISP: Open Source Threat Intelligence Sharing Platform & Open Standards for Threat Information Sharing. MISP is a complete open source solution for handling intelligence (from cyber security, threat intelligence and fraud to counter-terrorism), from its collection, storage and visualisation to sharing and collaboration.
Pandora is an analysis framework to discover whether a file is suspicious and to conveniently show the results. It is a flexible, open source framework for integrating external tools that check files. Reports and analyses can be shared with MISP.