Two ANZ Bank cyber security analysts have released as open source a custom-built tool designed to allow infosec professionals to conduct incident response data analysis at scale.
Over the weekend, ANZ security analysts Daniel Eden and Roshan Maskey published the details of their NightHawk forensic data analysis platform to open source code repository Github.
The application, custom built by the pair, allows for "asynchronous forensic data presentation" on an ElasticSearch backend.
"This application is designed to ingest a Mandiant Redline "collections" file and give flexibility in search/stack and tagging," Eden wrote. Mandiant's free Redline tool is used to investigate system memory and files to discover malicious activity.
The pair decided to create the application after finding they were unable to control hundreds of investigations or endpoints in a single pane of glass (one management console).
They built the "fully-fledged Gopher application" to provide a single view of endpoint forensics for multiple audit types, as well as other features like global search, and bundled it into an ISO disk image for others to easily deploy.
Eden and Maskey recommended those using the tool set up ElasticSearch as dual nodes, with one quarter of the system memory allocated per node, leaving 1GB of RAM for the system to operate on.
They suggested a minimum of 20GB of disk to make sure the system can handle ingesting many, and large, audit collections.
The pair said they had been able to run the application smoothly in development on a single processor Ubuntu virtual machine with 2 GB RAM, with 3 ElasticSearch nodes, on a MacBook Pro.
This setup was capable of ingesting about 50 endpoints, or four million documents, they said.
"If going into production, running a setup with 64/128 GB RAM and SAS storage, you would be able to maintain a lightning fast response time on document retrieval whilst having many analysts working on the application at once," Eden wrote.
ANZ Bank also recently pledged to open source a modelling language it created to cut the process headaches out of documenting its IT systems architecture.
The Python-based Sysl tool provides developers a standard approach to visualising the design of a system, and has cut down their mapping time from weeks to minutes.
