Download HECTOR from https://sites.sas.upenn.edu/sites/default/files/hector-1.0-beta.tar.gz
MD5 SUM - 94b1b5d754568bfae6b54fc5792c735b hector-1.0-beta.tar.gz
Slides from April 16th Philadelphia OWASP presenation on HECTOR: https://sites.sas.upenn.edu/kleinkeane/files/owasp-philly-april2012-hect...
Built on open source technology
CoSign integrated authentication available
Pluggable scan script architecture makes HECTOR extensible
Scales easily to 10,000+ hosts and millions of records
Searchable database of security intelligence
In the practice of information security, security intelligence is an operation analogous to business intelligence. Business intelligence “mainly refers to computer-based techniques used in identifying, extracting, and analyzing business data, such as sales revenue by products and/or departments, or by associated costs and income.” (Wikipedia.org) Security intelligence is the application of these principles to security related data, which is becoming more prolific and available. System event logs, firewall data, networking data, intrusion detection events, and vulnerability reports are all part of the traditional milieu of security data. There are also non-traditional data sources, such as Common Vulnerability Enumerations (CVE), vulnerability announcements, chatter on security mailing lists, trends in darknet data, and malware captures, that can also be applied to the corpus of security data. Aggregating this data is challenging in and of itself, but analysis of this vast array of data becomes extremely valuable, and equally difficult.
HECTOR began as an asset management tool, but was always destined to become a security intelligence and analysis platform. Early development showed the potential for deeper insights through the aggregation of data sources into a single repository. Development has slowly moved toward this goal over the past year.
HECTOR was developed for the School of Arts & Sciences (SAS) in the University of Pennsylvania. HECTOR is intended to be open source, extensible, and customizable to suit a wide variety of needs and environments. Much of the development of HECTOR was driven by the specific operational realities of the information security program in SAS which explains many of the idiosyncratic approaches. For instance, in the University of Pennsylvania a single networking group controls the University networks and therefore security staff within SAS do not have access to taps, span ports, or other mechanisms to view networking data. This forced the development of HECTOR towards client side, or passive information gathering techniques.
HECTOR is designed to fit dynamic array of use cases, but one of the driving operational scenarios has been proactive vulnerability remediation. HECTOR is designed to allow an analyst to spot trends in darknet scanning activity, correlate that activity with known (or unknown) vulnerabilities, cross reference that data with the asset inventory information to quickly identify at-risk assets in the organization and follow up with support providers to mitigate the risk to these assets. For instance, in Spring of 2012 a Microsoft Remote Desktop Protocol (RDP) vulnerability was identified and made public through a variety of open source channels. HECTOR quickly highlighted a rise in scans for port 3389 (the default RDP port). Using HECTOR asset data based on port scans made it possible for a single point in time query to identify all machines with open port 3389 in the environment. These machines were then tested using newly available vulnerability scans. Contact information for vulnerable machines was queried from the HECTOR database and remediation was initiated using the organizations existing ticketing system, all in under 24 hours.
In addition to data about internal assets, HECTOR is also able to collect information about attackers. Logs of malicious activity can be generated from a number of sources, and collecting this data in HECTOR allows investigators to piece together activity across hosts and across an environment over time. This data can prove invaluable in incident response by pinpointing attacker activity across an organization.