curator-opensearch VS Malcolm

The heavy lifting of this is CISA's Malcom [1]. Unfortunately the blog posts only provides a non-linked bullet to it [2]. Seth Grover, the main driver behind Malcom, put a lot of effort over the years into creating a turnkey soc-in-a-box distro that works especially well for an network-first approach. Endpoint isn't neglected, but the focus on Zeek, Suricata, Arkime shows the primary visibility drivers. This is not surprising, because CISA also developed a bunch of custom ICS protocol dissectors that provide visibility (DNP3, Modbus, etc.). The list is impressive [3]. All of this is turnkey available by running Malcom. Especially for OT, where we have a lot more unmanaged black boxes and networks that you don't wanna actively scan (factories have been brought down this way), passively watching is a safe and powerful approach.

It's a bit unfortunate that Kali didn't give the props to Seth's project (not even an outbound link). Perhaps this was just an oversight, or a spotlight blog post is coming later, but I hope that the history of this gets properly acknowledged, because it's darn clear where this comes from.

[1]: https://github.com/cisagov/Malcolm

[2]: https://www.kali.org/blog/kali-linux-2023-1-release/

[3]: https://cisagov.github.io/Malcolm/docs/protocols.html

Now on the higher end level, I have a laptop I used for packet capture and sniffing. Using a small network tap device, I can hook this inline anywhere one suspects a potential issue. Then use software of your choice to capture and analyze data over a few days. Two I use for this purpose, along with cyber threat analysis are NTOPNG and Malcolm, a very poweful free opensource platform made by a brilliant guy at CISA. Link to git repo here. https://github.com/cisagov/Malcolm