Beruflich Dokumente
Kultur Dokumente
B E
TO
OPEN SOURCE
INCIDENT RESPONSE
TOOLS & RESOURCES
Beginners Guide to Open
Source Incident Response
Tools & Resources
Any discussion of incident response deserves a close look
at the tools that youll need for effective incident detection,
triage, containment and response. In this beginners guide,
youll read about the best open source tools for each
function, well share resources for how to learn how and
when to use them, and well explain how to determine the
attack source. That way, youll know the right decision to
make at each stage of the investigation.
The Three As of Incident Response
In order to be effective in defending your companys network,
youll need the right Ammunition, youll aspire to identify
proper Attribution, and youll focus on increasing Awareness as
a way to reduce the volume and impact of cyber incidents on
your company. Still not clear on the As? Read on...
A
AMMUNITION: Most incident responders will want to spend
most of their time here, downloading and customizing incident
response tools. Why? Because its fun, and thats what cyber
geeks tend to like to do code. Well use the OODA loop
framework so youll know when to use which tool and why.
2
Ammunition:
Incident Response Tools & the OODA Loop
Its not unusual to see a lot of InfoSec Imagine youre a pilot in a dogfight. You
warriors use military terms or phrases to need a tool to determine the best way to act
describe what we do. Things like DMZ as quickly as possible when youre under
and command and control are obvious attack. Its a useful analogy when applied to
examples, but one of the best that Ive seen selecting incident response tools.
for incident response is the OODA Loop.
Developed by US Air Force military strategist In this section well look at open source tools
John Boyd, the OODA loop stands for and why you need them in each stage of the
Observe, Orient, Decide, and Act. OODA loop.
OODA Loop
3
OBSERVE
Use security monitoring to identify anomalous
OBSERVE behavior that may require investigation.
Log Analysis, Log Logs are your richest source for OSSIM (open source
Management, SIEM understanding whats going on in your security information
network, but youll need an IR tool that management)
makes sense of all of those logs, and
thats what log analysis is all about.
4
OBSERVE
Use security monitoring to identify anomalous
OBSERVE cont. behavior that may require investigation.
5
ORIENT
Evaluate whats going on in the cyber threat landscape & inside your company.
ORIENT Make logical connections & real-time context to focus on priority events.
6
DECIDE
Based on observations and context, choose the best
DECIDE tactic for minimal damage and fastest recovery.
You Companys There are no Decide tools, and until AI Your good ol noggin
Corporate Security is truly a thing, well keep having to do
Policy*; Hard Copy what humans do, use our brains. Decide
Documentation based on the information you have at your
(notebook, pen, and disposal, which includes the tools above, as
clock) well as your own companys security policy.
* If you havent written a corporate security policy yet, and need assistance, you can contact a
few associations for free resources and guidance like Educause. In addition to Charles Cresson
Woods Information Security Policies Made Easy, there are also a number of vendors who sell
information security policy templates, heres one example.
7
ACT
Remediate and recover. Improve incident response
ACT procedures based on lessons learned.
Data Capture & Data Capture & Incident Response SANS Investigative
Incident Response Forensics tools is a broad category that Forensics Toolkit
Forensics Tools covers all types of media (e.g. memory (SIFT)
forensics, database forensics, network Sleuthkit
forensics, etc.). Incident Response
Forensics tools examine digital media
with the aim of identifying, preserving,
recovering, analyzing and presenting facts
and opinions about the digital information,
all designed to create a legal audit trail.
System Backup & System backup and recovery and patch Opsi (Open PC
Recovery Tools management tools might be something Server Integration)
Patch Management youve already got in place, but its important
and Other Systems to include them here since an incident is
Management when youll likely need them most.
8
Attribution:
Identifying Ownership on the Anonymous Internet
One of the most underrated IR tools is one Who is this and what do they want?
of the most obvious, if you start thinking The challenge for the incident responder
about infosec like Sherlock Holmes would. is that someones identity on the Internet
Uncovering a mystery for Sherlock started is exceedingly difficult to determine with
and ended with the motivation and attribution any reliability and certainty on your own.
of the criminal under investigation. IP address and domain ownership arent
terribly easy to interpret, and as you likely
know, anyone can easily anonymize their
connection through proxies and other means.
In social psychology, attribution
is the process by which That said, there are certain tricks and tools
individuals explain the causes you can deploy to get better insight into
of behavior and events. who and where these nefarious characters
are, and more on what they want and the
techniques they deploy to get it.
9
Question #1: Which network does an IP address belong to?
Answer Resources
Public IP addresses are sold to organizations in blocks Youre likely familiar
of varying sizes. Just as how Domain names have their with the concept of RFC
registration information listed with a registrar, public 1918 addresses that are
IP networks have the information available publicly via dedicated for use on trusted
network registrars. networks, behind firewalls
and other gateway devices
ARIN (North America) vs. the open Internet. If not,
APNIC (Asia-Pacific) you can read more about
RIPE (Europe, Russia and the Middle East) this here:
AFRINIC (Africa) http://en.wikipedia.org/wiki/
LACNIC (Latin America) Regional_Internet_registry
10
Question #2: How do I find all networks that belong to an organization?
Resources Answer
The CIDR Report website Organizations are free to use their assigned IP space
is the easiest publicly wherever they wish, but to make it reachable over the
accessible tool for listing all Internet, they must inform other major Internet-connected
networks currently assigned routers how to reach that IP space, via Border Gateway
to an Autonomous System. Protocol (BGP).
Resources Answer
https://www.robtex.com/ is Because the resolution of a domain name to an IP
an excellent multi-purpose address is controlled by the owner of the domain, there
tool for information about is no central registry of mappings. There are however
domains, addresses, and independent projects that map the Internet and maintain
networks. public registries of the most recently-seen mapping of
domain to address.
http://domainbyip.com/
provides a free lookup
service for domains pointing
to a single IP address.
http://www.domaintools.com/
is a commercial service
that provides a wealth
of information (including
historical information) about
domains.
11
Question #4: How do I find the location of an IP address?
Answer Resources
Several services attempt to maintain registries of http://www.maxmind.com is
approximate mappings of the physical location of the recognized as somewhat of
organization, network or system an IP address is currently the defacto industry leader
assigned to. for this service they offer a
limited free service with more
Insider tip: Physical Location of an IP address is of detailed information offered
somewhat limited value to the DFIR analyst in most on a subscription basis.
aspects of their work. The organization that owns the
address space is usually of more relevance for identifying http://freegeoip.net/ is a
connections between addresses. Information networks community-funded service
are not limited by geographic boundaries. that provides automation
services and detailed
location information.
Answer Resources
IP addresses are, by their nature, a logical not physical AlienVault OTX
identifier networks can be re-assigned from one side of
the planet to another, within a few hours at the very most.
12
Awareness:
Security is Everyones Job
WIKIP E D IA
13
About AlienVault
AlienVault has simplified the way organizations detect and
respond to todays ever evolving threat landscape. Our
unique and award-winning approach, trusted by thousands of
customers, combines the essential security controls of our all-
in-one platform, AlienVault Unified Security Management, with
the power of AlienVaults Open Threat Exchange, the worlds
largest crowd-sourced threat intelligence community, making
effective and affordable threat detection attainable for resource-
constrained IT teams. AlienVault is a privately held company
headquartered in Silicon Valley and backed by Trident Capital,
Kleiner Perkins Caufield & Byers, Institutional Venture Partners,
GGV Capital, Intel Capital, Jackson Square Ventures, Adara
Venture Partners, Top Tier Capital and Correlation Ventures.
Next Steps
Explore AlienVault USM Online Demos
Watch a Quick
Overview Video