Chapter Four
Incident Response Tools
Any discussion of incident response deserves a close look at the tools you’ll need for effective incident detection, triage, containment and response. We’ll cover the best tools for each function, point you to resources for learning how and when to use them, and explain how to determine where an attack is coming from. That way, you’ll know the right decision to make at each stage of the investigation.
The Three A’s of Incident Response
In order to be effective in defending your company’s network, you’ll need the right Ammunition, you’ll aspire to identify proper Attribution, and you’ll focus on increasing Awareness as a way to reduce the volume and impact of cyber incidents on your company. Still not clear on the A’s? Read on...
Ammunition: Most incident responders will want to spend most of their time here, downloading and customizing incident response tools - open source as well as proprietary. Why? Because it’s fun, and that’s what cyber geeks tend to like to do… code. We’ll mostly cover open source incident response tools in this chapter, and we’ll also use the OODA loop framework from Chapter Two so you’ll know when to use which tool and why.
Attribution: Understanding where an attack is coming from can help you understand an attacker’s intention as well as their technique, especially if you use real-time threat intelligence to do so. We’ll cover the basics of attribution, and include some free and open resources to keep you updated on who might be attacking your company based on the latest collaborative threat intelligence.
Awareness: The most fundamental security control is an educated and aware user. While we plan to go deep into incident response training in the next chapter, in this chapter we’ll cover some of the highlights you’ll want to consider as you update your security awareness program. The biggest takeaway here is that every incident should be examined as a way to improve your overall security program, with awareness as a key part of that.
Incident Response Tools & the OODA Loop
Disclaimer: Our preference is for open source incident response tools, and so we’ve provided recommendations on some of the best open source options. Keep in mind that your mileage may vary. In some cases, you may need to look at proprietary options for certain capabilities. That said, you’ll have to go somewhere else for recommendations on vendor tools (unless they’re built by aliens, in which case, you’re in the right place).
For a refresher on the OODA loop: check out Chapter Two. Developed by US Air Force military strategist John Boyd, the OODA loop provides an effective framework for incident response.
Observe: Use Security Monitoring To Identify Anomalous Behavior That May Require Investigation.
Log Analysis, Log Management, SIEM
Logs are your richest source for understanding what’s going on in your network, but you’ll need an IR tool that makes sense of all of those logs, and that’s what log analysis is all about.
- OSSIM (open source security information management)
Intrusion Detection Systems (IDS) — Network & Host-based
Intrusion detection systems, host-based (HIDS) and network-based (NIDS), monitor server and network activity in real time. They typically match events and traffic against attack signatures, or against a baseline of normal behavior, and raise an alert when a known attack or suspicious activity appears on a host (HIDS) or on the wire (NIDS).
Netflow Analyzers
Netflow analyzers work from the flow records that routers and switches export: who talked to whom, when, over which protocol and ports, and how many bytes moved, both inside the network and across the border gateways. Flow records don’t carry packet payloads, which is exactly why they scale so well and can be kept for long periods. If you are tracking a particular thread of activity, or just want a proper picture of which protocols are in use on your network and which assets are communicating with each other, netflow is an excellent approach.
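To make the netflow point concrete, here is an added example, not a tool from the original text: a small Python script that parses flow records, summarizes which protocols and ports are actually in use and which assets talk to each other, and flags internal (RFC 1918) hosts reaching the Internet on ports outside an expected set. The record layout, the sample flows and the allowed-port list are assumptions constructed for the example.

```python
"""Summarize NetFlow-style records: protocols in use, who talks to whom,
and internal hosts reaching the Internet on unexpected ports.
Added example for this chapter, not a tool from the original text; the
record layout and the sample flows below are constructed for illustration."""
import ipaddress
from collections import Counter, defaultdict

# Constructed flow records (fields mirror a typical NetFlow v5 export):
# start, src_ip, dst_ip, proto, src_port, dst_port, bytes
SAMPLE_FLOWS = """\
2015-04-01T09:00:01 10.1.2.15 10.1.0.5 UDP 51322 53 180
2015-04-01T09:00:02 10.1.2.15 203.0.113.7 TCP 51330 443 42113
2015-04-01T09:00:05 10.1.2.40 198.51.100.9 TCP 51402 80 1200
2015-04-01T09:01:10 10.1.2.15 198.51.100.23 TCP 51500 4444 9800
2015-04-01T09:01:11 10.1.2.15 198.51.100.23 TCP 51501 4444 10240
2015-04-01T09:02:00 10.1.2.40 10.1.0.9 TCP 51600 445 65000
2015-04-01T09:02:30 10.1.2.99 192.0.2.50 UDP 60000 123 76
"""

# RFC 1918 space: what "internal" means for this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports an internal host is expected to reach on the Internet (assumed).
EXPECTED_EGRESS_PORTS = {53, 80, 123, 443}


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skip blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, src, dst, proto, sport, dport, nbytes = line.split()
        flows.append({
            "start": start,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": proto,
            "sport": int(sport),
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return flows


def protocol_breakdown(flows):
    """Bytes per (proto, dst_port): which services are actually in use."""
    totals = Counter()
    for f in flows:
        totals[(f["proto"], f["dport"])] += f["bytes"]
    return totals


def peer_map(flows):
    """Which assets talk to which: src -> set of dst addresses."""
    peers = defaultdict(set)
    for f in flows:
        peers[str(f["src"])].add(str(f["dst"]))
    return dict(peers)


def unexpected_egress(flows, allowed=EXPECTED_EGRESS_PORTS):
    """Flows from an internal source to an external destination on a port
    outside the allowed set, aggregated per (src, dst, port) so repeated
    beacons to one server show up as a single line with a byte total."""
    agg = Counter()
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]) \
                and f["dport"] not in allowed:
            agg[(str(f["src"]), str(f["dst"]), f["dport"])] += f["bytes"]
    return sorted(k + (v,) for k, v in agg.items())


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for (proto, port), total in protocol_breakdown(flows).most_common():
        print(f"{proto}/{port}: {total} bytes")
    for src, dsts in peer_map(flows).items():
        print(src, "->", ", ".join(sorted(dsts)))
    for src, dst, port, total in unexpected_egress(flows):
        print(f"REVIEW {src} -> {dst}:{port} ({total} bytes)")
```

Run against the constructed flows, the only line that needs review is 10.1.2.15 talking to 198.51.100.23 on TCP/4444 (two flows, 20040 bytes in total); the SMB traffic on 445 stays internal and the DNS, HTTPS and NTP flows hit expected ports. The same three questions (what protocols, which peers, what egress is odd) are what you would ask of a real flow collector, just at a much larger scale.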
Vulnerability Scanners
Vulnerability scanners identify potential areas of risk, and help to assess the overall attack surface area of an organization, so that remediation tasks can be implemented.
Availability Monitoring
A large part of the point of incident response is to limit downtime. So make sure that you have availability monitoring in place, because an application or service outage could be the first sign of an incident in progress.
Web Proxies
Web proxies are usually thought of as being purely for controlling access to websites, but their ability to log what is being connected to is vital. So many modern threats operate over HTTP; being able to log not only the remote IP address, but the nature of the HTTP connection itself (method, URL, user agent, bytes transferred), can be vital for forensics and threat tracking. Even for HTTPS, where the proxy cannot see the request, it still records the destination host and port of the CONNECT tunnel, and that alone answers "who talked to this server?"
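As an added example, not from the original page: parsing Squid-style proxy access log lines to pull out the destination host and port of each request, and flagging the patterns a responder checks first, requests to a bare IP address rather than a hostname, CONNECT tunnels to ports other than 443, and requests the proxy denied. The log lines and the three flagging rules are assumptions constructed for the example.

```python
"""Pull the destination of each request out of Squid-style proxy access.log
lines and flag the patterns a responder checks first. Added example for this
chapter, not a tool from the original text; the log lines and the flagging
rules below are constructed for illustration."""
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Constructed lines in Squid's native access.log layout:
# time elapsed client action/status bytes method url ident hierarchy/peer type
SAMPLE_LOG = """\
1427878800.123    245 10.1.2.15 TCP_MISS/200 4521 GET http://www.example.com/index.html - HIER_DIRECT/192.0.2.10 text/html
1427878801.500   1200 10.1.2.15 TCP_TUNNEL/200 8765 CONNECT login.example.net:443 - HIER_DIRECT/192.0.2.11 -
1427878805.011     90 10.1.2.40 TCP_MISS/200 612 GET http://198.51.100.23/gate.php?id=7 - HIER_DIRECT/198.51.100.23 text/plain
1427878806.300     15 10.1.2.40 TCP_DENIED/403 3510 GET http://bad.example.org/ - HIER_NONE/- text/html
1427878810.700   2300 10.1.2.15 TCP_TUNNEL/200 102400 CONNECT 203.0.113.7:8443 - HIER_DIRECT/203.0.113.7 -
"""

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def destination(method, url):
    """Return (host, port). CONNECT carries 'host:port' instead of a URL;
    every other method carries a full URL."""
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
        return host, int(port)
    parts = urlsplit(url)
    return parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme)


def parse_squid(text):
    """Parse access.log lines into dicts; lines with too few fields are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue
        action, _, status = fields[3].partition("/")
        host, port = destination(fields[5], fields[6])
        records.append({
            "time": float(fields[0]),
            "client": fields[2],
            "action": action,
            "status": int(status),
            "bytes": int(fields[4]),
            "method": fields[5],
            "url": fields[6],
            "host": host,
            "port": port,
        })
    return records


def is_bare_ip(host):
    """True when the request went to an address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def flag(records):
    """One (client, host, port, reason) tuple per rule that fires, in log order."""
    findings = []
    for r in records:
        if r["action"] == "TCP_DENIED":
            findings.append((r["client"], r["host"], r["port"], "denied"))
        if is_bare_ip(r["host"]):
            findings.append((r["client"], r["host"], r["port"], "direct-to-ip"))
        if r["method"] == "CONNECT" and r["port"] != 443:
            findings.append((r["client"], r["host"], r["port"],
                             "connect-nonstandard-port"))
    return findings


def destinations_by_client(records):
    """Which hosts each client reached, with request counts."""
    counts = {}
    for r in records:
        counts.setdefault(r["client"], Counter())[r["host"]] += 1
    return counts


if __name__ == "__main__":
    recs = parse_squid(SAMPLE_LOG)
    for client, host, port, reason in flag(recs):
        print(f"{reason:26} {client} -> {host}:{port}")
```

On the constructed log the rules fire four times: the GET to 198.51.100.23 by IP, the denied request to bad.example.org, and the CONNECT to 203.0.113.7:8443, which trips both the bare-IP rule and the non-443 tunnel rule. None of these is proof of compromise on its own; they are the lines you pivot from into the proxy's full history for that client.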
Orient: Evaluate What’s Going On In The Cyber Threat Landscape & Inside Your Company. Make Logical Connections & Real-Time Context To Focus On Priority Events.
Asset Inventory
In order to know which events to prioritize, you’ll need an understanding of the list of critical systems in your network, and what software is installed on them. Essentially, you need to understand your existing environment to evaluate incident criticality as part of the Orient/Triage process. The best way to do this is to have an automated asset discovery and inventory that you can update when things change (and as we know, that’s inevitable).
Threat Intelligence Security Research
Threat intelligence gives you global information about threats in the real world. Things like indicators of compromise (IoCs), bad reputation IP addresses, command-and-control servers and more, can be applied against your own network assets, to provide a full context for the threat.
- OSSIM (open source security information management)
Decide: Based On Observations & Context, Choose The Best Tactic For Minimal Damage & Fastest Recovery.
Your Company’s Corporate Security Policy*
Hard Copy Documentation (notebook, pen, and clock)
If this section looks familiar, it’s not deja vu… it’s because it IS familiar… These are the same recommendations we made in the Decide section in Chapter Two.
Insider secret: There are no “Decide” tools, and until AI is truly a “thing,” we’ll keep having to do what humans do, use our brains. Decide based on the information you have at your disposal, which includes the tools above, as well as your own company’s security policy.
Act: Remediate & Recover. Improve Incident Response Procedures Based On Lessons Learned.
Data Capture & Incident Response Forensics Tools
Data Capture & Incident Response Forensics tools are a broad category that covers all types of media (e.g. memory forensics, disk and database forensics, network forensics, etc.). Incident response forensics tools examine digital media with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information, and they do so in a way that preserves a chain of custody, so the evidence holds up later in a legal or HR proceeding.
System Backup & Recovery Tools
Patch Mgmt. and Other Systems Mgmt
System backup and recovery and patch management tools might be something you’ve already got in place, but it’s important to include them here since an incident is when you’ll likely need them most.
Security Awareness Training Tools and Programs
Security awareness training tools and programs are an essential way to improve your overall security posture and reduce the likelihood of incidents.
* If you haven’t written a corporate security policy yet, and need assistance, you can contact a few associations for free resources and guidance like Educause. In addition to Charles Cresson Wood’s Information Security Policies Made Easy, there are also a number of vendors who sell information security policy templates, here’s one example.
Identifying Ownership on the Anonymous Internet
One of the most underrated IR tools is one of the most obvious, if you start thinking about infosec like Sherlock Holmes would. Uncovering a mystery for Sherlock started and ended with the motivation and attribution of the criminal under investigation.
Who is this and what do they want?
The challenge for the incident responder is that someone’s “identity” on the Internet is exceedingly difficult to determine with any reliability and certainty on your own. IP address and domain ownership aren’t terribly easy to interpret, and as you likely know, anyone can easily anonymize their connection through proxies and other means.
That said, there are certain tricks and tools you can deploy to get better insight into who and where these nefarious characters are, and more on what they want and the techniques they deploy to get it.
Answer:
Public IP addresses are allocated (and, increasingly, transferred) to organizations in blocks of varying sizes. Just as domain names have their registration information listed with a registrar, public IP networks have theirs published by the Regional Internet Registries (RIRs):
- ARIN (North America)
- APNIC (Asia-Pacific)
- RIPE (Europe, Russia and the Middle East)
- AFRINIC (Africa)
- LACNIC (Latin America)
Each registry runs its own WHOIS service, for networks rather than domains. Here’s a query against ARIN for the address 192.168.3.56:
- NetRange: 192.168.0.0 - 192.168.255.255
- CIDR: 192.168.0.0/16
- OriginAS:
- NetName: PRIVATE-ADDRESS-CBLK-RFC1918-IANA-RESERVED*
- NetHandle: NET-192-168-0-0-1
- Parent: NET-192-0-0-0-0
- NetType: IANA Special Use
Resources:
You’re likely familiar with the concept of RFC 1918 addresses that are dedicated for use on trusted networks, behind firewalls and other gateway devices, rather than on the open Internet. The practical point for the responder: if the "attacker" address in your logs is RFC 1918 space, the traffic originated inside your perimeter (or behind one of your NAT devices), and there is nothing external to attribute; look for the internal host instead. If you’re not familiar with RFC 1918, you can read more about this here:
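Putting the two points above together, here is an added example (not a tool from the original text): a Python helper that first checks whether an address falls in RFC 1918 or other special-use space, so you don’t waste a WHOIS round trip attributing your own printers, and then parses the "Key: value" block an RIR WHOIS server returns into a dict. The special-use list, the constructed response (modelled on the ARIN listing above) and the raw TCP/43 query function are assumptions for the example; the query function is the only part that needs network access.

```python
"""Network WHOIS helper: decide whether an address is worth attributing at
all (RFC 1918 and other special-use space has no external owner), and parse
the key: value block an RIR whois server returns. Added example for this
chapter, not a tool from the original text; the sample response below is
constructed to mirror the ARIN listing in the chapter."""
import ipaddress
import socket

# Special-use blocks (RFC 1918 and RFC 6890) that never identify an external
# party. Assumed list for the example; extend as needed.
SPECIAL_USE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed whois response shaped like the ARIN record for 192.168.3.56.
SAMPLE_RESPONSE = """\
#
# ARIN WHOIS data and services are subject to the Terms of Use
#

NetRange:       192.168.0.0 - 192.168.255.255
CIDR:           192.168.0.0/16
OriginAS:
NetName:        PRIVATE-ADDRESS-CBLK-RFC1918-IANA-RESERVED
NetHandle:      NET-192-168-0-0-1
Parent:         NET-192-0-0-0-0
NetType:        IANA Special Use
Organization:   Internet Assigned Numbers Authority (IANA)
"""


def special_use_block(ip):
    """Return the special-use network containing ip, or None if it is
    ordinary public space that an RIR record can attribute."""
    addr = ipaddress.ip_address(ip)
    for net in SPECIAL_USE:
        if addr in net:
            return net
    return None


def parse_whois(text):
    """Parse 'Key: value' lines into a dict. Comment (#) and blank lines are
    dropped; a key that repeats (e.g. several Comment: lines) collects its
    values into a list."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in fields:
            if not isinstance(fields[key], list):
                fields[key] = [fields[key]]
            fields[key].append(value)
        else:
            fields[key] = value
    return fields


def whois_query(query, server="whois.arin.net", timeout=10):
    """Raw WHOIS over TCP/43 (RFC 3912). Needs network access; the offline
    test below does not call it."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(f"{query}\r\n".encode())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def attribute(ip, response):
    """Summarize what a whois response tells the responder about ip."""
    block = special_use_block(ip)
    fields = parse_whois(response)
    return {
        "ip": ip,
        "special_use": str(block) if block else None,
        "cidr": fields.get("CIDR"),
        "netname": fields.get("NetName"),
        "org": fields.get("Organization"),
        "attributable": block is None,
    }


if __name__ == "__main__":
    print(attribute("192.168.3.56", SAMPLE_RESPONSE))
```

For a real lookup you would call whois_query("192.168.3.56") and feed the result to attribute(); for the RFC 1918 address the local check already tells you the answer, which is the point. Note that ARIN will refer you to another RIR when the block is not theirs, so a production version follows that referral.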
Answer:
Organizations are free to use their assigned IP space wherever they wish, but to make it reachable over the Internet they (or their upstream provider) must announce that space to the rest of the Internet’s routers via the Border Gateway Protocol (BGP).
BGP routes traffic on the Internet by announcing IP prefixes together with the path of Autonomous System (AS) numbers the announcement has passed through. The last AS in that path is the origin AS, the network that actually announced the prefix. Each organization that runs BGP on the Internet is assigned an AS number to identify it.
AS numbers are assigned to a legal entity (e.g. a corporation). A company may hold more than one AS number, but outside of backbone carriers and very large multinationals that is the exception.
Resources:
The CIDR Report website is the easiest publicly accessible tool for listing all prefixes currently announced by a given Autonomous System.
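To show how the prefix-to-AS mapping is actually resolved, here is an added example, not a tool from the original text: a Python routine that takes a table of BGP announcements in "prefix AS_PATH" form, finds the most specific matching prefix for an address (longest-prefix match, as a router does), and reads the origin AS off the end of the AS path, including when the origin has prepended itself several times. It also answers the inverse question the CIDR Report answers: which prefixes does a given AS originate? The table and the AS-to-name mapping are constructed, using documentation and private AS numbers, so they do not name any real network.

```python
"""Resolve an IP address to the Autonomous System that originates it from a
table of BGP announcements: the most specific (longest) matching prefix
wins, and the origin AS is the last AS in the AS_PATH. Added example for
this chapter, not a tool from the original text; the announcement table and
AS names below are constructed."""
import ipaddress

# Constructed announcements in 'prefix  AS_PATH' form, as a route collector
# would show them. AS numbers are documentation (64496-64511) and private
# (64512-65534) numbers, so they do not refer to a real network.
SAMPLE_TABLE = """\
198.51.100.0/24    64500 64512 64530
198.51.100.128/25  64500 64512 64600 64600 64600
203.0.113.0/24     64501 64700
192.0.2.0/24       64501 64512 64530
"""

# Constructed AS-to-organization names. In practice these come from the
# RIR's ASN records or a site such as the CIDR Report.
AS_NAMES = {64530: "Example Hosting Ltd", 64600: "Example Cloud Inc",
            64700: "Example Telecom"}


def parse_table(text):
    """Return a list of (network, as_path) with the path as a list of ints."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        prefix, *path = parts
        routes.append((ipaddress.ip_network(prefix), [int(a) for a in path]))
    return routes


def lookup(ip, routes):
    """Longest-prefix match: return (network, as_path) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, path in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, path)
    return best


def origin_as(ip, routes):
    """Origin AS for ip: the last entry of the best route's AS_PATH.
    A prepended path (origin repeated at the end) still yields one AS."""
    best = lookup(ip, routes)
    return None if best is None else best[1][-1]


def networks_of_as(asn, routes):
    """Inverse question: every prefix a given AS originates."""
    return sorted(str(net) for net, path in routes if path[-1] == asn)


def describe(ip, routes, names=AS_NAMES):
    asn = origin_as(ip, routes)
    if asn is None:
        return f"{ip}: not in table (unrouted or not announced)"
    net = lookup(ip, routes)[0]
    return f"{ip}: {net} originated by AS{asn} ({names.get(asn, 'unknown')})"


if __name__ == "__main__":
    routes = parse_table(SAMPLE_TABLE)
    for ip in ("198.51.100.5", "198.51.100.200", "192.0.2.77", "10.0.0.1"):
        print(describe(ip, routes))
    print("AS64530 originates:", networks_of_as(64530, routes))
```

The two 198.51.100.x addresses make the point: they sit in the same /24, but the more specific /25 is originated by a different AS, so attributing by the covering block alone would name the wrong organization. Real route tables are large (hundreds of thousands of prefixes), so a production version uses a prefix trie rather than a linear scan, but the matching rule is identical.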
Answer:
Because the resolution of a domain name to an IP address is controlled by the owner of the domain, there is no central registry of mappings. There are, however, independent projects (often called passive DNS) that record DNS answers seen across the Internet and maintain public registries of the most recently seen mapping of domain to address, and of every domain that has pointed at a given address.
Resources:
https://www.robtex.com/ is an excellent multi-purpose tool for information about domains, addresses, and networks.
http://domainbyip.com/ provides a free lookup service for domains pointing to a single IP address.
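What those services do at Internet scale can be shown on a handful of records. The following is an added example, not a tool from the original text: a Python passive-DNS index built from observed DNS answers, which for any IP lists the names that have pointed at it (most recently seen first) and, for any name, tells you which address it resolved to at a given point in time. The observations are constructed; the point they illustrate is that the mapping changes, so the answer you need is the one that was current when the incident happened, not the one current today.

```python
"""Build a passive-DNS style index from observed DNS answers: for each IP,
which names have pointed at it and when; for each name, which address it
resolved to at a given time. Added example for this chapter, not a tool from
the original text; the observations below are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed observations: when, qname, rrtype, rdata
SAMPLE_ANSWERS = """\
2015-03-01T10:00:00 update.example.net A 198.51.100.23
2015-03-20T08:30:00 cdn.example.org A 203.0.113.7
2015-03-28T14:05:00 update.example.net A 198.51.100.23
2015-04-01T09:01:10 sync.example-mail.com A 198.51.100.23
2015-04-01T09:05:00 update.example.net A 203.0.113.9
2015-04-01T09:06:00 cdn.example.org CNAME edge.example-cdn.com
"""

ADDRESS_TYPES = ("A", "AAAA")


def parse_answers(text):
    """Return (timestamp, name, rrtype, rdata) tuples; names are normalized."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, name, rrtype, rdata = line.split()
        records.append((datetime.fromisoformat(ts),
                        name.lower().rstrip("."), rrtype, rdata))
    return records


def build_index(records):
    """by_ip: ip -> name -> {first, last, count}; by_name: name -> sorted
    list of (ts, rrtype, rdata)."""
    by_ip = defaultdict(dict)
    by_name = defaultdict(list)
    for ts, name, rrtype, rdata in records:
        by_name[name].append((ts, rrtype, rdata))
        if rrtype in ADDRESS_TYPES:
            seen = by_ip[rdata].setdefault(
                name, {"first": ts, "last": ts, "count": 0})
            seen["first"] = min(seen["first"], ts)
            seen["last"] = max(seen["last"], ts)
            seen["count"] += 1
    for entries in by_name.values():
        entries.sort()
    return {"by_ip": dict(by_ip), "by_name": dict(by_name)}


def names_for_ip(index, ip):
    """Every name observed pointing at ip, most recently seen first."""
    seen = index["by_ip"].get(ip, {})
    return sorted(seen, key=lambda n: seen[n]["last"], reverse=True)


def address_at(index, name, when=None):
    """The address name resolved to as of `when` (latest observation at or
    before that time); with when=None, the most recent observation."""
    best = None
    for ts, rrtype, rdata in index["by_name"].get(name.lower(), []):
        if rrtype in ADDRESS_TYPES and (when is None or ts <= when):
            best = rdata  # entries are sorted, so the last match is newest
    return best


if __name__ == "__main__":
    idx = build_index(parse_answers(SAMPLE_ANSWERS))
    print("198.51.100.23 has hosted:", names_for_ip(idx, "198.51.100.23"))
    print("update.example.net now:", address_at(idx, "update.example.net"))
    print("update.example.net on 2015-03-30:",
          address_at(idx, "update.example.net", datetime(2015, 3, 30)))
```

On the constructed data, 198.51.100.23 has hosted both update.example.net and sync.example-mail.com, which is the kind of shared-infrastructure link that ties two otherwise unrelated indicators together. By 1 April update.example.net had moved to 203.0.113.9; a responder working a March incident who only looked at today’s resolution would chase the wrong server.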
Answer:
Several services attempt to maintain registries of approximate mappings of the physical location of the organization, network or system an IP address is currently assigned to.
Insider tip: The physical location of an IP address is of somewhat limited value to the DFIR analyst in most aspects of their work. The organization that owns the address space is usually far more relevant for identifying connections between addresses. Information networks are not limited by geographic boundaries, and a geolocation result is not evidence of where the person behind the keyboard sits.
Resources:
http://www.maxmind.com is recognized as the de facto industry leader for this service; they offer a limited free service, with more detailed information available on a subscription basis.
http://freegeoip.net/ is a community-funded service that provides automation services and detailed location information.
Answer:
IP addresses are, by their nature, a logical rather than a physical identifier: a network can be re-announced from one side of the planet to the other within hours at the very most.
Most location information about IP addresses is derived from the location of the organization that owns it. A multinational corporation may have networks across 5 continents, but all its address space will likely be registered to the location of the company’s HQ.
Like all information kept up to date via the aggregation of data from multiple sources, geo location Information accuracy will vary from point to point, IP address to IP address.
Security is Everyone’s Job
Security awareness is sort of like motherhood. It’s one of the hardest jobs because it’s the most important yet least respected, and if everyone did it properly, we’d likely put an end to war around the world, right?
In all seriousness, every post-incident examination should include an assessment of your overall security posture especially, the security awareness program. Regardless of the root cause of the incident, it’s still important to revisit how a more security-savvy employee community could have averted the crisis.
This isn’t the part of the guide where we bash dumb users. Seriously. Phishing and spear-phishing campaigns can fool even the most sophisticated users. In fact, an estimated 91% of hacking attacks begin with a phishing or spear-phishing email. This type of tactic fooled a White House employee earlier this year, which is believed to be the source behind a Russian attack against an unclassified system on the US White House’s network.
So examine each investigation with the perspective of understanding where your security awareness program could have prevented that incident, or minimized its impact, if only those lessons, guidelines, or tips were shared with your employees ahead of time.
And speaking of security awareness lessons, guidelines, and tips, read more in our next chapter, Incident Response Training >