In the overall field of cybersecurity, incident response is the strategy that covers how teams, organizations, and tools respond to security events. Typically, you use an incident response plan (IRP) to outline the practices and resources used during a security event. While there is much to be said about the composition of an IRP, this article focuses on incident response tooling, including an overview of the different categories of IR tools and a review of top open source solutions.
What Is Incident Response?
Incident response (IR) is a strategy you can use to respond to and recover from security incidents. It includes procedures and processes for detecting, identifying, halting, and recovering from an incident. It also typically includes steps to protect your systems from future attacks by applying knowledge gained during response.
Incident response is performed via an incident response team using an incident response plan. The primary goals of both team and plan include reducing the:
- Number of affected systems and users in an incident
- Length and depth of attack
- Amount of damage inflicted by an attack
- Length of recovery time
- Cost of remediation and recovery
Types of Incident Response Tools
When implementing your incident response strategy, there are a variety of tools you can incorporate. These tools can help your teams respond faster and more effectively to most incident types. Many tools can also help you automate monitoring and responses, allowing you to better optimize your resources.
Below is a breakdown of the most commonly used tools:
IR tool type | Tool description | Examples of tools |
---|---|---|
Security information and event management (SIEM) | SIEM solutions collect and aggregate log data from applications, host systems, and network and security tools. They normalize, analyze, and correlate that data to provide insight into system and network events, helping teams identify, investigate, and track possible incidents. | Exabeam, AlienVault OSSIM, IBM QRadar, USM, ESM |
Intrusion detection system (IDS) | An IDS monitors your network (network-based IDS) or individual hosts (host-based IDS) for suspicious activity or known threats. These tools typically combine attack signatures with behavior baselines to identify events, and can forward alerts to a SIEM for centralized correlation. | Snort, Suricata, Zeek (formerly Bro), OSSEC (host-based) |
NetFlow analyzer | NetFlow analyzers evaluate network traffic internally and across your perimeter using flow records rather than full packet captures. They let you track activity as it traverses your network, including the protocols used and the assets accessed, which is useful for scoping lateral movement during an incident. | ntop, NfSen, nfdump |
Vulnerability scanner | Vulnerability scanners assess your systems for known issues and vulnerabilities, such as out-of-date software or misconfigurations. They provide an inventory of your exposure and recommendations for remediating issues, which helps prioritize patching after an incident. | OpenVAS |
Availability monitoring | Availability monitoring tools help you monitor your networks to identify the status of applications or devices. These tools can help you identify drops in performance or device failures early on to limit the impact on your systems and services. | Nagios |
Web proxy | Web proxies enable you to control what websites are accessed through your network and to log what connections are made. These tools can help you track threats that stem from HTTP connections. | Squid Proxy, IPFire |
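The IDS and NetFlow rows above describe two detection techniques, attack signatures and behavior baselines, without showing what either looks like in practice. The script below is an added example, not code from the original article or from Snort, Suricata or nfdump: a toy detector that applies both techniques to constructed NetFlow-style records. The `Flow` fields, the two signature rules, the port-scan threshold, and the sample traffic are all assumptions made for this illustration.

```python
"""
Added example (not from the original article or from any IDS/NetFlow project):
signature matching plus a behaviour baseline (port-scan detection) over
constructed NetFlow-style records.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int          # flow start, seconds since epoch (constructed)
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int


# Signature rules: exact-match fields, the way a Snort/Suricata rule header
# matches on protocol, addresses and ports. Hypothetical rules for this example.
SIGNATURES = [
    {"name": "Telnet to internal host", "proto": "tcp", "dport": 23},
    {"name": "SMB from workstation subnet", "proto": "tcp", "dport": 445,
     "src_prefix": "10.20."},
]


def match_signatures(flow):
    """Return the names of every signature the flow matches."""
    hits = []
    for sig in SIGNATURES:
        if flow.proto != sig["proto"] or flow.dport != sig["dport"]:
            continue
        if "src_prefix" in sig and not flow.src.startswith(sig["src_prefix"]):
            continue
        hits.append(sig["name"])
    return hits


def detect_port_scans(flows, window=60, min_ports=10):
    """Behaviour baseline: one source touching >= min_ports distinct ports on
    one destination within `window` seconds is outside normal client behaviour.
    A sliding window over the time-sorted flows keeps this linear per pair."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    findings = []
    for (src, dst), pair_flows in by_pair.items():
        pair_flows.sort(key=lambda f: f.ts)
        ports_in_window = defaultdict(int)
        left = 0
        for f in pair_flows:
            ports_in_window[f.dport] += 1
            while f.ts - pair_flows[left].ts > window:  # evict flows older than the window
                old = pair_flows[left].dport
                ports_in_window[old] -= 1
                if ports_in_window[old] == 0:
                    del ports_in_window[old]
                left += 1
            if len(ports_in_window) >= min_ports:
                findings.append({"src": src, "dst": dst,
                                 "distinct_ports": len(ports_in_window),
                                 "first_seen": pair_flows[left].ts, "flagged_at": f.ts})
                break  # one finding per pair is enough for triage
    return findings


def analyze(flows):
    """Run both detectors and return one report, as an IDS would before handing alerts to a SIEM."""
    sig_alerts = [{"flow": f, "signature": name} for f in flows for name in match_signatures(f)]
    return {"signature_alerts": sig_alerts, "port_scans": detect_port_scans(flows)}


# Constructed sample traffic: one workstation sweeping ports 440-451 on a server
# (which also trips the SMB signature on port 445), one Telnet session, and one
# benign HTTPS flow to a TEST-NET address.
SAMPLE_FLOWS = (
    [Flow(1000 + i, "10.20.0.5", "10.0.0.9", 440 + i, "tcp", 60) for i in range(12)]
    + [Flow(1100, "10.20.0.7", "10.0.0.3", 23, "tcp", 512),
       Flow(1101, "10.20.0.7", "203.0.113.10", 443, "tcp", 2048)]
)

if __name__ == "__main__":
    report = analyze(SAMPLE_FLOWS)
    for a in report["signature_alerts"]:
        print(f"[SIG] {a['signature']}: {a['flow'].src} -> {a['flow'].dst}:{a['flow'].dport}")
    for s in report["port_scans"]:
        print(f"[BASELINE] port scan {s['src']} -> {s['dst']}: "
              f"{s['distinct_ports']} ports by t={s['flagged_at']}")
```

The signature detector only ever fires on what it was told to look for, so the SMB hit is a single alert with no sense of the surrounding sweep; the baseline detector needs no prior knowledge of the attack but is tunable, and shrinking `window` to a few seconds makes the same scan invisible. That trade-off is why real deployments run both and forward the results to a SIEM for correlation.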
Top Open-Source Incident Response Tools
Depending on the level of protection you need and the amount of in-house expertise you have, there are numerous open-source tools you can use. Below are five of the top tools you should consider.
GRR Rapid Response
GRR Rapid Response is an incident response framework, developed by Google, that you can use to investigate incidents and collect forensic evidence remotely. It is composed of an agent (the client) deployed on the systems you want to investigate, and a server that provides a web-based GUI and an API endpoint. GRR is designed to perform forensic analysis at scale and to operate on fleets of hundreds of thousands of machines.
Features of GRR Rapid Response include:
- API client libraries in Python, Go, and PowerShell
- Data export in a variety of formats
- Automated scheduling capabilities
- Asynchronous messaging for scalability
AlienVault OSSIM
AlienVault OSSIM is an open-source SIEM; AlienVault itself was acquired by AT&T and is now part of AT&T Cybersecurity. OSSIM consumes indicators from the AlienVault Open Threat Exchange (OTX) so that its correlation rules run against current, community-shared threat intelligence.
You can deploy AlienVault OSSIM on-premises or as a virtual machine, including in cloud environments. However, the open-source version runs as a single server only; if you need to federate multiple servers, you have to upgrade to the paid version (USM).
Features of AlienVault OSSIM include:
- Asset discovery
- Vulnerability assessments
- Intrusion detection
- Behavior monitoring
- Event correlation
Malware Information Sharing Platform (MISP)
MISP is a threat intelligence platform you can use to gather, store, correlate, and share threat intelligence. This includes indicators of compromise (IoCs), vulnerability information, financial fraud data, and counter-terrorism information. The purpose behind MISP is to enable organizations to help each other identify threats more accurately and detect them sooner, by turning one organization's findings into indicators that others can feed directly into their own IDS, SIEM, or proxy.
Features of MISP include:
- Database of IoCs
- Automated correlation engines
- Flexible data model
- Intuitive user interface
- Ability to export and import data in a variety of formats
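MISP's value during a response is that its IoC database can be exported and matched against your own telemetry. The following is an added example, not code from the original article or from the MISP project: it parses a MISP-style JSON event export into an indicator lookup and matches it against observables pulled from Squid proxy log lines and an endpoint event. The event, the log lines, and the endpoint events are constructed for this illustration; only the field names (`Event`, `Attribute`, `type`, `value`, `to_ids`) and the attribute types follow MISP's export format. The `to_ids` flag is the part worth noticing: MISP uses it to mark which attributes are meant for automated detection, as opposed to analyst context that would produce false positives if alerted on.

```python
"""
Added example (not from the original article or from MISP): load a MISP-style
JSON event, keep the attributes flagged for detection, and match them against
observables extracted from constructed Squid access log lines and EDR events.
"""
import json
from collections import defaultdict
from urllib.parse import urlparse

# Constructed MISP event export (a minimal subset of the real schema).
# The sha256 value is the SHA-256 of the string "test", used as a stand-in.
MISP_EVENT_JSON = json.dumps({"Event": {
    "info": "Constructed example: loader campaign",
    "Attribute": [
        {"type": "domain", "category": "Network activity", "to_ids": True,
         "value": "evil.example"},
        {"type": "ip-dst|port", "category": "Network activity", "to_ids": True,
         "value": "203.0.113.77|80"},
        {"type": "sha256", "category": "Payload delivery", "to_ids": True,
         "value": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
        # Analyst context only: infrastructure noted but NOT flagged for detection.
        {"type": "ip-dst", "category": "Network activity", "to_ids": False,
         "value": "198.51.100.20"},
        {"type": "comment", "category": "Other", "to_ids": False,
         "value": "delivered via phishing attachment"},
    ]}})

# Map MISP attribute types to the kinds of observable we can pull from logs.
# Types not listed here (comment, text, ...) are not matchable and are skipped.
MISP_TYPE_TO_KIND = {"ip-dst": "ip", "ip-src": "ip", "domain": "domain",
                     "hostname": "domain", "md5": "hash", "sha1": "hash",
                     "sha256": "hash", "url": "url"}


def load_iocs(event_json, require_to_ids=True):
    """Return {misp_type: set(values)}. Composite types such as 'ip-dst|port'
    are reduced to their first component; the port is context, not an indicator."""
    event = json.loads(event_json)["Event"]
    iocs = defaultdict(set)
    for attr in event.get("Attribute", []):
        if require_to_ids and not attr.get("to_ids", False):
            continue
        misp_type = attr["type"].split("|")[0]
        value = attr["value"].split("|")[0]
        iocs[misp_type].add(value)
    return dict(iocs)


def build_lookup(iocs):
    """Index indicators as {kind: {lowercased value: misp_type}} for O(1) matching."""
    lookup = defaultdict(dict)
    for misp_type, values in iocs.items():
        kind = MISP_TYPE_TO_KIND.get(misp_type)
        if kind is None:
            continue
        for v in values:
            lookup[kind][v.lower()] = misp_type
    return lookup


def extract_squid_observables(line):
    """Pull (kind, value) pairs from one Squid native-format access log line:
    the requested URL, its host, and the peer the proxy connected to."""
    fields = line.split()
    if len(fields) < 10:
        return []
    url, hierarchy = fields[6], fields[8]
    observables = [("url", url)]
    host = urlparse(url).hostname
    if host:
        observables.append(("domain", host))
    peer = hierarchy.split("/", 1)[1] if "/" in hierarchy else ""
    if peer and peer != "-":
        observables.append(("ip", peer))
    return observables


def match(observables, lookup):
    """observables: iterable of (source, kind, value). Returns the matches."""
    hits = []
    for source, kind, value in observables:
        misp_type = lookup.get(kind, {}).get(value.lower())
        if misp_type:
            hits.append({"source": source, "kind": kind, "value": value, "misp_type": misp_type})
    return hits


# Constructed Squid access log lines (native format) and EDR file events.
SAMPLE_SQUID_LOG = [
    "1700000000.123    245 10.20.0.5 TCP_MISS/200 51234 GET http://evil.example/payload.bin - HIER_DIRECT/203.0.113.77 application/octet-stream",
    "1700000001.456     12 10.20.0.7 TCP_MISS/200 1843 GET http://198.51.100.20/beacon - HIER_DIRECT/198.51.100.20 text/plain",
    "1700000002.789     90 10.20.0.9 TCP_MISS/200 8712 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html",
]
SAMPLE_EDR_EVENTS = [
    {"host": "ws-17", "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
    {"host": "ws-04", "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
]


def run(require_to_ids=True):
    """Build the lookup from the event and sweep the sample telemetry."""
    lookup = build_lookup(load_iocs(MISP_EVENT_JSON, require_to_ids))
    observables = []
    for line in SAMPLE_SQUID_LOG:
        observables += [("squid", k, v) for k, v in extract_squid_observables(line)]
    for ev in SAMPLE_EDR_EVENTS:
        observables.append((f"edr:{ev['host']}", "hash", ev["sha256"]))
    return match(observables, lookup)


if __name__ == "__main__":
    for h in run():
        print(f"{h['source']}: {h['kind']} {h['value']} matches MISP {h['misp_type']}")
```

With the default `require_to_ids=True` the sweep reports the domain and peer IP from the first proxy line and the hash on `ws-17`; the beacon to 198.51.100.20 is ignored because the analyst left that address unflagged. Calling `run(require_to_ids=False)` picks it up as well, which is the behavior you get if an export pipeline drops the flag.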
TheHive
TheHive is a 4-in-1 security incident response platform that integrates with MISP. It is designed to let security teams collaborate on cases in real time, track alerts and tasks from a central dashboard, and automate parts of the response. TheHive incorporates a companion tool, Cortex, whose analyzers enrich observables such as IP addresses, URLs, domains, or file hashes, and whose responders automate actions on them.
Features of TheHive include:
- Integrated analysis engine
- Integrated threat intelligence platform
- Authentication support
- Case and alert management capabilities
- Custom dashboards and reporting
Cyphon
Cyphon is an incident management and response platform that you can use to collect, process, and triage event data. It can ingest data from a wide range of sources, including endpoint agents, IDS solutions, packet captures, vulnerability scanners, and cloud APIs. Cyphon is built as a set of microservices, so to run it you need a host capable of running Docker containers.
Features of Cyphon include:
- Data aggregation
- Centralized dashboard
- Custom alerting with push notifications
- Event prioritization
- Response tracking
Conclusion
As digital transformation continues, more data makes its way into the digital sphere. For attackers this means more to steal, ransom, sell, or turn into cryptomining capacity. However, not every attack needs to result in a breach.
With the help of incident response tooling, you can monitor your devices, systems, and networks continuously. You can configure your IR tools to alert you as an incident unfolds, so you can respond swiftly, contain the attack, and prevent a breach. For efficient response, centralize the controls and tune alerts to produce as few false positives as possible, since every false alert costs analyst time that a real incident needs.