This post was originally published here by James Fritz.
Any discussion of incident response deserves a close look at the tools that you’ll need for effective incident detection, triage, containment and response. In this post, you’ll read about the best open source tools for each function, we’ll share resources for how to learn how and when to use them, and we’ll explain how to determine the attack source. That way, you’ll know the right decision to make at each stage of the investigation.
The Three A’s of Incident Response
In order to be effective in defending your company’s network, you’ll need the right Ammunition, you’ll aspire to identify proper Attribution, and you’ll focus on increasing Awareness as a way to reduce the volume and impact of cyber incidents on your company. Still not clear on the A’s? Read on…
AMMUNITION: Most incident responders will want to spend most of their time here, downloading and customizing incident response tools. Why? Because it’s fun, and that’s what cyber geeks tend to like to do… code. We’ll use the OODA loop framework so you’ll know when to use which tool and why.
ATTRIBUTION: Understanding where an attack is coming from can help you understand an attacker’s intention as well as their technique, especially if you use real-time threat intelligence to do so. We’ll cover the basics of attribution, and include some free and open resources to keep you updated on who might be attacking your company based on the latest collaborative threat intelligence.
AWARENESS: The most fundamental security control is an educated and aware user. We’ll cover some of the highlights you’ll want to consider as you update your security awareness program. The biggest takeaway here is that every incident should be examined as a way to improve your overall security program, with awareness as a key part of that.
Ammunition: Incident Response Tools & the OODA Loop
It’s not unusual to see a lot of InfoSec warriors use military terms or phrases to describe what we do. Things like DMZ and “command and control” are obvious examples, but one of the best that I’ve seen for incident response is the OODA Loop. Developed by US Air Force military strategist John Boyd, the OODA loop stands for Observe, Orient, Decide, and Act.
Imagine you’re a pilot in a dogfight. You need a tool to determine the best way to act as quickly as possible when you’re under attack. It’s a useful analogy when applied to selecting incident response tools.
In this section we’ll look at open source tools and why you need them in each stage of the OODA loop.
Observe
Use security monitoring to identify anomalous behavior that may require investigation. |
||
---|---|---|
Type of IR Tool | Why You Need It | Open Source Options |
Log Analysis, Log Management, SIEM | Logs are your richest source for understanding what’s going on in your network, but you’ll need an IR tool that makes sense of all of those logs, and that’s what log analysis is all about. |
|
Intrusion Detection Systems (IDS) — Network & Host-based | IDS’es (HIDS and NIDS) monitor server and network activity in real-time, and typically use attack signatures or baselines to identify and issue an alert when known attacks or suspicious activities occur on a server (HIDS) or on a network (NIDS). | |
Netflow Analyzers | Netflow analyzers examine actual traffic within a network (and across the border gateways too). If you are tracking a particular thread of activity, or just getting a proper idea of what protocols are in use on your network, and which assets are communicating amongst themselves, netflow is an excellent approach. | |
Vulnerability Scanners | Vulnerability scanners identify potential areas of risk, and help to assess the overall attack surface area of an organization, so that remediation tasks can be implemented. | |
Availability Monitoring | The whole point of incident response is to avoid downtime as much as possible. So make sure that you have availability monitoring in place, because an application or service outage could be the first sign of an incident in progress. | |
Web Proxies | Web Proxies are thought of as being purely for controlling access to websites, but their ability to log what is being connected to is vital. So many modern threats operate over HTTP – being able to log not only the remote IP address, but the nature of the HTTP connection itself can be vital for forensics and threat tracking. |
Orient
Evaluate what’s going on in the cyber threat landscape & inside your company. Make logical connections & real-time context to focus on priority events. |
||
---|---|---|
Type of IR Tool | Why You Need It | Open Source Options |
Asset Inventory | In order to know which events to prioritize, you’ll need an understanding of the list of critical systems in your network, and what software is installed on them. Essentially, you need to understand your existing environment to evaluate incident criticality as part of the Orient/Triage process. The best way to do this is to have an automated asset discovery and inventory that you can update when things change (and as we know, that’s inevitable). | |
Threat Intelligence; Security Research | Threat intelligence gives you global information about threats in the real world. Things like indicators of compromise (IoCs), bad reputation IP addresses, command-and-control servers and more, can be applied against your own network assets, to provide a full context for the threat. |
Decide
Based on observations and context, choose the best tactic for minimal damage and fastest recovery. |
||
---|---|---|
Type of IR Tool | Why You Need It | Open Source Options |
You Company’s Corporate Security Policy*; Hard Copy Documentation (notebook, pen, and clock) | There are no “Decide” tools, and until AI is truly a “thing,” we’ll keep having to do what humans do, use our brains. Decide based on the information you have at your disposal, which includes the tools above, as well as your own company’s security policy. |
* If you haven’t written a corporate security policy yet, and need assistance, you can contact a few associations for free resources and guidance like Educause. In addition to Charles Cresson Wood’s Information Security Policies Made Easy, there are also a number of vendors who sell information security policy templates.
Act
Remediate and recover. Improve incident response procedures based on lessons learned. |
||
---|---|---|
Type of IR Tool | Why You Need It | Open Source Options |
Data Capture & Incident Response Forensics Tools | Data Capture & Incident Response Forensics tools is a broad category that covers all types of media (e.g. memory forensics, database forensics, network forensics, etc.). Incident Response Forensics tools examine digital media with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information, all designed to create a legal audit trail. | |
System Backup & Recovery Tools Patch Management and Other Systems Management | System backup and recovery and patch management tools might be something you’ve already got in place, but it’s important to include them here since an incident is when you’ll likely need them most. | |
Security Awareness Training Tools and Programs | Security awareness training tools and programs are an essential way to improve your overall security posture and reduce the likelihood of incidents. |
Attribution: Identifying Ownership on the Anonymous Internet
One of the most underrated IR tools is one of the most obvious, if you start thinking about infosec like Sherlock Holmes would. Uncovering a mystery for Sherlock started and ended with the motivation and attribution of the criminal under investigation.
Who is this and what do they want? The challenge for the incident responder is that someone’s “identity” on the Internet is exceedingly difficult to determine with any reliability and certainty on your own. IP address and domain ownership aren’t terribly easy to interpret, and as you likely know, anyone can easily anonymize their connection through proxies and other means.
That said, there are certain tricks and tools you can deploy to get better insight into who and where these nefarious characters are, and more on what they want and the techniques they deploy to get it.
In this next section, we’ll go through a series of Q&A’s to learn best practices on identifying ownership on the anonymous internet.
Question #1 Which network does an IP address belong to? |
|
---|---|
Answer | Resources |
Public IP addresses are sold to organizations in blocks of varying sizes. Just as how Domain names have their registration information listed with a registrar, public IP networks have the information available publicly via network registrars.
These registrars maintain their own WHOIS services, but for networks instead of Domains. Here’s a query against ARIN for the address 192.168.3.56
|
You’re likely familiar with the concept of RFC 1918 addresses that are dedicated for use on trusted networks, behind firewalls and other gateway devices vs. the open Internet. If not, you can read more about this here: http://en.wikipedia.org/wiki/Regional_Internet_registry |
Question #2 How do I find all networks that belong to an organization? |
|
---|---|
Answer | Resources |
Organizations are free to use their assigned IP space wherever they wish, but to make it reachable over the Internet, they must inform other major Internet-connected routers how to reach that IP space, via Border Gateway Protocol (BGP). BGP assigns traffic destinations on the Internet by mapping IP networks to Autonomous System (AS) numbers. Each Internet-connected organization receives an AS number to identify them by./p> AS numbers are assigned to a legal entity (e.g. a corporation) – though a company may own more than one AS, this is an uncommon exception for backbone carriers. |
The CIDR Report website is the easiest publicly accessible tool for listing all networks currently assigned to an Autonomous System. |
Question #3 How do I find what domains point to an IP address? |
|
---|---|
Answer | Resources |
Because the resolution of a domain name to an IP address is controlled by the owner of the domain, there is no central registry of mappings. There are however independent projects that map the Internet and maintain public registries of the most recently-seen mapping of domain to address. |
https://www.robtex.com/ is an excellent multi-purpose tool for information about domains, addresses, and networks Domainbyip.com provides a free lookup service for domains pointing to a single IP address. http://www.domaintools.com/is a commercial service that provides a wealth of information (including historical information) about domains. |
Question #4 How do I find the location of an IP address? |
|
---|---|
Answer | Resources |
Several services attempt to maintain registries of approximate mappings of the physical location of the organization, network or system an IP address is currently assigned to. Insider tip: Physical Location of an IP address is of somewhat limited value to the DFIR analyst in most aspects of their work. The organization that owns the address space is usually of more relevance for identifying connections between addresses. Information networks are not limited by geographic boundaries. |
http://www.maxmind.com is recognized as somewhat of the defacto industry leader for this service – they offer a limited free service with more detailed information offered on a subscription basis Domainbyip.com provides a free lookup service for domains pointing to a single IP address. http://freegeoip.net/ is a community-funded service that provides automation services and detailed location information. |
Question #4 How accurate is geolocation information? |
|
---|---|
Answer | Resources |
IP addresses are, by their nature, a logical not physical identifier – networks can be re-assigned from one side of the planet to another, within a few hours at the very most. Most location information about IP addresses is derived from the location of the organization that owns it. A multinational corporation may have networks across 5 continents, but all its address space will likely be registered to the location of the company’s HQ. Like all information kept up to date via the aggregation of data from multiple sources, geo location Information accuracy will vary from point to point, IP address to IP address. |
Awareness: Security is Everyone’s Job
Security awareness is sort of like motherhood. It’s one of the hardest jobs because it’s the most important yet least respected, and if everyone did it properly, we’d likely put an end to war around the world, right?
In all seriousness, every post-incident examination should include an assessment of your overall security posture especially, the security awareness program. Regardless of the root cause of the incident, it’s still important to revisit how a more security-savvy employee community could have averted the crisis.
This isn’t the part of the guide where we bash dumb users. Seriously. Phishing and spearphishing campaigns can fool even the most sophisticated users. In fact, an estimated 91% of hacking attacks begin with a phishing or spear-phishing email.
https://www.abstractapi.com/
So examine each investigation with the perspective of understanding where your security awareness program could have prevented that incident, or minimized its impact, if only those lessons, guidelines, or tips were shared with your employees ahead of time.
This blog post is an excerpt from the AlienVault Insider’s Guide to Incident Response. You can visit the full eBook here.