When we talk about security incident response, we must keep a close eye on the tools we need to deploy and on how we detect, triage, contain and respond effectively. In this article we cover some of the tools and best practices that help your organization make the most appropriate decision at each phase of an investigation.

It is important to start with the "Triad A": Ammunition, Attribution and Awareness. In short, an efficient defense of the network requires the right capabilities (tools and resources) to carry out the necessary tasks, the ability to attribute attacks, and greater awareness in order to reduce the volume and impact of cyber incidents.

Ammunition: the incident response tools. Below we highlight some of the leading open-source tools.
Attribution: it is important to understand where an attack comes from in order to understand the attacker's intent and techniques. Whenever possible, use Cyber Threat Intelligence to do so in real time.
Awareness: the most fundamental security control is an informed and alert user. Plan security awareness actions and programs in your organization.

Note that we list some of the most widely used open-source tools on the market; in some cases, however, it may be necessary to look at commercial options for certain features, depending on the needs and specifics of your organization.

The tools are grouped according to the OODA loop (Observe, Orient, Decide, Act), developed by U.S. Air Force military strategist John Boyd. The OODA cycle provides an effective structure for incident response.
[Image: incident response_EN.jpg]

OBSERVE: Use security monitoring to identify anomalous behavior that may require investigation.

Tool: Intrusion Detection Systems (IDS), network- and host-based
Why it is necessary: IDSes (HIDS and NIDS) monitor server and network activity in real time. They typically use attack signatures or behavioral baselines to identify known attacks or suspicious activity and raise an alert when it occurs on a server (HIDS) or on the network (NIDS).
Open Source: (none listed)

Tool: NetFlow Analyzers
Why it is necessary: Examine the actual traffic within a network (and through perimeter gateways). Whether your organization is tracking a particular segment of activity or simply wants an accurate picture of which protocols are in use on the network and which assets are communicating with each other, NetFlow is an excellent approach.
Open Source: (none listed)

Tool: Availability Monitoring
Why it is necessary: The primary goal of incident response is to avoid downtime as much as possible. An application or service failure may be the first sign of an incident in progress.
Open Source: Nagios
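As an added example (not from the original article), the Python script below shows the two detection styles the Observe table mentions, signatures and baselines, applied to constructed flow records of the kind a NetFlow analyzer exports, and also answers the NetFlow questions of which protocols are in use and which assets talk to each other. The records, the blocklist, the suspicious port and the baseline window are all made up for illustration; the addresses are documentation ranges, not real indicators.

```python
"""Signature- and baseline-based detection over flow records (added example).

Everything below is constructed for illustration: the flow records are not
real NetFlow exports, the blocklist is not a real threat feed, and the IP
addresses are documentation ranges.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed flow records: (src, dst, proto, dst_port, bytes)
# An earlier, quiet window used only to learn what "normal" looks like.
BASELINE_FLOWS = [
    ("10.0.0.5", "10.0.0.20", "tcp", 443, 10_000),
    ("10.0.0.5", "10.0.0.20", "tcp", 443, 11_000),
    ("10.0.0.6", "10.0.0.20", "tcp", 443, 12_000),
    ("10.0.0.7", "10.0.0.53", "udp", 53, 600),
    ("10.0.0.8", "10.0.0.53", "udp", 53, 1_500),
    ("10.0.0.9", "10.0.0.20", "tcp", 443, 9_000),
]

# The window being examined now.
FLOWS = [
    ("10.0.0.5", "10.0.0.20", "tcp", 443, 12_000),
    ("10.0.0.5", "10.0.0.20", "tcp", 443, 9_500),
    ("10.0.0.6", "10.0.0.20", "tcp", 443, 11_000),
    ("10.0.0.7", "10.0.0.53", "udp", 53, 300),
    ("10.0.0.6", "10.0.0.53", "udp", 53, 280),
    ("10.0.0.8", "203.0.113.9", "tcp", 4444, 2_000),    # hits the constructed blocklist
    ("10.0.0.9", "198.51.100.7", "tcp", 443, 950_000),  # looks like exfiltration
]

# Constructed "signature": destinations and ports treated as known-bad (hypothetical)
BLOCKLIST_IPS = {"203.0.113.9"}
SUSPICIOUS_PORTS = {4444}


def protocol_summary(flows):
    """Count flows per (protocol, destination port): which services are really in use."""
    return Counter((proto, port) for _, _, proto, port, _ in flows)


def talkers(flows):
    """Map each source to the set of destinations it talks to."""
    peers = defaultdict(set)
    for src, dst, _, _, _ in flows:
        peers[src].add(dst)
    return dict(peers)


def signature_alerts(flows):
    """NIDS-style signature matching: flag flows to a blocklisted IP or suspicious port."""
    alerts = []
    for src, dst, _, port, _ in flows:
        if dst in BLOCKLIST_IPS:
            alerts.append((src, dst, "blocklisted destination"))
        elif port in SUSPICIOUS_PORTS:
            alerts.append((src, dst, f"suspicious port {port}"))
    return alerts


def bytes_per_source(flows):
    """Total bytes sent by each source address in the window."""
    totals = Counter()
    for src, _, _, _, nbytes in flows:
        totals[src] += nbytes
    return totals


def baseline_alerts(flows, baseline_flows, sigma=3.0):
    """Baseline (anomaly) matching: flag sources whose byte total in this window
    is more than `sigma` standard deviations above the per-source totals seen
    in the baseline window. Learning from a separate window matters: a single
    huge transfer inside the sample would otherwise inflate its own baseline."""
    history = list(bytes_per_source(baseline_flows).values())
    mu, sd = mean(history), pstdev(history)
    if sd == 0:
        return []
    return [(src, total, round((total - mu) / sd, 1))
            for src, total in bytes_per_source(flows).items()
            if (total - mu) / sd > sigma]
```

Signature matching catches only what is already on the list (the 10.0.0.8 flow); the baseline check catches the 950 kB transfer from 10.0.0.9 to an address nobody has listed yet. A real deployment would feed both kinds of alert into the Orient phase rather than treating either as a verdict.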

ORIENT: Evaluate what is happening in the cyber threat landscape and within your organization. Make logical, context-aware calls in real time so that you focus on the priority events.

Tool: Asset Inventory
Why it is necessary: To know which events to prioritize, you need the list of critical systems on your network and the software installed on them. Essentially, you need to understand your environment to assess the criticality of an incident as part of the Orient/triage process. The best way to do this is an automated asset discovery and inventory that you can keep up to date.
Open Source: OCS Inventory

Tool: Threat Intelligence / Security Research
Why it is necessary: Threat intelligence provides global information about real-world threats, such as indicators of compromise, IP addresses with poor reputation and command-and-control servers, among others. Applied to your own network assets, it gives the full context of a threat.
Open Source: AlienVault OTX, AlienVault Labs
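The following is an added example, not from the original article: a small Python triage routine that does what the Orient phase describes, joining each event to an asset inventory and to a threat intelligence feed and ranking the events by how urgently they deserve attention. The inventory, the indicators, the events and the scoring weights are all constructed; the indicator format is a simplification, not the OTX pulse schema or OCS Inventory's export format.

```python
"""Triage scoring that joins an asset inventory with threat intelligence (added example).

All inventory entries, indicators, events and weights below are constructed;
the indicator format is a simplification, not the OTX pulse schema.
"""

# Constructed asset inventory: host -> attributes an inventory tool would export
ASSETS = {
    "10.0.0.20": {"name": "erp-db-01", "criticality": 5, "software": ["postgresql 14.2"]},
    "10.0.0.6": {"name": "ws-finance-12", "criticality": 3, "software": ["office 2019"]},
    "10.0.0.7": {"name": "printer-lobby", "criticality": 1, "software": []},
}

# Constructed threat intelligence: (type, value) -> context
INDICATORS = {
    ("ip", "203.0.113.9"): {"role": "c2", "confidence": 90},
    ("domain", "update-check.example"): {"role": "malware-distribution", "confidence": 60},
}

# Constructed events handed over from the Observe phase
EVENTS = [
    {"id": 1, "host": "10.0.0.7", "dst_ip": "203.0.113.9", "domain": None},
    {"id": 2, "host": "10.0.0.20", "dst_ip": "198.51.100.7", "domain": None},
    {"id": 3, "host": "10.0.0.6", "dst_ip": "198.51.100.8", "domain": "update-check.example"},
    {"id": 4, "host": "10.0.0.99", "dst_ip": "203.0.113.9", "domain": None},  # not in inventory
]

UNKNOWN_ASSET_CRITICALITY = 3  # an unlisted host cannot be ruled out, so it gets a middle score
C2_BONUS = 3                   # constructed weight: confirmed C2 contact always moves up


def enrich(event):
    """Attach asset context and every matching indicator to an event."""
    asset = ASSETS.get(event["host"])
    hits = []
    if ("ip", event["dst_ip"]) in INDICATORS:
        hits.append(INDICATORS[("ip", event["dst_ip"])])
    if event["domain"] and ("domain", event["domain"]) in INDICATORS:
        hits.append(INDICATORS[("domain", event["domain"])])
    return {**event, "asset": asset, "intel": hits}


def score(enriched):
    """Priority = asset criticality scaled by the strongest indicator confidence,
    plus a bonus when any indicator is a command-and-control server.
    An event with no intel hit scores its bare criticality."""
    crit = enriched["asset"]["criticality"] if enriched["asset"] else UNKNOWN_ASSET_CRITICALITY
    if not enriched["intel"]:
        return crit
    best = max(hit["confidence"] for hit in enriched["intel"])
    bonus = C2_BONUS if any(hit["role"] == "c2" for hit in enriched["intel"]) else 0
    return crit * (1 + best / 100) + bonus


def triage(events):
    """Return (score, event id) pairs ordered from most to least urgent."""
    ranked = [(score(e), e) for e in map(enrich, events)]
    ranked.sort(key=lambda pair: pair[0], reverse=True)
    return [(round(s, 2), e["id"]) for s, e in ranked]
```

Two things the ranking makes visible: the event on the unlisted host 10.0.0.99 lands at the top precisely because the inventory cannot tell you what it is, which is the argument for keeping the inventory complete; and the critical database server ranks above a workstation with a medium-confidence indicator even without any intel hit, because criticality is part of the score rather than an afterthought.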

DECIDE: Based on the observations and their context, choose the tactic that minimizes damage and speeds up recovery.

Tool: Your Organization's Corporate Security Policy
Why it is necessary: There are no "Decide" tools; until AI reaches a higher level of development, the decision remains a human one. Decide based on the information you have, which includes the output of the tools listed in this article as well as your organization's security policy.
Open Source: (none listed)

ACT: Recover, then improve the incident response procedures based on lessons learned.

Tool: Data Capture & Incident Response Forensics Tools
Why it is necessary: Data capture and forensic analysis tools for incident response are a broad category that covers all types of media. They are tools for digital media whose goal is to identify, preserve, recover, analyze and present facts and opinions about digital information, all while creating a trail that will stand up to legal audit.
Open Source: SANS Investigative Forensics Toolkit (SIFT)

Tool: System Backup & Recovery Tools; Patch Management and Other Systems Management
Why it is necessary: Patch management and system backup tools are not new, but they belong here because recovering from an incident will require them.
Open Source: Opsi (Open PC Server Integration)
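As an added example that is not part of the original article or of SIFT, the Python below implements the preservation step of the forensic process described in the Act table: it acquires a copy of an evidence file, hashes source and copy, refuses the acquisition if they differ, writes a chain-of-custody record and makes later verification fail if the image is altered. The evidence file, the examiner name and the record format are constructed for the demonstration; a real acquisition would image a device with a write blocker and follow the record format your legal process requires.

```python
"""Evidence acquisition with integrity hashes and a custody record (added example).

The "evidence" is a constructed file written to a temporary directory; the
record format is illustrative, not SIFT's or any court's required format.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, dest_dir, examiner):
    """Copy the evidence, hash source and copy, and write a custody record.
    The copy is accepted only if its hash matches the source."""
    dest = os.path.join(dest_dir, os.path.basename(source) + ".img")
    shutil.copyfile(source, dest)
    src_hash, dst_hash = sha256_file(source), sha256_file(dest)
    if src_hash != dst_hash:
        raise RuntimeError("acquisition failed: copy hash differs from source")
    record = {
        "source": source,
        "image": dest,
        "sha256": dst_hash,
        "examiner": examiner,  # constructed identity
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }
    with open(dest + ".custody.json", "w") as f:
        json.dump(record, f, indent=2)
    os.chmod(dest, 0o444)  # the image is read-only from here on; analysis works on copies
    return record


def verify(record):
    """Recompute the image hash and compare it with the custody record."""
    return sha256_file(record["image"]) == record["sha256"]


def demo():
    """Constructed run: acquire a fake evidence file, verify it, then tamper and re-verify.
    Returns (verified_after_acquisition, tampering_detected)."""
    work = tempfile.mkdtemp()
    try:
        evidence = os.path.join(work, "suspect_disk.bin")
        with open(evidence, "wb") as f:
            f.write(b"constructed evidence payload " * 1000)
        record = acquire(evidence, work, examiner="analyst-01")
        intact = verify(record)
        # Simulate someone flipping one byte of the image after acquisition.
        os.chmod(record["image"], 0o644)
        with open(record["image"], "r+b") as f:
            f.seek(0)
            f.write(b"X")
        tampered_detected = not verify(record)
        return intact, tampered_detected
    finally:
        shutil.rmtree(work)
```

The hash in the custody record is what ties the analysis back to the original medium: every later finding is presented against an image whose SHA-256 still matches what was recorded at acquisition time, and any mismatch means the evidence trail is broken.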
