RESPOND AND PREVENT - SECURITY INCIDENT RESPONSE TOOLS
29/12/2020

When we talk about security incident response, we must keep a close eye on the tools we need to deploy and on how to identify, triage, contain and respond effectively. In this article we discuss some of the tools and best practices that help your organization make the most appropriate decision at each phase of an investigation.

It is important to start with the A Triad: Ammunition, Attribution, and Awareness. In summary, an efficient defense of the network requires the right capabilities (tools and resources) to identify the necessary tasks, as well as increased awareness, to reduce the volume and impact of cyber incidents.

Ammunition: These are the incident response tools. Below we highlight some of the main open-source tools.
Attribution: It is important to understand where an attack comes from in order to understand the attacker's intent and technique. Whenever possible, use Cyber Threat Intelligence techniques to do so in real time.
Awareness: The most fundamental security control is the informed and conscious user. It is important to think about security awareness actions and programs in your organization.

OPEN SOURCE TOOLS
It is important to note that we indicate some of the most widely used open-source tools on the market; however, in some cases it may be necessary to examine commercial options for certain features, depending on the needs and specificities of your organization.

The tools are grouped according to the OODA loop, developed by U.S. Air Force military strategist John Boyd; the OODA cycle provides an effective structure for incident response.

OBSERVE: Use security monitoring to identify anomalous behavior that may require investigation.

Tool: Intrusion Detection Systems (IDS), network- and host-based
Why it is necessary: IDSes (HIDS and NIDS) monitor server and network activity in real time and typically use attack signatures or baselines to identify known attacks or suspicious activity and raise an alert when it occurs on a server (HIDS) or on the network (NIDS).
Open source: Snort, Suricata, Bro IDS, OSSEC

Tool: NetFlow Analyzers
Why it is necessary: Examine the actual traffic within a network (and through perimeter gateways). Whether your organization is tracking a particular segment of activity or just wants a clear picture of which protocols are in use on the network and which assets are communicating with each other, NetFlow is an excellent approach.
Open source: Ntop, NfSen, Nfdump

Tool: Availability Monitoring
Why it is necessary: The primary goal of incident response is to avoid downtime as much as possible. An application or service failure may be the first sign of an incident in progress.
Open source: Nagios



ORIENT: Evaluate what is happening in the cyber threat landscape and within your organization. Make logical, context-aware calls in real time to focus on priority events.

Tool: Asset Inventory
Why it is necessary: To know which events to prioritize, you need to know the list of critical systems on your network and what software is installed on them. Essentially, you need to understand your environment to assess the criticality of the incident as part of the orientation/triage process. The best way to do this is an automatic asset discovery and inventory that you can keep up to date.
Open source: OCS Inventory

Tool: Threat Intelligence / Security Research
Why it is necessary: Threat intelligence provides global information about real-world threats, such as indicators of compromise, IP addresses with poor reputation, and command-and-control servers, among others. Applied to your own network assets, it provides the complete context for the threat.
Open source: AlienVault OTX, AlienVault Labs
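The OBSERVE and ORIENT rows above describe two steps that fit together: a NetFlow analyzer shows which protocols are in use and which assets talk to each other, and the asset inventory plus threat intelligence turn those raw flows into prioritized events. The following is an added example, not code from the article or from any of the tools named in it; the flow export, asset inventory and indicator set are all constructed, and the CSV layout merely imitates the kind of output nfdump produces.

```python
# Added example (not from the article): summarise a flow export and enrich it
# with asset criticality and threat-intel indicators. All data is constructed.
from collections import Counter
from ipaddress import ip_address, ip_network
# Constructed nfdump-style CSV export: start_time,proto,src,sport,dst,dport,bytes
FLOWS = """\
2020-12-28 10:01:02,TCP,10.0.1.15,51522,10.0.2.5,443,18230
2020-12-28 10:01:05,TCP,10.0.1.15,51530,203.0.113.77,443,920
2020-12-28 10:01:09,UDP,10.0.1.20,53412,10.0.0.2,53,140
2020-12-28 10:02:44,TCP,10.0.1.20,49800,198.51.100.9,8443,4096000
2020-12-28 10:03:10,TCP,10.0.2.5,443,10.0.1.15,51522,120400
"""
# Constructed asset inventory and a constructed indicator set (the kind a feed such as OTX provides).
ASSETS = {"10.0.2.5": "high", "10.0.0.2": "high", "10.0.1.15": "low"}
BAD_IPS = {"198.51.100.9"}
INTERNAL = ip_network("10.0.0.0/8")
RANK = {"unknown": 0, "low": 1, "high": 2}

def parse_flows(text):
    """Turn the CSV export into dicts with numeric ports and byte counts."""
    rows = []
    for line in text.splitlines():
        t, proto, src, sport, dst, dport, nbytes = line.split(",")
        rows.append({"time": t, "proto": proto, "src": src, "sport": int(sport),
                     "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return rows

def bytes_by(flows, key):
    """Byte totals by key: (proto, dport) = service mix, (src, dst) = who talks to whom."""
    totals = Counter()
    for f in flows:
        totals[key(f)] += f["bytes"]
    return totals

def enrich(flows, assets, bad_ips):
    """Rank flows by indicator match first, then by criticality of the internal asset involved."""
    out = []
    for f in flows:
        ips = (f["src"], f["dst"])
        internal = [ip for ip in ips if ip_address(ip) in INTERNAL]
        crit = max((assets.get(ip, "unknown") for ip in internal), key=RANK.get, default="unknown")
        hits = sorted(ip for ip in ips if ip in bad_ips)
        out.append({**f, "criticality": crit, "ioc": hits})
    return sorted(out, key=lambda r: (bool(r["ioc"]), RANK[r["criticality"]]), reverse=True)

if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    print(bytes_by(flows, lambda f: (f["proto"], f["dport"])).most_common())
    print(enrich(flows, ASSETS, BAD_IPS)[0])  # highest-priority event
```

A host that is missing from the inventory ranks as "unknown", which is itself useful: the large transfer to a listed indicator in the sample comes from exactly such a host, so the asset inventory gap shows up alongside the indicator match.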


DECIDE: Based on observations and context, choose the best tactic for minimal damage and fastest recovery.

Tool: Your Organization's Corporate Security Policy
Why it is necessary: There are no "decision" tools; until AI reaches a higher level of development, the decision remains a human one. Decide based on the information you have, which includes the output of the tools indicated in this document, as well as your organization's security policy.
Open source: N/A


ACT: Recover. Improve incident response procedures based on lessons learned.

Tool: Data Capture & Incident Response Forensics Tools
Why it is necessary: Data capture and forensic incident response analysis tools are a broad category that covers all types of media. They are tools for digital media with the objective of identifying, preserving, recovering, analyzing and presenting facts and opinions about digital information, all with the aim of creating an audit trail for legal purposes.
Open source: SANS Investigative Forensics Toolkit (SIFT), The Sleuth Kit

Tool: System Backup & Recovery Tools; Patch Management and Other Systems Management
Why it is necessary: Patch management and system backup tools are not new, but it is important to include them here, since responding to an incident will depend on them.
Open source: Opsi (Open PC Server Integration)


