Incident response is the organized practice of responding to cyber security events. These processes are typically organized into an incident response plan, which outlines the steps and tools the organizations should follow during events.
An incident response plan can and should differ between organizations, tailored to the specific needs of the environment it protects. However, the plan should typically cover six key steps: preparation, identification, containment, eradication, recovery, and lessons learned.
Because the incident response process is cyclical, many of its tasks are repetitive. To save time, you can delegate these tasks to dedicated tools. Read on to learn about the importance of incident response automation, and discover six popular tools.
What Is Incident Response Automation and Why Is It Important?
Incident response is a critical, time-sensitive activity, and in virtually all organizations security analyst time is scarce. It is impossible to manually review and investigate all alerts from modern security tools.
Automating incident response activities can help reduce the time it takes to mitigate a critical incident, preventing malware from spreading or stopping attackers from doing any more damage. It can also save time by allowing security teams to review more security events, and identify and investigate important potential incidents.
Incident response automation can help you:
- Quickly triage and identify relevant security incidents
- Investigate incidents more easily by automatically compiling all relevant data
- Automate incident response tasks, or even complete response and mitigation processes, using security playbooks
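As an added illustration of these three points (not code from the article or from any of the tools it lists), the following Python script compiles constructed sample alerts into per-host incidents, scores and triages them, and maps each to a hypothetical playbook; the alert data, scoring weights and playbook names are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample alerts, shaped like what a SIEM or EDR might emit (not real data).
ALERTS = [
    {"id": 1, "host": "ws-017", "source": "edr", "type": "malware_detected", "severity": 8},
    {"id": 2, "host": "ws-017", "source": "proxy", "type": "c2_beacon", "severity": 9},
    {"id": 3, "host": "srv-db1", "source": "auth", "type": "failed_logins", "severity": 3},
    {"id": 4, "host": "ws-042", "source": "av", "type": "pup_detected", "severity": 2},
    {"id": 5, "host": "ws-017", "source": "auth", "type": "new_admin_account", "severity": 7},
]

# Hypothetical playbook table: incident category -> ordered automated first actions.
PLAYBOOKS = {
    "critical": ["isolate_host", "collect_memory_image", "open_case"],
    "high": ["collect_triage_artifacts", "open_case"],
    "low": ["enrich_and_queue"],
}

@dataclass
class Incident:
    host: str
    alerts: list = field(default_factory=list)

    @property
    def score(self) -> int:
        # Highest single severity, plus a bonus for each additional independent
        # sensor that saw the host, so multi-source corroboration ranks higher.
        top = max(a["severity"] for a in self.alerts)
        sources = {a["source"] for a in self.alerts}
        return top + 2 * (len(sources) - 1)

    @property
    def category(self) -> str:
        s = self.score
        return "critical" if s >= 10 else "high" if s >= 6 else "low"

def triage(alerts):
    """Compile alerts per host into incidents, then rank them by score (highest first)."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    incidents = [Incident(h, al) for h, al in by_host.items()]
    return sorted(incidents, key=lambda i: i.score, reverse=True)

def run_playbook(incident):
    """Return the (action, host) pairs an automated playbook would execute for this incident."""
    return [(action, incident.host) for action in PLAYBOOKS[incident.category]]

if __name__ == "__main__":
    for inc in triage(ALERTS):
        print(inc.host, inc.category, inc.score, [a["type"] for a in inc.alerts])
        print("  actions:", run_playbook(inc))
```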
How to Choose the Right Incident Response Tool
When selecting an automated incident response tool, consider what part of the incident response process you need to automate. Some tools help you gather and make sense of data, while others help you automate actual response procedures. Other tools assist with detailed forensic investigations of security incidents. Most free tools provide a solution for only part of the incident response process, so you will need to combine several tools.
Also consider the skill set of your security team, to ensure you can be productive with the tools without a steep learning curve. A tool like SANS SIFT is very powerful but requires a deep understanding of forensics principles. Simpler tools like Cyphon can help you get up and running quickly and will be suitable for all but the most complex incidents.
A final consideration is deployment and integration: do you need to deploy the tool as a server, or will it run on analyst workstations? Do you need to deploy agents on specific machines? Is there a need to integrate additional security tools? These factors affect the cost and complexity of the solution, even if the tool itself is free.
8 Free Tools to Automate Your Incident Response
1. TheHive
TheHive makes it possible to work as a team to investigate security incidents. It is a Security Operations Center (SOC) orchestration system that lets teams collaborate to perform quality, timely investigations of security data. Every investigation corresponds to a case, which may be broken down into one or more tasks. These tasks are claimed by security analysts in the SOC, who can work on them simultaneously. TheHive can also integrate with email, Security Information and Event Management (SIEM) systems and other sources via a Python API.
2. AlienVault OSSIM
AlienVault OSSIM is an open source Security Information and Event Management (SIEM) system that connects to security tools and IT systems in an organization, gathers security-related events and data, and helps security teams make sense of it to identify security incidents. It provides asset discovery, vulnerability assessment, intrusion detection based on event data, behavioral analysis and event correlation rules.
3. GRR Rapid Response
Developed by Google security researchers, GRR is an agent-based, cross-platform system that executes data collection tasks such as memory analysis, file and registry searches, and monitoring of device activity. The toolset includes job automation features like automatic scheduling for recurring tasks, and it provides integrated scripting via an IPython console. GRR can be deployed at scale across a large number of endpoints.
4. Cyphon
Cyphon is an open source tool that enables security analysts to collect data, process it and identify incidents from raw security events. It can ingest sources like logs, APIs and emails, allowing analysts to decide how much data they want to see to conduct their investigation. It can also generate custom alerts, rate the criticality of incidents, and track work performed by security analysts.
5. SANS Investigative Forensic Toolkit (SIFT)
The SANS Investigative Forensic Toolkit (SIFT) is an Ubuntu Live CD. It is composed of a range of tools for running forensic investigations.
SIFT supports the following formats:
- Advanced Forensic Format (AFF)
- RAW (dd) images
- Expert Witness Format (E01)
SIFT provides capabilities like creating a timeline from system logs, file carving to extract specific evidence, and recycle bin analysis. It supports both Linux and Windows.
6. Volatility
Volatility is a memory forensics platform that allows analysts to create memory dumps of systems affected by security incidents, and analyze their contents. Based on volatile memory data, the tool can analyze network activity, process IDs, process activity, DLLs, kernel memory and objects, registry scans, and more.
7. CrowdStrike CrowdResponse
CrowdResponse is a lightweight console application that can help you gather contextual information about security incidents, such as directory listing, process lists and scheduled system jobs. It can verify digital signatures of processes running on a system, and use embedded YARA signatures to scan a host for malware and document infections found.
8. Cyber Triage
Cyber Triage is a commercial tool that provides a free plan. It integrates with SIEM and Intrusion Detection Systems (IDS) to gather data, identifies security incidents and scores them automatically, and allows security analysts to compare current security incidents to threat intelligence data.
Hopefully, this article has helped you better understand the importance of automating incident response processes. There are many (paid and free) automation tools, so if you haven’t found the right one for you, keep looking. Security tasks will continue to pile up, and automation can help you maintain continual visibility.
About the Author:
Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Samsung NEXT, NetApp and Imperva, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.