Some people asked me what tools can be useful for Incident Response and for CSIRT/CERT teams, so I decided to prepare a list of such tools and seize the opportunity of the Open Source Weekend in Košice, Slovakia on 19th October. The motivation behind this list is to help enthusiasts and new teams prepare and/or strengthen the technical equipment needed for incident response with minimal costs. On the other hand, the participation of clever and engaged people is always required for such tasks in cybersecurity, and the use of Open Source and Free(ware) tools can have caveats, often requiring more tinkering or adjustments. Yes, it is sometimes a question of money vs. time.

OSS Weekend slides, PDF, 2.7 MB

Team cooperation

Before the incident happens, it is important to establish team communication channels and cooperation methods. Examples of tools:

  • E-Mails, calendars, contacts
    • Postfix, Dovecot
    • Roundcube, RainLoop
    • ThunderBird
    • iRedMail, Zimbra
    • GPG - Kleopatra (yes, please encrypt at least your important emails containing sensitive information like PII or financial data)
  • Team chat:
    • Rocket.chat
    • Mattermost
  • Collaborative documents (notepads)
    • Etherpad
  • Wiki & Docs
    • MediaWiki, DokuWiki
    • MkDocs
  • Project and task management
    • OpenProject
    • Wekan
    • Kanboard
  • Secure access
    • 2FA
    • SSL/TLS client certificates - only authorized persons can reach the interface at all (mitigates exploitation of unknown vulnerabilities in those interfaces)
  • Secure messaging, (group)calls, video, screen sharing
    • Signal, Telegram, Wire… but no one-fits-all

Incident handling, response, infoshare

An incident happened, what now? How to resolve and handle it? Start with ticketing and collecting information about it, triage, correlation with other known events and incidents in your constituency, and infosharing with other teams. Integrations between these tools and automation of the tasks are important: they save the analysts' time and allow them to focus on the main objectives of the analysis instead of collecting and researching pieces of (maybe relevant) information.

  • Ticketing system – with support for mails, calls, notes, customers, stats,…
    • RTIR, OTRS
    • Redmine
  • Incident management, collaboration
    • TheHive project
    • Demisto Free Community Edition
  • Monitoring and analysis of vulnerabilities, news, advisories
    • Taranis3 by NCSC-NL
  • IoC (Indicators of Compromise) sharing and malware detection
    • MISP (Malware Information Sharing Platform)
    • IoC Checker by CSIRT.SK
    • OpenIOC
  • OpenSource Intelligence and Recon
    • GeoIP tools, WhoIS, passive DNS
    • VirusTotal, Google Safe Browsing, urlscan.io, urlhaus
    • Google Dorks (GHDB)
    • Shodan, Censys, (nmap)
    • Maltego CE
    • TorBrowser, VPN, Proxy - hide your identity, access resources from various geolocations, check the difference
  • Feeds collecting and processing
    • IntelMQ, Warden
  • Threat Intelligence
    • RiskIQ, OpenCTI, MISP
    • ThreatMiner, ThreatConnect
    • ??Relevant Feeds??
    • RecordedFuture CyberDaily mailinglist

Forensics

Evidence acquisition and collection, forensics investigation and analysis.

  • Live Forensics and Incident Response
    • SysInternals Suite (ProcExp, Autoruns, Sysmon), Nirsoft utilities
    • CLI tools
    • debsums
  • Image acquisition and mounting
    • dcfldd, dc3dd, FTK Imager Lite
    • Affuse, winregfs
  • Log and filesystem processing
    • Photorec, recuva, diskdigger, scalpel
    • Lynis, ClamAV (and other AVs), chkrootkit, rkhunter
    • Log2Timeline + grep, sed, awk, perl, python + LibreOffice Calc (or Excel)
    • Log Parser Lizard
    • (autopsy), apache-scalp, ELK (Elastic+LogStash+Kibana)
  • Memory acquisition
    • FTK Imager Lite, winpmem, LIME
  • Memory analysis
    • Rekall, volatility
    • profiles
  • Endpoint analysis
    • Google Rapid Response (Rekall included)
  • Linux distributions
    • CAINE Live
    • Kali
    • SIFT Workstation
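The "Log2Timeline + grep, sed, awk, perl, python + spreadsheet" item above describes building a super-timeline: normalising every log source into one sorted table and then filtering it. The following is an added example (not code from the post or from the Log2Timeline project) that does that step in plain Python for two constructed sources, a syslog-style auth log and an Apache combined access log. It assumes a syslog year of 2019 (syslog lines carry none) and that the Apache log belongs to host web01; the log lines themselves are constructed sample data.

```python
"""Build a simple super-timeline from heterogeneous logs.

Added example, not code from the original post: it mimics the
"Log2Timeline + grep/sed/awk/python + spreadsheet" step by normalising
several log formats into one sorted, UTC-stamped CSV.
"""
import csv
import io
import re
from datetime import datetime, timezone

# Constructed sample data. Syslog lines carry no year, so one is assumed.
SYSLOG_YEAR = 2019
SYSLOG_LINES = [
    "Oct 19 10:02:11 web01 sshd[2231]: Failed password for root from 198.51.100.7 port 40122 ssh2",
    "Oct 19 10:02:14 web01 sshd[2231]: Accepted password for alice from 198.51.100.7 port 40122 ssh2",
    "Oct 19 10:05:40 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash",
]
# Apache combined log written with a +0200 offset; converted to UTC below.
APACHE_LINES = [
    '198.51.100.7 - - [19/Oct/2019:12:01:58 +0200] "GET /wp-login.php HTTP/1.1" 200 1893 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [19/Oct/2019:12:03:05 +0200] "POST /wp-admin/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

SYSLOG_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (.*)$")
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')


def parse_syslog(line, year=SYSLOG_YEAR):
    """Syslog line -> normalised event dict (timestamps assumed UTC)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    mon, day, hms, host, msg = m.groups()
    ts = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    return {"ts": ts.replace(tzinfo=timezone.utc), "source": "syslog", "host": host, "message": msg}


def parse_apache(line, host="web01"):
    """Apache combined log line -> normalised event dict in UTC."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    client, when, request, status, _size = m.groups()
    ts = datetime.strptime(when, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return {"ts": ts, "source": "apache", "host": host, "message": f"{client} {request} -> {status}"}


def build_timeline(syslog_lines, apache_lines):
    """Merge all sources into one list sorted by UTC timestamp."""
    events = [e for e in map(parse_syslog, syslog_lines) if e]
    events += [e for e in map(parse_apache, apache_lines) if e]
    events.sort(key=lambda e: e["ts"])  # stable: equal timestamps keep input order
    return events


def window(events, start, end):
    """Events with start <= ts < end: the 'filter the spreadsheet' step."""
    return [e for e in events if start <= e["ts"] < end]


def to_csv(events):
    """Render the timeline as CSV text for LibreOffice Calc / Excel."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["timestamp_utc", "source", "host", "message"])
    for e in events:
        w.writerow([e["ts"].isoformat(), e["source"], e["host"], e["message"]])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(build_timeline(SYSLOG_LINES, APACHE_LINES)))
```

The point of normalising to UTC first is visible in the output: the web request at 12:01:58 local time sorts before the SSH failure at 10:02:11 UTC, which a naive string sort of the raw lines would hide. Real Log2Timeline (plaso) output has many more columns, but the workflow of parse, normalise, sort, filter is the same.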

Malware analysis

During incident response and forensic analysis, malicious (or at least suspicious) artifacts are often found. Now it is time for malware analysts and their tools of choice. Remember, integrations and automation are our friends.

  • Online services
    • Repos and DB
      • VirusTotal, VirusShare
    • Sandboxes
      • Hybrid-analysis, Any.Run
    • Classification
      • Intezer, NoDistribute
  • Offline services
    • Repos and DB
      • viper
    • Sandboxes
      • Cuckoo
    • Classification
      • (IRMA), Malice, VirusChecker by CSIRT.SK
  • Static analysis
    • PE Tools, oletools
    • PEStudio, Resource hacker
    • Strings (also strings -e l)
    • Bytehist, densityscout
    • CyberChef, xortool
    • Didier Stevens Suite
    • Hiew Demo
    • Far Manager + plugins
    • Binvis.io
  • Behavioral analysis
    • VirtualBox, Qemu
      • “Free” windows: ReactOS, modern.ie
    • inetsim, dnsmasq, FakeNet-NG
    • SysInternals (procmon, sysmon)
    • NirSoft (NetworkTrafficView, …)
    • WireShark, Burp
    • procdot
  • Debugging
    • Gdb-dashboard, edb
    • WinDbg, Immunity debugger
      • Mona
    • x64dbg
  • Reverse-engineering
    • Radare2 + Cutter, Ghidra
    • Hopper, Binary Ninja
    • Ida 7.0 Freeware
    • Snowman decompiler
    • Mono Develop, ILSpy, dnSpy, de4dot
    • jd-gui, bytecodeviewer
    • Beautifier.io, onlinedisassembler.com
  • Distributions, OS
    • REMnux
    • Flare-vm

Monitoring, detection

Plenty of tools, only some examples:

  • IDS, IPS, SIEM
    • Suricata, Zeek (Bro), Snort, AlienVault OSSIM, SIEMonster, Elastic
  • Packet capture and analysis
    • Moloch (molo.ch), SiLK, Malcolm
  • Malicious traffic detection
    • Maltrail
  • Log processing and correlation
    • sec (perl)
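The "Log processing and correlation" item names sec, whose core idea is stateful rules over an event stream (count N matching events within a time window, then act). The following is an added example, not code from the post or from sec itself, showing that pattern in Python: it raises an alert when a source IP produces THRESHOLD or more failed logins within WINDOW seconds and then a successful one. The JSON-lines events, the field names (`ts`, `src_ip`, `user`, `outcome`) and the threshold values are constructed assumptions for the example.

```python
"""Sliding-window event correlation, in the spirit of a sec rule.

Added example, not code from the original post or from sec: flags a
source IP with THRESHOLD or more failed logins inside WINDOW that is
then followed by a successful login from the same IP.  Input format
and sample events are constructed for this example.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

THRESHOLD = 3                   # failures needed before a success is suspicious
WINDOW = timedelta(seconds=60)  # failures older than this are forgotten

# Constructed JSON-lines sample: one brute-force-then-success pattern
# from 198.51.100.7 and a benign slow retry from 203.0.113.9.
SAMPLE_EVENTS = """
{"ts": "2019-10-19T10:02:01Z", "src_ip": "198.51.100.7", "user": "root", "outcome": "fail"}
{"ts": "2019-10-19T10:02:05Z", "src_ip": "198.51.100.7", "user": "admin", "outcome": "fail"}
{"ts": "2019-10-19T10:02:09Z", "src_ip": "203.0.113.9", "user": "bob", "outcome": "fail"}
{"ts": "2019-10-19T10:02:12Z", "src_ip": "198.51.100.7", "user": "alice", "outcome": "fail"}
{"ts": "2019-10-19T10:02:20Z", "src_ip": "198.51.100.7", "user": "alice", "outcome": "success"}
{"ts": "2019-10-19T10:04:00Z", "src_ip": "203.0.113.9", "user": "bob", "outcome": "fail"}
{"ts": "2019-10-19T10:04:30Z", "src_ip": "203.0.113.9", "user": "bob", "outcome": "success"}
""".strip().splitlines()


def parse_event(line):
    """One JSON line -> dict with a timezone-aware UTC datetime in 'ts'."""
    ev = json.loads(line)
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def correlate(lines, threshold=THRESHOLD, window=WINDOW):
    """Return alerts for 'N failures within window, then success' per source IP.

    Events must arrive in time order, as they would from a log tail.
    """
    recent_fail = defaultdict(deque)  # src_ip -> timestamps of failures still in window
    alerts = []
    for ev in map(parse_event, lines):
        q = recent_fail[ev["src_ip"]]
        # Expire failures that fell out of the window before this event.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["outcome"] == "fail":
            q.append(ev["ts"])
        elif ev["outcome"] == "success" and len(q) >= threshold:
            alerts.append({
                "src_ip": ev["src_ip"],
                "user": ev["user"],
                "ts": ev["ts"],
                "failures": len(q),
            })
            q.clear()  # reset state so one burst yields one alert
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a['ts'].isoformat()} {a['src_ip']} -> {a['user']} after {a['failures']} failures")
```

The per-IP deque is the whole "state" a sec Pair/SingleWithThreshold style rule would keep; tuning THRESHOLD and WINDOW against your own baseline is what decides whether the rule is noisy or blind, which is the "quality of your feeds and knowledge of your tools" point from the closing section.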

What next?

There are many more tools, of course. We could speak more about monitoring, hardening, pentesting, auditing, … But for a beginning, it is not necessary to have everything. If you want to establish a CSIRT/CERT team, start with incident handling, procedures and a knowledge base, and then scale up. Remember, the quality of your feeds and knowledge of your tools matter more than quantity. Don’t forget about the Context, and:

  • Focus on relevant risk
  • Increased efficiency => better security