The LIFARS Incident Response team uses multiple tools when responding to and investigating incidents. For new and upcoming enthusiasts and teams, we have prepared a list of such tools. The motivation behind this list is to help new teams prepare and strengthen the technical equipment needed for incident response at minimal cost. Our list of open source and free(ware) tools comes with caveats, since some of them need tinkering or adjustment; nevertheless, they are great resources for building up your team and knowledge at minimal cost. The list covers team cooperation, incident handling/response, infosharing, forensics, malware analysis, and monitoring/detection.
Team Cooperation:
Before the incident happens, it is important to establish team communication channels and cooperation methods. Examples of tools:
- E-Mails, calendars, contacts
- Postfix, Dovecot
- Roundcube, RainLoop
- ThunderBird
- iRedMail, Zimbra
- GPG – Kleopatra (yes, please encrypt at least your important emails containing sensitive information like PII or financial data)
Team chat:
- chat
- Mattermost
Collaborative documents (notepads)
- Etherpad
Wiki & Docs
- MediaWiki, DokuWiki
- MkDocs
Project and task management
- OpenProject
- Wekan
- Kanboard
Secure access
- 2FA
- SSL/TLS client certificates – only authorized persons can access the interface (mitigation for exploiting unknown vulnerabilities in their interfaces)
Secure messaging, (group)calls, video, screen sharing
- Signal, Telegram, Wire… but there is no one-size-fits-all choice
Incident handling, response, Infoshare
An incident happened, what now? How do you resolve and handle it? Start with ticketing and collecting information about it, triage, correlation with other known events and incidents in your constituency, and infosharing with other teams. Integrations between these tools and automation of the tasks are important to save analysts' time and let them focus on the main objectives of the analysis instead of collecting and researching pieces of (maybe relevant) information.
Ticketing system – with support of mails, calls, notes, customers, stats,…
- RTIR, OTRS
- Redmine
Incident management, collaboration
- TheHive project
- Demisto Free Community Edition
Monitoring and analysis of vulnerabilities, news, advisories
- Taranis3 by NCSC-NL
IoC (Indicators of Compromise) sharing and malware detection
- MISP (Malware Information Sharing Platform)
- IoC Checker by CSIRT.SK
- OpenIOC
OpenSource Intelligence and Recon
- GeoIP tools, WhoIS, passive DNS
- VirusTotal, Google Safe Browsing, urlscan.io, urlhaus
- Google Dorks (GHDB)
- Shodan, Censys, (nmap)
- Maltego CE
- TorBrowser, VPN, Proxy – hide your identity, access resources from various geolocations, check the difference
Feeds collecting and processing
- IntelMQ, Warden
Threat Intelligence
- RiskIQ, OpenCTI, MISP
- ThreatMiner, ThreatConnect
- ??Relevant Feeds??
- RecordedFuture CyberDaily mailinglist
Forensics
Evidence acquisition and collection, forensics investigation and analysis.
Live Forensics and Incident Response
- SysInternals Suite (ProcExp, Autoruns, Sysmon), Nirsoft utilities
- CLI tools
- debsums
Image acquisition and mounting
- dcfldd, dc3dd, FTK Imager Lite
- Affuse, winregfs
Log and filesystem processing
- Photorec, recuva, diskdigger, scalpel
- Lynis, ClamAV (and others AVs), chkrootkit, rkhunter
- Log2Timeline + grep, sed, awk, perl, python + LibreOffice Calc (or Excel)
- Log Parser Lizard
- (autopsy), apache-scalp, ELK (Elastic+LogStash+Kibana)
Memory acquisition
- FTK Imager Lite, winpmem, LIME
Memory analysis
- Rekall, volatility
- profiles
Endpoint analysis
- Google Rapid Response (Rekall included)
Linux distributions
- CAINE Live
- Kali
- SIFT Workstation
Malware analysis
During incident response and forensic analysis, malicious (or at least suspicious) artifacts are often found. Now it is time for malware analysts and their tools of choice. Remember, integrations and automation are our friends.
Online services
- Repos and DB
- VirusTotal, VirusShare
- Sandboxes
- Hybrid-analysis, Any.Run
- Classification
- Intezer, NoDistribute
Offline services
- Repos and DB
- viper
- Sandboxes
- Cuckoo
- Classification
- (IRMA), Malice, VirusChecker by CSIRT.SK
Static analysis
- PE Tools, oletools
- PEStudio, Resource hacker
- Strings (also strings -e l)
- Bytehist, densityscout
- CyberChef, xortool
- Didier Stevens Suite
- Hiew Demo
- Far Manager + plugins
- Binvis.io
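The "strings -e l" item above refers to scanning for UTF-16LE strings, which the default ASCII scan misses. As an added example (not from the original post), both passes re-implemented in Python on a constructed byte buffer, so the difference is visible:

```python
"""Added example, not from the original LIFARS post: a minimal re-implementation
of plain `strings` (ASCII runs) and `strings -e l` (UTF-16LE runs) to show why
the second pass matters when triaging Windows binaries, whose wide strings
are invisible to the ASCII scan. The sample buffer is constructed for the demo."""
import re
from typing import List

MIN_LEN = 4  # same default minimum run length as GNU strings


def ascii_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Runs of >= min_len printable ASCII bytes (what plain `strings` prints)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def utf16le_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Runs of >= min_len 'printable byte, NUL' pairs, i.e. UTF-16LE text
    restricted to the ASCII range (what `strings -e l` prints)."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(data)]


def triage(data: bytes) -> dict:
    """Both passes together, as an analyst would run them on a sample."""
    return {"ascii": ascii_strings(data), "utf16le": utf16le_strings(data)}


# Constructed sample: a fake PE header, an ASCII import name, some junk bytes,
# and two wide strings of the kind a Windows sample carries (an autorun
# registry path and a URL), stored as UTF-16LE. Values are illustrative only.
SAMPLE = (
    b"\x4d\x5a\x90\x00"
    + b"kernel32.dll"
    + b"\x00\xff\x01\x02"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\x00\x7f"
    + "http://example.invalid/beacon".encode("utf-16-le")
    + b"\x00\x00"
)

if __name__ == "__main__":
    for kind, found in triage(SAMPLE).items():
        print(kind)
        for s in found:
            print("  ", s)
```

On the sample, the ASCII pass reports only the DLL name, while the UTF-16LE pass recovers the registry path and the URL.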
Behavioral analysis
- VirtualBox, Qemu
- “Free” windows: ReactOS, modern.ie
- inetsim, dnsmasq, FakeNet-NG
- SysInternals (procmon, sysmon)
- NirSoft (NetworkTrafficView, …)
- WireShark, Burp
- procdot
Debugging
- Gdb-dashboard, edb
- WinDbg, Immunity debugger
- Mona
- x64dbg
Reverse-engineering
- Radare2 + Cutter, Ghidra
- Hopper, Binary Ninja
- Ida 7.0 Freeware
- Snowman decompiler
- Mono Develop, ILSpy, dnSpy, de4dot
- jd-gui, bytecodeviewer
- Beautifier.io, onlinedisassembler.com
Distributions, OS
- REMnux
- Flare-vm
Monitoring, detection
Plenty of tools, only some examples:
IDS, IPS, SIEM
- Suricata, Zeek (Bro), Snort, AlienVault OSSIM, SIEMonster, Elastic
Packet capture and analysis
- Molo.ch, SiLK, Malcolm
Malicious traffic detection
- Maltrail
Log processing and correlation
- sec (perl)
What next?
There are many more tools, of course. We could say more about monitoring, hardening, pentesting, auditing, … but for the beginning, it is not necessary to have everything. If you want to establish a CSIRT/CERT team, start with incident handling, procedures and a knowledge base, and then scale up. Remember, the quality of your feeds and your knowledge of your tools matter more than quantity. Don't forget about the context, and:
- Focus on relevant risk
- Increased efficiency => better security