Incident response is at the heart of what security teams do. The term describes the process by which an organization responds to and mitigates a cyber attack (the incident). Incident response teams must keep track of cyber assets, discover and patch vulnerabilities, and prioritize hundreds of daily alerts in order to protect the organization against a deluge of potential breaches. Easy, right?
Not so much.
Most security practitioners would rather get on with the work of protecting what matters, and spend less time on evaluating vendors and tools. That’s why free and open source resources are so popular in the security community - you can get started using a tool before investing in a paid version and see the impact right away.
Which incident response tools do you need?
It’s easy to get overwhelmed when trying to understand the cybersecurity tooling landscape. That’s why Sounil Yu, JupiterOne’s CISO, created The Cyber Defense Matrix. You can download a copy of the book for free, here, but if you’re already familiar with this model, you can see the tools we’ve chosen to highlight mapped out on the matrix below.
“Consider the exhibit hall at any major security conference. The cacophony of claims from vendors hawking their wares, the confusing language of their marketecture, and the lack of any semblance of organization offer us no help to understand what we need or where to find it… understanding the cybersecurity landscape [is] daunting even for the experienced practitioner.
The Cyber Defense Matrix was originally created to address this problem. It is an easy-to-memorize mental model that helps us navigate the cybersecurity grocery store to quickly find the capabilities that we need; compare and contrast features of similar products; and spot obvious gaps and deficiencies in our security posture.”
The Cyber Defense Matrix by Sounil Yu
Free or open source cybersecurity tools you can try today
JupiterOne provides continuously updated cyber asset inventory and relational context. Discover, alert, and take action on rogue or vulnerable assets such as suspicious code commits, unmanaged devices, misconfigured data stores, and risky behavior in Bitbucket and GitHub pull requests. The free tier is available for up to ten integrations.
Starbase collects assets and relationships from services and systems including cloud infrastructure, SaaS applications, security controls, and more into an intuitive graph view backed by the Neo4j database.
SANS Investigative Forensics Toolkit (SIFT) Workstation
The SIFT Workstation is a collection of free and open-source incident response and forensic tools designed to perform detailed digital forensic examinations in a variety of settings. SIFT demonstrates that advanced incident response capabilities and deep-dive digital forensic techniques can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.
GRR Rapid Response
GRR Rapid Response is an incident response framework focused on remote live forensics. GRR server infrastructure consists of several components (frontends, workers, UI servers, fleetspeak) and provides a web-based graphical user interface and an API endpoint that allows analysts to schedule actions on clients and view and process collected data.
AlienVault® OSSIM™ is an open-source security information and event management (SIEM) platform that includes event collection, normalization, and correlation.
Volatility is a popular memory forensics framework that extracts data such as network connections, running processes, process IDs, and more from memory images and exports it to a text file. Volatility development is now supported by The Volatility Foundation, an independent 501(c)(3) non-profit organization.
TheHive Project is a free open-source IR platform that allows multiple analysts to work simultaneously on incident investigations. It gives analysts the ability to set up notifications for new task assignments and to preview new events and alerts with multiple sources, such as email digests and SIEM alerts. Built-in templates allow analysts to gain key insights and identify the right measures to take for faster remediation.
Snort is an open source Intrusion Prevention System (IPS). Snort uses a set of rules that define malicious network activity, matches packets against those rules, and generates alerts for users when a match is found.
Zeek is an open source network security monitoring tool. Zeek interprets what it sees and creates compact, high-fidelity transaction logs, file content, and fully customized output, suitable for manual review on disk or in a more analyst-friendly tool like a security information and event management (SIEM) system.
OSSEC is an open source Host-based Intrusion Detection System (HIDS). It integrates log analysis, file integrity monitoring, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, macOS, Solaris and Windows.
OpenVAS is an open source vulnerability scanner. Its capabilities include unauthenticated and authenticated testing, various high-level and low-level internet and industrial protocols, performance tuning for large-scale scans and a powerful internal programming language to implement any type of vulnerability test.
IPFire is an open source firewall solution. IPFire is built from scratch and not based on any other distribution. This allows the developers to harden IPFire better than any other server operating system and build all components specifically for use as a firewall.
Open Computers and Software Inventory (OCS Inventory) is an open source asset management solution. It allows you to scan and inventory all the devices your IT department manages. Once you know everything about your machines, on both the hardware and software side, you can deploy packages to keep your environment safe.
The Alien Labs® Open Threat Exchange® (OTX™) is an open threat intelligence community. It now has more than 100,000 participants in 140 countries, who contribute over 19 million threat indicators daily.
The Sleuth Kit® is a collection of command line tools and a C library that allows you to analyze disk images and recover files from them. It is used behind the scenes in Autopsy and many other open source and commercial forensics tools.
Opsi (Open PC Server Integration)
Opsi is an open source client management system for managing heterogeneous environments. It enables the deployment and configuration of operating systems and software on Windows and Linux computers.
Building a security program that works
At JupiterOne, we believe there are five questions at the heart of every effective incident response program: what do I have, what is important, does anything have a problem, who can fix it, and are we getting better?
To answer these questions, you need a cyber asset management platform that connects the dots across all of your assets - physical and ephemeral. This is not merely an asset inventory function; it is the core of effective incident response.
To try this approach for yourself, get started with a free JupiterOne account today. Connect your core systems for instant, near-real-time insights into your environment.