Automated & Open Source Incident Response Tools

Posted by alvina on August 27th, 2018

As platforms are worn down by growing cyber threats, it becomes difficult for human analysts to respond quickly and deal with these problems. Because the threats outpace the people, many security providers are heavily understaffed. The good news is that automation has slowly been on the rise and brings a variety of benefits.

Below we'll look at three automated tools that help teams respond on time and get the job done!

Incident Response Tools: CimSweep

CimSweep is a CIM/WMI-based incident response tool that lets analysts perform incident response and threat hunting remotely. It also lets analysts gather vital data such as registry keys, event logs, processes and more. CimSweep is unique in that it lets users write and plug in domain-specific functions to collect the evidence an attacker leaves behind: malicious files, bad registry keys or any other kind of suspicious behavior. It's an all-around great tool for extracting valuable data.

Incident Response Orchestration Tool: TheHive

One thing that is certain about cybersecurity and investigating attacks is that it takes teamwork. At the very least, working in teams helps a lot in improving the quality of the information included in the incident response. The creators of TheHive had this in mind, letting people build a detailed analysis together to produce quality, time-efficient investigations.

How it works is that each investigation is broken into one or more tasks. Team members claim these tasks and carry them out, which lets several people investigate a problem at the same time and makes the search easier. TheHive also comes with a Python API client, which means team members can feed it alerts from different sources such as a SIEM or an email.
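One way to turn a SIEM detection into a TheHive alert, as an added example that is not from the original post or the TheHive project: it talks to TheHive's REST alert endpoint with only the Python standard library rather than the TheHive4py client the post refers to, and the SIEM event, server URL and API key are constructed placeholders.

```python
import hashlib
import json
import urllib.request

# Constructed sample SIEM detection event (placeholder values, not from the post).
SIEM_EVENT = {
    "rule": "Suspicious PowerShell download cradle",
    "host": "ws-042.corp.example",
    "user": "jdoe",
    "src_ip": "10.20.30.40",
    "sha256": "0" * 64,  # placeholder hash
    "severity": "high",
}

# TheHive severities run 1 (low) to 3 (high); map the SIEM's wording onto them.
SEVERITY = {"low": 1, "medium": 2, "high": 3}

def build_alert(event, source="siem"):
    """Turn a SIEM event into a TheHive /api/alert payload.

    TheHive expects sourceRef to be unique per source, so deriving it from
    the event content means a re-fired detection maps to the same alert
    instead of flooding the queue with duplicates.
    """
    ref = hashlib.sha256(json.dumps(event, sort_keys=True).encode()).hexdigest()[:16]
    return {
        "title": f"[{source}] {event['rule']} on {event['host']}",
        "description": f"User {event['user']} triggered rule '{event['rule']}'.",
        "type": "external",
        "source": source,
        "sourceRef": ref,
        "severity": SEVERITY.get(event["severity"], 2),
        "tlp": 2,  # TLP:AMBER
        # Observables the analyst can pivot on once the alert becomes a case.
        "artifacts": [
            {"dataType": "ip", "data": event["src_ip"], "message": "source IP"},
            {"dataType": "hash", "data": event["sha256"], "message": "payload SHA-256"},
            {"dataType": "other", "data": event["host"], "message": "endpoint"},
        ],
    }

def send_alert(alert, url="https://thehive.example:9000", api_key="PLACEHOLDER_KEY"):
    """POST the alert to TheHive with a bearer API key; returns the JSON reply."""
    req = urllib.request.Request(f"{url}/api/alert", data=json.dumps(alert).encode(),
                                 headers={"Authorization": f"Bearer {api_key}",
                                          "Content-Type": "application/json"},
                                 method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)
```

Calling `build_alert(SIEM_EVENT)` alone is a dry run that needs no server; `send_alert` is what a SIEM hook or mail parser would call once the payload looks right.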

A Tool To Fill Your Incident Response Needs: MIG

Mozilla's MIG is the last automated and open-source tool we want to discuss. It is an agent-based investigation platform that lets users run real-time queries and investigations, specifically against endpoints. This is key because the program returns endpoint data in seconds, which you can then use for file inspection, network inspection or memory inspection. What's also interesting about this tool is that it can be used on Linux as well.

At the core of MIG is privacy. It's a core value, and you'll see it when orchestrating the tool: no raw data is returned at the end of a query. Instead, you get answers to the specific questions you asked.
