Collective Intelligence : Incident Response ToolKit

Todays world is full of So called Hackers and then impacts of their so called Crackers which sometimes fire in Rush and result into Wiping out Millions of Data in a matter of a brush. World has seen what Ransomware Outbreak whether it stayed only for one day like Wannacry on 12th May 17 or NotPetya Ourbreak on 27th June 17, the outcome was a Dangerous. Lots of corporate devices corrupted caused Companies to pour out millions to build the same infrastructure.

FedEx says financial drain from cyber attack to linger through 2018 :  FedEx joins a string of companies that reported big drops in earnings because of the NotPetya virus, which hit on June 29, crippling Ukraine businesses before spreading worldwide to shut down shipping ports, factories and corporate offices.

Maersk Posts Surprise Loss, Warns of Cyberattack Impact : Maersk warned that the cyberattack, which hit companies across the world in the last week of the quarter, would cost it between $200 million and $300 million. The company will register the hit in the third quarter, with the impact on second-quarter results minimal.

So during any outbreak Incident Management and Handling plays a key role to Analyze, Minimize and Nullfy the impact which can save Millions of Loss to the organisations during critical time. We will try to correlate and gather collective intelligence for certain incident response toolsets in this section.

    • According to Wikipedia, Incident management (IcM) is a term describing the activities of an organization to identify, analyze, and correct hazards to prevent a future re-occurrence.
    • An incident is an event that could lead to loss of, or disruption to, an organization’s operations, services or functions.
    • If not managed an incident can escalate into an emergency, crisis or a disaster.
    • Incident management is therefore the process of limiting the potential disruption caused by such an event, followed by a return to business as usual.
    • An incident response team or emergency response team (ERT) is a group of people who prepare for and respond to any emergency incident, such as a natural disaster or an interruption of business operations.
    • Incident response teams are common in public service organizations as well as in Corporate organizations.

Incident Response Toolkit Collective Intelligence


  1.   GRR Rapid Response:                                                                                                                                                          One of the Google’s innovation, It is an incident response framework focused on remote live forensics. GRR is a python agent (client) that is installed on target systems, and python server infrastructure that can manage and talk to the agent.
    •  Client Features:
      • Cross-platform support for Linux, OS X and Windows clients.
      • Live remote memory analysis using open source memory drivers for Linux, OS X and Windows via the Rekall memory analysis framework.
      • Powerful search and download capabilities for files and the Windows registry.
      • Secure communication infrastructure designed for Internet deployment.
      • Client automatic update support.
      • Detailed monitoring of client CPU, memory, IO usage and self-imposed limits.
    •  Server Features:
      • OS-level and raw file system access, using the SleuthKit (TSK).
      • Enterprise hunting (searching across a fleet of machines) support.
      • Fully scalable back-end to handle very large deployments.
      • Automated scheduling for recurring tasks.
      • Fast and simple collection of hundreds of digital forensic artifacts.
      • Asynchronous design allows future task scheduling for clients, designed to work with a large fleet of laptops.
      • Basic reporting infrastructure.
    •   Github Repository can be found here
    •   Video Demonstration: Basic Tutorial                                                                                                           

       

    •   Blackhat Talk : GRR: Find All the Badness, Collect All the Things                                                                                  

       

  2.   nightHawk                                                                                                                                                                            The nightHawk Response Platform is an application built for asynchronous forensic data presentation using ElasticSearch as the backend. It’s designed to ingest Redline collections.
  3.    Belkasoft Evidence Center :                                                                                                                                                  The toolkit will quickly extract digital evidence from multiple sources by analyzing
    • Hard drives
    • Drive images
    • Memory dumps
    • iOS, Blackberry and Android backups,
    • UFED, JTAG and chip-off dumps
    • Video Demonstration:

       

  4. Redline FireEye’s premier free endpoint security tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile.

        Features : 

    • Thoroughly audit and collect all running processes and drivers from memory, file-system metadata, registry data, event logs, network information, services, tasks and web history.
    • Analyze and view imported audit data, including the ability to filter results around a given timeframe using Redline’s Timeline functionality with the TimeWrinkle™ and TimeCrunch™ features.
    • Streamline memory analysis with a proven workflow for analyzing malware based on relative priority.
    • Perform Indicators of Compromise (IOC) analysis. Supplied with a set of IOCs, the Redline Portable Agent is automatically configured to gather the data required to perform the IOC analysis and an IOC hit result review
    • Video Demonstration 1 : SANS DFIR Webcast – Memory Forensics for Incident Response                                     
    • Video Demonstration 2 :Using Mandiant Redline to discover Meterpreter process injection                               

       

  5. MIG: Mozilla InvestiGator :                                                                                                                                                   MIG is Mozilla’s platform for investigative surgery of remote endpoints.MIG is composed of agents installed on all systems of an infrastructure that are be queried in real-time to investigate the file-systems, network state, memory or configuration of endpoints.
    • Use Case : Imagine it is 7am on a saturday morning, and someone just released a critical vulnerability for your favorite PHP application.
    • The vuln is already exploited and security groups are releasing indicators of compromise (IOCs).
    • With MIG ,the signature of the vulnerable PHP app (the md5 of a file, a regex, or just a filename) can be searched for across all your systems using the file module. Similarly, IOCs such as specific log entries, backdoor files with md5 and sha1/2/3 hashes, IP addresses from botnets or byte strings in processes memories can be investigated using MIG. Suddenly, your weekend is looking a lot better. And with just a few commands, thousands of systems will be remotely investigated to verify that you’re not at risk.
    • Github Repository can be Found here:
    • Video Demonstration 1 : Mozilla Investigator presentation                                                                                              

            

    • Video Demonstration 2 : MIG: Mozilla’s Distributed Platform for Real-Time Forensics of Endpoints – SANS DFIR Summit 2015                                                                                                                                                              

       

  6.  X-Ways Forensics: Integrated Computer Forensics Software :                                                                                           X-Ways is a forensics tool for Disk cloning and imaging. It can be used to find deleted files and disk analysis
    • Features :
      • Disk cloning and imaging
      • Ability to analyze remote computers in conjunction with F-Response
      • Ability to read partitioning and file system structures inside raw (.dd) image files, ISO, VHD and VMDK images
      • Complete access to disks, RAIDs, and images more than 2 TB in size (more than 232 sectors) with sector sizes up to 8 KB
      • Automatic identification of lost/deleted partitions
      • Native support for FAT12, FAT16, FAT32, exFAT, TFAT, NTFS, Ext2, Ext3, Ext4, Next3®, CDFS/ISO9660/Joliet, UDF
      • Superimposition of sectors, e.g. with corrected partition tables or file system data structures to parse file systems completely despite data corruption, without altering the original disk or image
      • Access to logical memory of running processes
      • Various data recovery techniques, lightning fast and powerful file carving
      • Easy detection of and access to NTFS alternate data streams (ADS)
      • Mass hash calculation for files (Adler32, CRC32, MD4, ed2k, MD5, SHA-1, SHA-256, RipeMD-128, RipeMD-160, Tiger-128, Tiger-16, Tiger-192, TigerTree, …)
      • Runs under Windows FE, the forensically sound bootable Windows environment, e.g. for triage/preview, with limitations
    • Video Demonstration and Tutorial by X-Way Team can be found here :
    • X-Ways Forensics Quick Start Guides 
  7. SIFT Workstation :                                                                                                                                                                    A key tool during incident response helping incident responders identify and contain advanced threat groups. The SIFT, provides the ability to securely examine raw disks, multiple file systems, evidence formats. Places strict guidelines on how evidence is examined (read-only) verifying that the evidence has not changed


 

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: