Open Source and Free Tools for Incident Response Teams

LIFARS Incident and Response team uses multiple tools when responding to and investigating incidents. For new and upcoming enthusiasts and teams, we have prepared a list of such tools. The motivation behind this list is to help new teams prepare and strengthen their technical equipment needed for incident response with minimal costs. Our list of Open source and Free(ware) tools, can have caveats with the need for tinkering or adjustment, however, these tools are great resources for building up your team and knowledge with minimal costs. Our list of tools covers team cooperation, Incident handling/response, Infoshare, Forensics, Malware Analysis, and Monitoring/detection.

Team Cooperation: 

Before the incident happens, it is important to establish team communication channels and cooperation methods. Examples of tools:

• E-Mails, calendars, contacts
• Postfix, Dovecot
• Roundcube, RainLoop
• ThunderBird
• iRedMail, Zimbra
• GPG – Kleopatra (yes, please encrypt at least your important emails containing sensitive information like PII or financial data)

    Team chat:

• chat
• Mattermost

   Collaborative documents (notepads)

• Etherpad

   Wiki & Docs

• MediaWiki, DokuWiki
• MkDocs

   Project and task management

• OpenProject
• Wekan
• Kanboard

   Secure access

• 2FA
• SSL/TLS client certificates – only authorized persons can access the interface (mitigation for exploiting unknown vulnerabilities in their interfaces)

   Secure messaging, (group)calls, video, screen sharing

• Signal, Telegram, Wire… but no one-fits-all

Incident handling, response, Infoshare

An Incident happened, what now? How to resolve and handle it? Start with ticketing and collecting information about it, triage, correlation with other known events and incidents in your constituency and with infosharing with other teams. Integrations between these tools and automatization of the tasks are important to save analysts time and allow them to focus on the main objectives of analysis instead of the collecting and researching pieces of (maybe relevant) information.

    Ticketing system – with support of mails, calls, notes, customers, stats,…

• RTIR, OTRS
• Redmine

    Incident management, collaboration

• TheHive project
• Demisto Free Community Edition

    Monitoring and analysis of vulnerabilities, news, advisories

• Taranis3 by NCSC-NL

    IoC (Indicators of Compromise) sharing and malware detection

• MISP (Malware Information Sharing Platform)
• IoC Checker by CSIRT.SK
• OpenIOC

    OpenSource Intelligence and Recon

• GeoIP tools, WhoIS, passive DNS
• VirusTotal, Google Safe Browsing, urlscan.io, urlhaus
• Google Dorks (GHDB)
• Shodan, Censys, (nmap)
• Maltego CE
• TorBrowser, VPN, Proxy – hide your identity, access resources from various geolocations, check the difference

    Feeds collecting and processing

• IntelMQ, Warden

    Threat Intelligence

• RiskIQ, OpenCTI, MISP
• ThreatMiner, ThreatConnect
• ??Relevant Feeds??
• RecordedFuture CyberDaily mailinglist

Forensics

Evidence acquisition and collection, forensics investigation and analysis.

    Live Forensics and Incident Response

• SysInternals Suite (ProcExp, Autoruns, Sysmon), Nirsoft utilities
• CLI tools
• debsums

    Image acquisition and mounting

• dcfldd, dc3dd, FTK Imager Lite
• Affuse, winregfs

    Log and filesystem processing

• Photorec, recuva, diskdigger, scalpel
• Lynis, ClamAV (and others AVs), chkrootkit, rkhunter
• Log2Timeline + grep, sed, awk, perl, python + LibreOffice Calc (or Excel)
• Log Parser Lizard
• (autopsy), apache-scalp, ELK (Elastic+LogStash+Kibana)

   Memory acquisition

• FTK Imager Lite, winpmem, LIME

   Memory analysis

• Rekall, volatility
• profiles

   Endpoint analysis

• Google Rapid Response (Rekall included)

   Linux distributions

• CAINE Live
• Kali
• SIFT Workstation

Malware analysis

During the incident response and forensics analysis, there are often found malicious artifacts (or at least suspicious artifacts). Now is time for malware analysts and their tools of choice. Remember, integrations and automatization are our friends.

    Online services

• Repos and DB
  • VirusTotal, VirusShare
• Sandboxes
  • Hybrid-analysis, Any.Run
• Classification
  • Intezer, NoDistribute

   Offline services

• Repos and DB
  • viper
• Sandboxes
  • Cuckoo
• Classification
  • (IRMA), Malice, VirusChecker by CSIRT.SK

    Static analysis

• PE Tools, oletools
• PEStudio, Resource hacker
• Strings (also strings –e l)
• Bytehist, densityscout
• CyberChef, xortool
• Didier Stevens Suite
• Hiew Demo
• Far Manager + plugins
• Binvis.io

    Behavioral analysis

• VirtualBox, Qemu
  • “Free” windows: ReactOS, modern.ie
• inetsim, dnsmasq, FakeNet-NG
• SysInternals (procmon, sysmon)
• NirSoft (NetworkTrafficView, …)
• WireShark, Burp
• procdot

    Debugging

• Gdb-dashboard, edb
• WinDbg, Immunity debugger
  • Mona
• x64dbg

    Reverse-engineering

• Radare2 + Cutter, Ghidra
• Hopper, Binary Ninja
• Ida 7.0 Freeware
• Snowman decompiler
• Mono Develop, ILSpy, dnSpy, de4dot
• jd-gui, bytecodeviewer
• Beautifier.io, onlinedisassembler.com

    Distributions, OS

• REMnux
• Flare-vm

Monitoring, detection

Plenty of tools, only some examples:

    IDS, IPS, SIEM

• Suricata, Zeek (Bro), Snort, AlienVault OSSIM, SIEMonster, Elastic

   Packet capture and analysis

• Molo.ch, SiLK, Malcolm

   Malicious traffic detection

• Maltrail

   Log processing and correlation

• sec (perl)

What next?

There are many more tools, of course. We can speak more about monitoring, hardening, pentesting, auditing, … But for the beginning, it is not necessary to have everything. If you want to establish CSIRT/CERT team, start with incident handling, procedures, knowledgebase and then scale-up. Remember, the quality of your feeds and knowledge of your tools is more than quantity. Don’t forget about the Context, and:

• Focus on relevant risk
• Increased efficiency => better security

 

 

Contact LIFARS Today 

For Incident Response Services