INCIDENT RESPONSE RESOURCES

…for organizations with modest resources

IR STEPS & LINKS
PREPARATION
  • IR Plans
    • NIST Computer Security Incident Handling Guide, SP 800-61r2, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
    • Good Practice Guide for Incident Management, https://www.enisa.europa.eu/publications/good-practice-guide-for-incident-management
    • Insider’s Guide to Incident Response, https://www.alienvault.com/resource-center/ebook/insider-guide-to-incident-response
    • The Incident Handler’s Handbook, https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
    • Tips for Starting an Incident Response Team, https://zeltser.com/security-incident-response-program-tips/
  • Asset Management
    • Creator, https://www.zoho.com/creator/apps/it-asset-tracker.html
    • Open-AudIT, https://www.open-audit.org/
    • PDQ Inventory, https://www.pdq.com
    • Spiceworks, https://www.spiceworks.com/free-asset-management-software/
    • SysAid, https://www.capterra.com/p/107225/SysAid/
  • Out-of-Band Communications
    • Secure Email
      • CounterMail, https://countermail.com/
      • Hushmail, https://www.hushmail.com/
      • ProtonMail, https://protonmail.com/
      • Mailfence, https://mailfence.com/
    • Teleconferencing
      • Google Hangouts, https://hangouts.google.com/
      • Zoom, https://zoom.us
      • UberConference, https://www.uberconference.com/
    • Texting
      • WhatsApp
      • Line
      • Signal
      • Viber
    • Ticketing
      • TheHive Project, https://thehive-project.org/
      • Snipe-IT, https://snipeitapp.com/
      • Spiceworks, https://www.spiceworks.com/free-asset-management-software/
    • Use Cases
      • 2018 Popular SIEM Starter Use Cases, https://securityboulevard.com/2018/07/2018-popular-siem-starter-use-cases/
      • Targeted SOC Use Cases for Effective Incident Detection and Response, https://digital-forensics.sans.org/media/Targeted-SOC-Use-Cases-for-effective-Incident-Detection-and-Response-Angelo-Perniola-David-Gray.pdf
      • Top 10 SIEM Use Cases to Implement, https://www.logpoint.com/en/understand/top-10-use-cases-implement/
      • Top 6 SIEM Use Cases, https://resources.infosecinstitute.com/top-6-seim-use-cases/
    • Testing
      • Incident Handling Annual Testing and Training, https://www.sans.org/reading-room/whitepapers/incident/incident-handling-annual-testing-training-34565
      • Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, NIST 800-84, https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-84.pdf
    • Training
      • National Cybersecurity Awareness Month (NCSAM)
        • Stay Safe Online, https://staysafeonline.org/ncsam/
        • DHS, https://www.dhs.gov/publication/national-cyber-security-awareness-month-resources
      • Cybrary, https://www.cybrary.it/
      • ICS-CERT Virtual Learning, https://ics-cert-training.inl.gov/learn
      • SANS Cyber Aces, https://www.cyberaces.org/
      • TED Talks, https://www.springboard.com/blog/12-must-watch-cybersecurity-ted-talks/
      • Open Security Training, http://opensecuritytraining.info/Training.html
      • Open Cyber Challenge Platform, https://opencyberchallenge.net/
    • Checklists
      • Incident Response Jumpkit Checklist
      • Critical Log Review Checklist for Security Incidents
    • Cheat Sheets
      • DDoS Incident Cheat Sheet
      • Security Incident Questionnaire Cheat Sheet
      • Security Incident Survey Cheat Sheet
    • Forms
      • Incident Response Reporting Form
      • IR Chain of Evidence
IDENTIFICATION
  • Threat Intelligence
    • Hslatman’s Github: A curated list of Awesome Threat Intelligence Resources, https://github.com/hslatman/awesome-threat-intelligence
    • Cisco Talos, https://www.talosintelligence.com/
    • HoneyDB, https://riskdiscovery.com/honeydb/
    • Malware Domains, http://www.malwaredomains.com/
    • Talos Aspis, https://www.talosintelligence.com/aspis/
    • threatfeeds.io, https://threatfeeds.io
  • Honeypots
    • GitHub list of Honeypots, https://github.com/paralax/awesome-honeypots
    • Honeyd, http://www.honeyd.org/
    • Valhala, https://sourceforge.net/projects/valhalahoneypot/
    • HoneyTrap, https://github.com/honeytrap/honeytrap
  • SIEM
    • Open Source SIEM (OSSIM), https://www.alienvault.com/products/ossim
    • OSSEC, https://ossec.github.io/
    • Suricata, https://suricata-ids.org/
    • Security Onion, https://securityonion.net/
    • SNORT, https://www.snort.org/
  • Notebooks
    • Post-It Easel Pads, (~$30)
    • Rocketbook Everlast Reusable Smart Notebook, (~$30)
  • Network Monitoring
    • Cacti, https://www.cacti.net/index.php
    • Icinga 2, https://icinga.com/products/icinga-2/
    • Nagios Core, https://www.nagios.org/projects/nagios-core/
    • Prometheus, https://prometheus.io/
  • Logs
    • Critical Log Review Checklist for Security Incidents, https://zeltser.com/security-incident-log-review-checklist/
    • Fluentd, https://www.fluentd.org/
    • Graylog, https://github.com/Graylog2/graylog2-server
    • LOGalyze, http://www.logalyze.com/
    • Logstash, https://www.elastic.co/products/logstash
    • LogWatch, https://logpacker.com/
    • Kiwi Syslog ($), https://www.solarwinds.com/kiwi-syslog-server
  • NTP
    • Google Public NTP, https://developers.google.com/time/
    • NIST Internet Time Servers, https://tf.nist.gov/tf-cgi/servers.cgi
    • NTP Pool Project, https://www.pool.ntp.org/zone/us
    • Time Tools, https://timetoolsltd.com/information/public-ntp-server/
    • US Navy NTP Network Time Servers, https://tycho.usno.navy.mil/NTP/
  • Vulnerability Scanner
    • Burp Suite (Community Edition), https://portswigger.net/burp/communitydownload
    • Nessus (Community), http://repository.slacky.eu/slackware-12.1/network/nessus/2.2.11/
    • OpenVAS, https://www.openvas.org/ (+ Seccubus, https://www.seccubus.com/)
    • OWASP ZAP, https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
  • Forensics
    • CentralOps, https://centralops.net/co/
    • Google, https://google.com
    • hping, http://hping.org/
    • Maltego Classic, https://www.paterva.com/web7/buy/maltego-clients/maltego.php
    • MxToolbox Network Tools, https://mxtoolbox.com/NetworkTools.aspx
    • Masscan, https://github.com/robertdavidgraham/masscan
    • Nmap, https://nmap.org/
    • Open Source Intelligence (OSINT) Framework, https://osintframework.com/
    • SHODAN, https://www.shodan.io/
    • VirusTotal, https://www.virustotal.com/; see also How to Generate MD5Sum Hash and Submit to VirusTotal, https://youtu.be/yNjyQ00-EfQ
    • Wireshark, https://www.wireshark.org/
CONTAINMENT
  • Playbooks
    • How to build an incident response playbook, Williams-Shaw, Swimlane. https://swimlane.com/blog/incident-response-playbook/
    • The Société Générale Incident Response Methodologies (IRM), https://github.com/certsocietegenerale/IRM/tree/master/EN
    • Incident Response Consortium, https://www.incidentresponse.com/playbooks/
    • MITRE Cyber Exercise Playbook, https://www.mitre.org/sites/default/files/publications/pr_14-3929-cyber-exercise-playbook.pdf
  • CLI
    • ENISA Good Practice Guide for Incident Management, p. 68, https://www.enisa.europa.eu/publications/good-practice-guide-for-incident-management
    • Command Line for Windows Forensics, https://resources.infosecinstitute.com/commandline-malware-and-forensics/
  • VM
    • Virtual Box, https://www.virtualbox.org/
    • VMware Workstation Player, https://www.vmware.com/products/workstation-player.htm
  • Forensics
    • any.run, https://app.any.run/
    • CAINE, http://www.caine-live.net/
    • Cuckoo Sandbox, https://cuckoosandbox.org/
    • FireEye FLARE VM, https://www.fireeye.com/blog/threat-research/2017/07/flare-vm-the-windows-malware.html
    • FTK Imager Lite, https://accessdata.com/product-download/ftk-imager-lite-version-3.1.1
    • Ghidra, https://www.nsa.gov/resources/everyone/ghidra/
    • Hybrid Analysis, https://www.hybrid-analysis.com/
    • Mandiant Redline, https://www.fireeye.com/services/freeware/redline.html
    • Open Computer Forensics Architecture, http://sourceforge.net/projects/ocfa/
    • REMnux, https://remnux.org/; How to Dynamically Analyze Files Using Munin, https://youtu.be/2WyPK0RXGHE
    • SANS SIFT, https://digital-forensics.sans.org/community/downloads/
    • The Sleuth Kit, http://www.sleuthkit.org/ (+ Autopsy GUI, https://www.sleuthkit.org/autopsy/)
    • Windows Forensic Toolchest ($), http://www.foolmoon.net/security/wft/
  • Evidence Handling
    • Working Group on Digital Evidence, https://swgde.org/
  • Patch Management
    • ConnectWise Automate (Formerly LabTech [$$]), http://www.labtechsoftware.com/
    • PDQ Deploy ($), https://www.pdq.com
  • DNS Sinkholes
    • Brakmic Malware Sinkhole List on GitHub, https://github.com/brakmic/Sinkholes
ERADICATION
  • Bootable ISOs (USB or DVD)
    • Bitdefender Rescue CD, http://download.bitdefender.com/rescue_cd/latest/
    • GMER, http://www.gmer.net/
    • Kali Linux Live, https://docs.kali.org/downloading/kali-linux-live-usb-install
    • Trend Micro Rescue Disk, https://www.trendmicro.com/en_us/forHome/products/free-tools/rescue-disk.html
  • Anti-Virus
    • Armadito Antivirus, https://armadito.com/
    • Avast Free Antivirus, https://www.tomsguide.com/us/avast-free-antivirus,review-2208.html
    • Barkly (AlertLogic [$$]), https://www.alertlogic.com/
    • Bitdefender Antivirus Free Edition, https://www.tomsguide.com/us/bitdefender-antivirus-free,review-3523.html
    • ClamAV, https://www.clamav.net/
    • ClamWin, http://www.clamwin.com/
    • Microsoft Windows Defender, https://support.microsoft.com/en-us/help/14210/security-essentials-download
    • Open Antivirus Project, http://www.openantivirus.org/index.php
RECOVERY
  • Business Impact Analysis
    • https://www.ready.gov/business-impact-analysis
  • Disaster Recovery Plan
    • https://www.ready.gov/business/implementation/IT
    • https://blogs.technet.microsoft.com/mspfe/2012/03/08/a-microsoft-word-document-template-for-disaster-recovery-planning/
    • https://education.alberta.ca/media/3272748/3-it-disaster-recovery-workbook-and-template.docx
    • https://www.cisco.com/en/US/technologies/collateral/tk869/tk769/white_paper_c11-453495.pdf
  • Business Continuity Plan
    • https://www.ready.gov/business/implementation/continuity
    • https://mema.maryland.gov/Documents/FEMA Small Business Continuity Plan Template.docx
    • https://www.bdc.ca/en/articles-tools/entrepreneur-toolkit/templates-business-guides/pages/business-continuity-guide-templates-entrepreneurs.aspx
  • Data Backup & Recovery
    • Acronis (BMR ($$)), https://www.acronis.com
    • BorgBackup, https://www.borgbackup.org/
    • UrBackup, https://www.urbackup.org/
    • Unitrends ($$$), https://www.unitrends.com/
    • Veeam, https://www.veeam.com/
LESSONS LEARNED
  • 6 Phases In The Incident Response Plan, David Ellis, https://www.securitymetrics.com/blog/6-phases-incident-response-plan
  • CornerThought ($?), https://www.lessonslearnedsolutions.com/
  • LessonFlow ($?), https://www.lessonslearnedsolutions.com/
BOOKS
  • Blue Team Handbook: Incident Response Edition: A condensed field guide for the Cyber Security Incident Responder, Don Murdoch. ISBN: 978-1500734756
  • Blue Team Handbook: SOC, SIEM, and Threat Hunting (V1.02): A Condensed Guide for the Security Operations Team and Threat Hunter, Don Murdoch. ISBN: 978-1091493896
  • The Blue Team Field Manual, Ben Clark & Alan J White. ISBN: 978-1541016361
  • The Checklist Manifesto, Atul Gawande. ISBN: 978-0312430009
  • The Red Team Field Manual, Ben Clark. ISBN: 978-1494295509
  • Computer Incident Response and Forensics Team Management, Leighton Johnson. ISBN: 978-1597499965
  • Crafting the InfoSec Playbook, Brandon Enright, Jeff Bollinger, and Matthew Valites. ISBN: 978-1491949405
  • Cybersecurity Incident Response, Eric C. Thompson. ISBN: 978-1484238691
  • Intelligence-Driven Incident Response, Scott J. Roberts. ISBN: 978-1491934944
  • Security Operations Center – SIEM Use Cases and Cyber Threat Intelligence, Arun E. Thomas. ISBN: 978-1986862011
  • The Practice of Network Security Monitoring, Richard Bejtlich. ISBN: 978-1593275099
  • Cybersecurity Canon, https://cybercanon.paloaltonetworks.com/