
5 Open-Source Incident Response Tools for MSSPs


Guest blog courtesy of LimaCharlie.

For MSSPs looking to develop an incident response (IR) service offering, open-source digital forensics and incident response (DFIR) tools are an indispensable resource.

There are several reasons why this is the case:

First, though most MSSPs already have access to endpoint detection and response (EDR) technologies, they may not have the specialized digital forensics and incident analysis tools required in IR engagements. Open-source DFIR solutions are frequently of excellent quality and can be a cost-effective way to build out an incident response practice.

In addition, because these tools are both open-source and designed by and for DFIR experts, they tend to be highly customizable as well.

Finally, with a bit of engineering, multiple open-source tools can be combined to form a comprehensive, scalable incident response stack.

If you’re an MSSP attempting to build or expand your IR capabilities, here are five open-source IR solutions worth exploring:

Velociraptor

Velociraptor is a multi-function solution that can be used for endpoint monitoring, proactive threat hunting, and digital forensics. For IR work, Velociraptor shines as an artifact collection and triage acquisition tool. The Velociraptor Query Language (VQL) lets users define exactly what forensic artifacts are to be collected in an extremely fine-grained way, enabling incident responders to pull forensic evidence from endpoints including event logs, registry hives, file transfer data, web browser activity, prefetch files, PowerShell console log data, and much more.

Hayabusa

Collecting forensic artifacts is a first step in incident response scenarios. But making sense of all of that data—and visualizing it in a way that allows IR teams to understand precisely what happened prior to their arrival on the scene—requires additional tooling. Hayabusa helps teams parse forensic data by automatically building timelines from Windows Event Log files. Hayabusa uses its own built-in detection rules as well as Sigma rules to find events of interest in the raw log data and create a timeline of forensically interesting events in .CSV format. The resulting timeline can then be analyzed directly or in a preferred exploration tool.

Plaso

Plaso, also known as log2timeline, is another, even more comprehensive timeline generation tool. Teams can feed all manner of forensic data into Plaso and receive an extraordinarily rich and detailed timeline in return. The parsing and processing work is automatic. The only caution is that Plaso (understandably) requires some serious processing power in order to accomplish all of this. Thus, teams that want to use this tool must first ensure that they have the appropriate infrastructure in place to support the Plaso engine.

Timesketch

IR is usually a team effort, which is why collaboration tools feature prominently in the day-to-day work of incident responders. Timesketch is a tool that allows IR teams to upload timelines generated by solutions like Hayabusa and Plaso for collaborative exploration and analysis. Timesketch supports timelines stored in CSV, JSON, and Plaso formats. Once a forensic timeline is uploaded to a Timesketch server, it can be explored via OpenSearch query language or query string queries. When team members find an event of interest, they can annotate, highlight, or tag it. Pertinent timeline data can also be added to a Timesketch “story” to develop a narrative of the incident for reporting and sharing.
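To make the Hayabusa and Timesketch steps above concrete, here is an added example (not code from LimaCharlie, Hayabusa, or Timesketch) that walks through the same pipeline in miniature: a handful of constructed Windows event records are matched against simplified Sigma-style rules, the hits are turned into a sorted timeline, and the timeline is written as a CSV that satisfies Timesketch's three mandatory import columns (`message`, `datetime`, `timestamp_desc`). The event field names, rule titles, and the `RULES` and `SAMPLE_EVENTS` data are assumptions made for illustration; real Hayabusa rules and real .evtx parsing are far richer than this.

```python
"""Miniature Hayabusa-to-Timesketch pipeline (added example, not project code).

Flow: event dicts -> Sigma-style selection matching -> sorted timeline rows
-> CSV with Timesketch's required columns first.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample events, as if already parsed out of .evtx files into dicts.
# Deliberately out of chronological order to show that the timeline is sorted.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-03-01T10:25:59Z", "Computer": "WS01", "Channel": "Security",
     "EventID": 1102, "SubjectUserName": "jdoe"},
    {"TimeCreated": "2024-03-01T10:15:02Z", "Computer": "WS01", "Channel": "Security",
     "EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.0.0.25"},
    {"TimeCreated": "2024-03-01T10:14:30Z", "Computer": "WS01", "Channel": "Security",
     "EventID": 4624, "LogonType": 2, "TargetUserName": "jdoe", "IpAddress": "-"},
    {"TimeCreated": "2024-03-01T10:20:11Z", "Computer": "WS01", "Channel": "Security",
     "EventID": 4720, "TargetUserName": "svc_backup", "SubjectUserName": "jdoe"},
    {"TimeCreated": "2024-03-01T10:22:05Z", "Computer": "WS01", "Channel": "System",
     "EventID": 7036, "param1": "Print Spooler", "param2": "running"},
]

# Hypothetical rules reduced to a Sigma-like "selection": every key must match,
# and a list value means "any of these" (Sigma list semantics).
RULES = [
    {"title": "Security Event Log Cleared", "level": "high",
     "selection": {"Channel": "Security", "EventID": 1102}},
    {"title": "Remote Logon (network or RDP)", "level": "medium",
     "selection": {"Channel": "Security", "EventID": 4624, "LogonType": [10, 3]}},
    {"title": "User Account Created", "level": "medium",
     "selection": {"Channel": "Security", "EventID": 4720}},
]

# Columns Timesketch requires in a CSV import.
TIMESKETCH_REQUIRED = ("message", "datetime", "timestamp_desc")
CORE_FIELDS = ("TimeCreated", "Computer", "Channel", "EventID")


def match_rule(event, rule):
    """True when every selection field is present in the event and matches."""
    for field, wanted in rule["selection"].items():
        if field not in event:
            return False
        allowed = wanted if isinstance(wanted, list) else [wanted]
        if event[field] not in allowed:
            return False
    return True


def build_timeline(events, rules):
    """Emit one timeline row per (event, matching rule), sorted by timestamp."""
    rows = []
    for event in events:
        for rule in rules:
            if not match_rule(event, rule):
                continue
            ts = datetime.strptime(event["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
            ts = ts.replace(tzinfo=timezone.utc)
            extra = {k: v for k, v in event.items() if k not in CORE_FIELDS}
            rows.append({
                "message": f"[{rule['level'].upper()}] {rule['title']} "
                           f"(EventID {event['EventID']}) on {event['Computer']}",
                "datetime": ts.isoformat(),          # ISO 8601 with UTC offset
                "timestamp_desc": "Event Logged",
                "computer": event["Computer"],
                "channel": event["Channel"],
                "event_id": event["EventID"],
                "rule_title": rule["title"],
                "level": rule["level"],
                "details": "; ".join(f"{k}={v}" for k, v in sorted(extra.items())),
            })
    rows.sort(key=lambda r: r["datetime"])
    return rows


def to_timesketch_csv(rows):
    """Serialise rows as CSV; mandatory Timesketch columns come first."""
    columns = list(TIMESKETCH_REQUIRED)
    if rows:
        columns += [c for c in rows[0] if c not in TIMESKETCH_REQUIRED]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_timesketch_csv(build_timeline(SAMPLE_EVENTS, RULES)))
```

Running the script prints a four-line CSV (header plus three hits: the RDP logon, the account creation, and the log clear, in that order) that could be handed to Timesketch's importer. The non-mandatory columns (`computer`, `event_id`, `rule_title`, and so on) become searchable attributes once imported, which is what makes filtering by rule title or host straightforward in the Timesketch explore view.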

DFIR-IRIS

DFIR-IRIS is a free and open-source case management platform for incident responders. It was created with the goal of helping IR teams share technical details more easily during investigations but now offers a more comprehensive set of features. DFIR-IRIS can be deployed on a web server or even run on a laptop in offline mode for field operations. The platform lets responders manage cases in an organized and methodical way: adding indicators of compromise, making case notes, assigning tasks to specific team members, and providing templates for detailed reporting and documentation. DFIR-IRIS can also be extended through a system of modules and offers API access to enable automation and additional integrations with other tools.

Integrating Open-Source DFIR Tools with LimaCharlie

At LimaCharlie, we believe strongly in the value of free and open-source tools. However, we’ve also seen MSSPs struggle to integrate and manage open-source solutions when they attempt to scale their operations.

For this reason, the LimaCharlie SecOps Cloud Platform (SCP) offers a system of templates, integrations, and extensions to help MSSPs leverage open-source technologies more effectively.

By using the SCP, security practitioners can incorporate open-source components into their stack in an efficient and scalable manner—managing multiple solutions from within a single platform and abstracting heavy processing workloads for compute-intensive tools like Plaso. Best of all, the SecOps Cloud Platform makes it possible to chain together several open-source tools to create powerful, scalable, and fully automated workflows.

For a high-level overview of how this works in IR scenarios, see our webinar with Eric Capuano, DFIR specialist, SANS instructor, and LimaCharlie’s Director of Training and Product Enablement, entitled Automating Incident Response Workflows with LimaCharlie.

For a deeper technical dive into the SCP for DFIR use cases, see the documentation for our Velociraptor, Hayabusa, and Plaso extensions or explore the preconfigured DFIR Automation template in our Infrastructure-as-Code (IaC) Generator.
