Can DIY Incident Response Scale?

February 3, 2016

If you’ve ever purchased a house or vehicle, you may also, as many people do, have gone to the local hardware store to buy a starter kit of tools. You might not have been sure how often you’d use the tools, but you wanted at least to be prepared for basic repairs so you wouldn’t have to call in expensive specialists.

Once you started to use them though, a somewhat more complicated repair or do-it-yourself (DIY) project may have had you realizing that it would be better also to have some more specialized tools on hand, such as a table saw instead of just a hand-held saw.

Incident response software tools have a similar lifecycle. People who are responsible for their organizations’ incident response often start small by using freely available tools. They expect not to need the tools much: they believe their risk of a cyber security incident is low, and in any case there are few commercial options between free tools and expensive, enterprise-level products.

However, as the organization grows, as threats become more varied or more complex, or as you become more aware of existing problems, the DIY incident response (IR) approach eventually turns out to be more work. It may even result in missed evidence or incorrect conclusions. How can you overcome these challenges?

What is DIY IR?

First, it’s important to understand how do-it-yourself incident response came to be. Traditionally, it involves using a combination of freely available digital forensics and malware analysis tools. Using them is largely a manual process.

When responding to an incident, you need to look in a variety of places for evidence, which may require a variety of tools. Some toolkits have a dozen tools in them that are targeted at collecting a specific type of information, such as running processes, open network ports, or logged in users. Other toolkits have a small number of tools, but each needs to be run several times with different settings to collect all of the data.

To perform DIY IR, you need to be able to:

  • Merge outputs of multiple tools. If you run a dozen freely available tools to collect the data, then you’ll need to analyze a dozen outputs. Some of the outputs will duplicate each other, while others will need to be merged (for example, joined on a process ID) to get the complete picture of what has happened (and may still be happening).
  • Correlate those results. It is often easier to analyze a single system with the knowledge of what exists on other systems in the enterprise. For example, is a file common across your hosts or does it appear on only one? The freely available tools focus on collecting and presenting the data from a single computer, and you will need to find a way to correlate them with other computers in your network.
  • Contextualize your results with previous data. In addition to knowing what is on other computers, it is also easier to respond to a computer when you know what was on it before. This allows you to focus on what is different. The freely available tools focus on collecting and presenting only the current state of the system and do not store what was on it before.

Bonus: you may want to be able to perform additional functions such as GeoIP mapping indicators, comparing results to data in a reputation database, etc. for additional context and insight.
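The three steps above, merge, correlate and contextualize, as an added example that is not part of the original post or of any tool it names. It is a small Python script run over constructed tool output: the host names, process paths, hashes and addresses are made up, and the two input tables stand in for what a responder would have parsed from a process-listing tool and a network-connection tool. It joins the two listings on PID (and reports connections whose process no longer exists, a common merge problem when the tools run at different moments), counts on how many hosts each file hash appears, and diffs one host against an earlier snapshot of itself.

```python
"""Merge, correlate and baseline-diff DIY triage output.

Added example, not code from the original post or from Cyber Triage.
All data below is constructed for illustration.
"""
from collections import Counter

# Constructed output of a process-listing tool, one list per host.
PROCESS_OUTPUT = {
    "host-a": [
        {"pid": 412, "path": "C:\\Windows\\System32\\svchost.exe", "sha256": "aaa111"},
        {"pid": 2077, "path": "C:\\Users\\bob\\AppData\\Roaming\\upd.exe", "sha256": "fff999"},
    ],
    "host-b": [
        {"pid": 398, "path": "C:\\Windows\\System32\\svchost.exe", "sha256": "aaa111"},
    ],
    "host-c": [
        {"pid": 401, "path": "C:\\Windows\\System32\\svchost.exe", "sha256": "aaa111"},
    ],
}

# Constructed output of a network-connection tool, one list per host.
# PID 5100 on host-a has no matching process: it exited between the two
# collections, which the merge step must report rather than silently drop.
NETWORK_OUTPUT = {
    "host-a": [
        {"pid": 2077, "remote": "203.0.113.7:443"},
        {"pid": 412, "remote": "10.0.0.5:445"},
        {"pid": 5100, "remote": "198.51.100.9:8080"},
    ],
    "host-b": [],
    "host-c": [],
}

# Constructed snapshot of host-a from an earlier collection: (path, hash) pairs.
# No snapshot exists for host-b or host-c.
BASELINE = {"host-a": {("C:\\Windows\\System32\\svchost.exe", "aaa111")}}


def merge_host(host):
    """Step 1 (merge): join process and network output on PID.

    Returns the processes, each with the remote endpoints it holds, and
    the connections whose PID is absent from the process listing.
    """
    by_pid = {}
    for conn in NETWORK_OUTPUT.get(host, []):
        by_pid.setdefault(conn["pid"], []).append(conn["remote"])
    procs = [dict(p, remotes=by_pid.get(p["pid"], [])) for p in PROCESS_OUTPUT.get(host, [])]
    known = {p["pid"] for p in procs}
    orphans = [c for c in NETWORK_OUTPUT.get(host, []) if c["pid"] not in known]
    return {"processes": procs, "orphan_connections": orphans}


def prevalence():
    """Step 2 (correlate): number of hosts on which each hash was seen."""
    counts = Counter()
    for procs in PROCESS_OUTPUT.values():
        counts.update({p["sha256"] for p in procs})  # a set, so each host counts once
    return counts


def baseline_diff(host):
    """Step 3 (contextualize): (path, hash) pairs present now but not in the
    earlier snapshot. With no snapshot nothing can be called new, so the
    result is empty rather than 'everything'."""
    if host not in BASELINE:
        return set()
    now = {(p["path"], p["sha256"]) for p in PROCESS_OUTPUT.get(host, [])}
    return now - BASELINE[host]


def triage(host, rare_max_hosts=1):
    """Flag processes whose hash is rare across the enterprise or new since
    the host's last snapshot, carrying their merged network context."""
    counts = prevalence()
    new = baseline_diff(host)
    findings = []
    for p in merge_host(host)["processes"]:
        reasons = []
        if counts[p["sha256"]] <= rare_max_hosts:
            reasons.append(f"hash seen on {counts[p['sha256']]} of {len(PROCESS_OUTPUT)} hosts")
        if (p["path"], p["sha256"]) in new:
            reasons.append("not present in earlier snapshot")
        if reasons:
            findings.append({"pid": p["pid"], "path": p["path"],
                             "remotes": p["remotes"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for host in PROCESS_OUTPUT:
        for f in triage(host):
            print(host, f)
        for c in merge_host(host)["orphan_connections"]:
            print(host, "connection with no live process:", c)
```

On the constructed data only `upd.exe` on host-a is flagged: its hash is seen on one of three hosts and it was not in the earlier snapshot, and the merge attaches its outbound connection to the finding. The `svchost.exe` instances are common to every host and therefore drop out, which is the point of correlation. Without the snapshot, the same script would still catch the rare hash but not the "new since last time" signal, and without the cross-host count it would still catch the new file but not know whether it was unusual.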

Why would anyone want to DIY IR?

Once you understand what DIY IR involves, the next logical question is why anyone would commit to that level of work. The answer is twofold:

  1. People who are learning incident response for themselves often rely on vendor-neutral courses, books, and blogs that commonly teach the DIY method. Those resources stress process and the ability to explain where and how each result was obtained, which paves the way for a properly identified, contained, and remediated incident.
  2. More pragmatically, compared to outsourcing, DIY incident response can appear inexpensive. This is attractive to incident response team members (and their bosses) who have a basic IR plan but lack the budget or the organizational maturity to invest in a solution that integrates incident response with network operations and security.

Either way, these practitioners may see their set of free tools as an easy way to piece together the facts of an incident each time one happens, a couple of times a month if that, or as a way to cut down on a high rate of false positives.

Challenges of DIY IR

As time passes, however, the DIY approach holds together less and less well. Responders have to remember all of the tools and how to use each of them to best effect. Because many free tools were built by experts for experts, they may not be the easiest to use; it is easy, for example, to forget which command line arguments to give them. This is tedious for teams that don’t respond regularly to incidents, and it costs time at exactly the moment when speed and agility are critical to reaching actionable decisions.

To make matters more challenging, DIY tools don’t provide the context of previous incidents or of other hosts in the same incident, nor do they generally support collecting data from multiple hosts at the same time. Not only must responders manually review results for suspicious files, connections, tasks, and user activity; they must also analyze each host in isolation, without the immediate context of data already analyzed from other hosts.

The two challenges together make for an error prone process, as manual review without context can lead analysts — especially those with less experience — to draw the wrong conclusions or miss important indicators.

The solution: automated triage

As you may have experienced for yourself, few DIY home or vehicle owners end up committing time and energy to learning professional carpentry, plumbing, or mechanical skills. Instead, you take a more practical approach, choosing to triage repairs: to identify problems, fix the ones you can, and call in experts when it becomes clear you’re in over your head with heavily damaged infrastructure.

As a cyber incident responder, you’d likewise want to invest in purpose-made tools that enable you to respond more professionally without needing to hire consultants for every little problem, or to deploy an infrastructure that may be too large and unwieldy for your organization. Cyber Triage is one tool that enables you to use contextual data to decide how to respond to each incident.

Using Cyber Triage, you can respond at scale, obtaining and fusing different data types from a range of computers without much effort. It contextualizes indicators both historically and in the present by merging multiple tools’ outputs into a fuller picture of what’s going on, and it correlates your results, showing how different systems and indicators relate to one another as well as to larger GeoIP and reputation trends.

Cyber Triage is built for the DIY incident responder who seeks to save time and energy, yet still wants to be able to communicate effective results to their leadership or to expert forensic incident response teams. Contact us for a demo of how you can put it to work for your organization.


photo credit: Jo’s new best friend: an electric screwdriver via photopin (license)