How to Evaluate the Endpoint Response Tools

Started to think more formally about the incident response but not sure how to properly deal with incidents? Brian Carrier, VP Digital Forensics at Basis Technology, shares his evaluation criteria on picking the collection and analysis tools.

Three considerations to make when assessing the incident response tools:

  • Evolution based on new threats
  • Needs of your security team
  • IT Endpoint Considerations
cyber triage

Try CyberTriage Now!

Get your free evaluation copy today and enhance your incident response capability.

☑ Evolution Based on Threats

Attackers are constantly changing their techniques and looking for different ways of getting in, staying in, and hiding.  So, your triage techniques must evolve too. Consider how your tools support this.

  • If they are largely manual, then you may be responsible for bringing in new tools and techniques.
  • If the tools are automated, then find out how they stay up to date and if you can customize them if you need to look for something that it doesn’t know about.
☑ Security Team Considerations

There are no points buying tools your team doesn’t have the experience or resources to use. Have tools that your team can use and don’t bother with things that your outside help or expert teams will bring in.

If you have more than one person on your IR team, then it is important for your software to support collaboration. This prevents information and knowledge from being in only one person’s head.

An IR expert can do amazing things with manual investigation tools, but your average company won’t have an IR expert and should instead get help from automation.

Investigation Depth
Know how deep your team is expected to go. Many companies will hire outside consultants to do the deep dive, in which case you need to focus only on triage while other companies want to be able to handle everything.

If you have a SIEM or ticketing system, consider if it is important that it integrates with your triage tools. Typically, the more the automated investigation solutions will offer integration options.

It is often important for you to save the data that you collect during the triage. We recommend having a process that allows you to preserve the results, which may mean that you need to do extra steps to copy the results if the tools don’t do it for you.

☑ IT Endpoint Considerations

Now, it’s time to make sure your incident response tools are consistent with the culture of your organization.

Administrator Access
The data needed to triage a host typically requires administrative-level access. So, your options are either:

  • Have a software agent that is always running on the host as admin.
  • Run one or more collection tools that will require an administrator password to run.

If the security team does not have administrator-level access to hosts and there are not agents running, then make sure that your collection solution is easy to use by the local IT person who will likely need to do the collection.

Remote Connectivity
If you have remote offices, then also take into account what connectivity you have between the security team computers and the remote hosts. If connectivity is a challenge, consider asynchronous approaches whereby a local IT or security team member can collect data and then upload it via file share to a place that the main office can copy it from.

Comparison of Incident Response Tools

SysInternals Command Line Tools Cyber Triage Live Response Collection Kansa Volatility
Automated No Yes Partially Partially Partially
Updates Yes* Yes Yes* Yes* Yes*
Collaboration No Yes No No No
Depth Triage Triage, but can be extended. Triage Triage, but can be extended. Triage and Deep Dive
Integration No Yes No No No
Preservation Yes Yes Yes Yes Yes
Administrator Access Run time Run time Run time Run time None
Remote Connectivity Difficult, but yes. Yes Difficult, but yes. Yes None

*It is up to you to know which tools to run and what to look for to update.

Try Cyber Triage Now

When building an incident response capability, you need to take the needs of the IT and security teams into consideration. Many of the tools out there are fairly manual and are used by power users. If your company needs a basic host triage capability, then make sure it has the right levels of automation that you need.