Ransomware Preparation Guide
If you are concerned about ransomware harming your organization, we have put together a detailed checklist of actions that your organization should take to ensure that you are properly protected. While cyber-attacks are becoming more sophisticated, most ransomware attacks are propagated by rudimentary methodologies and can be easily thwarted. Please read on for more tips on how to bolster your organization's defenses.
Conduct a detailed inventory of your information technology assets: If your organization does not have an accurate inventory of hardware and software, you cannot adequately protect those assets. Your hardware inventory should include hardware issued to staff members, laptops, MacBooks, servers, network components, firewalls, proxies, and more. The software inventory should include any software that is used within your organization and what the legitimate business purpose is for the software being leveraged. If there is no legitimate business requirement that has been pre-approved, you should have the software immediately removed. A software and hardware inventory that lists all of the critical business assets that are approved by your organization for use is essential in controlling technology sprawl and protecting your environment. The Center for Internet Security (CIS) has a great template to get you started here: https://www.cisecurity.org/white-papers/cis-hardware-and-software-asset-tracking-spreadsheet/
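The reconciliation step this item describes (every installed title either has a pre-approved business purpose or is flagged for removal, and every host seen on the network appears in the hardware register) can be automated once the two inventories exist. The following is an added example, not code from the CSG-Cyber guide; the approved register, discovery export and host list are constructed sample data, and the column names are assumptions standing in for whatever your asset tracker exports.

```python
"""Reconcile a software discovery export against the approved-software register.

Added example (not from the CSG-Cyber guide). All data below is constructed.
"""
import csv
import io
from collections import defaultdict

# Constructed: the approved-software register, one row per title with the
# pre-approved business purpose and an owner (hypothetical entries).
APPROVED_CSV = """name,business_purpose,owner
Microsoft Office,document production,IT
Google Chrome,web browser,IT
Veeam Backup,backup agent,Infrastructure
"""

# Constructed: a discovery export, one row per (host, installed title).
DISCOVERED_CSV = """host,name,version
WS-001,Microsoft Office,16.0
WS-001,Google Chrome,114.0
WS-001,TeamViewer,15.3
WS-002,Google Chrome,114.0
WS-002,AnyDesk,7.1
SRV-DB1,Veeam Backup,11.0
SRV-DB1,uTorrent,3.6
LAPTOP-TMP,Google Chrome,114.0
"""

# Constructed: hosts present in the hardware register. Anything discovered
# that is not listed here is an unknown asset and needs to be tracked down.
KNOWN_HOSTS = {"WS-001", "WS-002", "SRV-DB1"}


def load_approved(text):
    """Return {normalized title: business purpose} from the approved register."""
    return {
        row["name"].strip().lower(): row["business_purpose"]
        for row in csv.DictReader(io.StringIO(text))
    }


def reconcile(discovered_text, approved_text, known_hosts):
    """Compare discovery against the register.

    Returns a dict with:
      'unapproved'    -> {host: [titles with no pre-approved business purpose]}
      'unknown_hosts' -> sorted hosts seen in discovery but absent from the register
    """
    approved = load_approved(approved_text)
    unapproved = defaultdict(list)
    seen_hosts = set()
    for row in csv.DictReader(io.StringIO(discovered_text)):
        host = row["host"].strip()
        seen_hosts.add(host)
        if row["name"].strip().lower() not in approved:
            unapproved[host].append(row["name"].strip())
    return {
        "unapproved": dict(unapproved),
        "unknown_hosts": sorted(seen_hosts - known_hosts),
    }


if __name__ == "__main__":
    findings = reconcile(DISCOVERED_CSV, APPROVED_CSV, KNOWN_HOSTS)
    for host, titles in findings["unapproved"].items():
        print(f"{host}: remove or get approval for {', '.join(titles)}")
    print("hosts missing from the hardware register:", findings["unknown_hosts"])
```

Run on a schedule against fresh exports, the two findings lists become the work queue for the "remove it" and "add it to the inventory" actions the checklist calls for; the matching is deliberately on normalized title only, so vendors that rename a product between versions still land in the right bucket.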
Legitimate software that is required for business purposes should be assessed from a security standpoint: Even software that is on the Gartner Magic Quadrant and is trusted by thousands of businesses can destroy your business. At the end of the day, software vendors are just companies and they make mistakes. SolarWinds, Kaseya, and many other reputable software vendors have been compromised in recent months and this trend will continue. Ensure that legitimate software is monitored for suspicious activity. Less is more and if your organization is not actively using the software in question, remove it. If suspicious activity is detected on legitimate software within your organization, ensure that swift action is taken on the findings. Your organization should have a prepared methodology to remove or shut down specific software if you determine or suspect that it is compromised. If you'd like to see the damage done by compromised legitimate software, look no further than here: https://www.zdnet.com/article/kaseya-ransomware-attack-what-we-know-now/
Update, Patch, Fix, Repeat: If you are skipping patching systems, you are making a mistake that cyber-attackers salivate over. Keeping software, hardware, and firmware up-to-date is imperative to creating a strong security fabric. The claim that certain systems "cannot be patched because they will break" is no longer a valid excuse. Organizations commonly make the mistake of skipping patches on systems for months or even years out of fear that a fix will cause a service outage. Security patches are created for a purpose and your organization cannot afford to ignore them. Make system patching a priority for IT teams. If executive support for security patching is lacking, that is also an area for improvement. Ensure that patches are deployed on a regular basis, following a pre-set cadence that includes all systems. This means desktops, laptops, firewalls, switches, routers, web applications, servers, firmware, and underlying third-party software on systems. If you are looking for some basic explanations on patching, the Cybersecurity and Infrastructure Security Agency has a good breakdown of just that here: https://us-cert.cisa.gov/ncas/tips/ST04-006
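A pre-set cadence is only useful if something checks it. The following added example (not code from the CSG-Cyber guide) takes an inventory of assets with their class and last-patched date, applies a per-class maximum interval, and lists what is overdue and by how much. The cadence values and the inventory rows are constructed assumptions; set the intervals to whatever your patch policy actually says.

```python
"""Report assets that have fallen behind the patch cadence.

Added example (not from the CSG-Cyber guide). Policy values and inventory
rows are constructed for illustration.
"""
from datetime import date

# Constructed policy: maximum days between patch cycles, per asset class.
# These numbers are hypothetical, not a recommendation from the guide.
CADENCE_DAYS = {
    "desktop": 30, "laptop": 30, "server": 30, "web_app": 30,
    "firewall": 45, "switch": 90, "router": 90, "firmware": 180,
}

# Constructed inventory rows: (asset name, asset class, last patched date).
INVENTORY = [
    ("WS-001", "desktop", date(2021, 7, 20)),
    ("SRV-DB1", "server", date(2021, 3, 2)),
    ("FW-EDGE", "firewall", date(2021, 6, 1)),
    ("SW-CORE", "switch", date(2020, 11, 15)),
    ("ERP-WEB", "web_app", date(2021, 7, 28)),
    ("BMC-SRV1", "firmware", date(2021, 2, 1)),
]

# Constructed "today" so the report is reproducible; use date.today() in practice.
AS_OF = date(2021, 8, 1)


def overdue_assets(inventory, cadence, today):
    """Return [(asset, asset_class, days_overdue)] for every asset whose last
    patch date is older than its class allows, most overdue first.

    An asset class missing from the policy is treated as a 30-day asset rather
    than being skipped, so an inventory typo cannot silently exempt a system.
    """
    result = []
    for asset, asset_class, last_patched in inventory:
        limit = cadence.get(asset_class, 30)
        age = (today - last_patched).days
        if age > limit:
            result.append((asset, asset_class, age - limit))
    return sorted(result, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for asset, asset_class, days in overdue_assets(INVENTORY, CADENCE_DAYS, AS_OF):
        print(f"{asset:10} {asset_class:10} {days:4d} days past cadence")
```

The "most overdue first" ordering is the point of the report: it is the prioritization the item asks IT teams to make, and a switch that has not been touched in nine months lands above a desktop that missed last month's cycle.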
If everyone is an administrator, everybody is a critical threat: Making it easy for users to install software at-will and without delay has been one of the single greatest mistakes that has led organizations to DEFCON 1. ENSURE THAT ADMINISTRATIVE ACCESS AND PRIVILEGES ARE LIMITED TO A SMALL GROUP OF PEOPLE and audit such permissions frequently. Users may need software installed quickly, so plan your request process accordingly. Extended wait times to install software while users wait for a short-handed IT team can be frustrating, so ensure that there is a process implemented to determine levels of criticality for software requests. Watch out for rogue administrative accounts and local administrative accounts as well. Utilizing products such as Microsoft Local Administrator Password Solution (LAPS) is a great way to significantly limit your exposure. It is free and can be downloaded here: https://www.microsoft.com/en-us/download/details.aspx?id=46899. Following the least privilege model shouldn't stop at installing software on systems. Your organization should be conducting regular assessments on critical data and who maintains access to such systems and data. If you have a large file share in which any directory is accessible by anyone in your organization, you have a problem that needs to be remediated quickly. Give users access to only what they need to perform their job duties and remove any excessive permissions. Beyond the threat of ransomware, this is just good practice.
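The two audits this item asks for (who sits in local Administrators groups beyond the approved small set, and which shares give broad groups write access) are straightforward to express once the membership and ACL snapshots have been collected. The following is an added example, not code from the CSG-Cyber guide: the approved-admin set, the per-host membership and the share ACLs are constructed sample data in the shape a group-membership report or share-permission export would produce, and the account and share names are hypothetical.

```python
"""Audit local Administrators membership and over-permissive share ACLs.

Added example (not from the CSG-Cyber guide). Snapshots below are constructed.
"""

# Constructed: the small, approved set of principals allowed in any local
# Administrators group (hypothetical names).
APPROVED_ADMINS = {"CORP\\it-admins", "CORP\\laps-break-glass"}

# Constructed snapshot: local Administrators membership per host.
LOCAL_ADMINS = {
    "WS-001": ["CORP\\it-admins", "WS-001\\Administrator"],
    "WS-002": ["CORP\\it-admins", "CORP\\jsmith", "WS-002\\helpdesk2"],
    "SRV-DB1": ["CORP\\it-admins", "CORP\\Domain Users"],
}

# Constructed snapshot: share -> {principal: access level}.
SHARE_ACLS = {
    "\\\\FS1\\Finance": {"CORP\\finance": "Modify", "Everyone": "Full"},
    "\\\\FS1\\HR": {"CORP\\hr": "Modify"},
    "\\\\FS1\\Public": {"CORP\\Domain Users": "Read"},
}

# Groups that effectively mean "anyone in the organization".
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "CORP\\Domain Users"}


def audit_local_admins(membership, approved):
    """Return {host: [unexpected members]}.

    The built-in local Administrator account is tolerated only under its own
    host's name (the account LAPS manages); every other member outside the
    approved set, including extra local accounts, is reported.
    """
    findings = {}
    for host, members in membership.items():
        builtin = f"{host}\\Administrator"
        extra = [m for m in members if m not in approved and m != builtin]
        if extra:
            findings[host] = extra
    return findings


def audit_shares(acls, broad, writable=("Modify", "Full")):
    """Return [(share, principal, access)] where a broad group can write."""
    return [
        (share, principal, access)
        for share, entries in acls.items()
        for principal, access in entries.items()
        if principal in broad and access in writable
    ]


if __name__ == "__main__":
    for host, extra in audit_local_admins(LOCAL_ADMINS, APPROVED_ADMINS).items():
        print(f"{host}: unexpected local admins {extra}")
    for share, principal, access in audit_shares(SHARE_ACLS, BROAD_PRINCIPALS):
        print(f"{share}: {principal} has {access} access")
```

Read-only access for a broad group is deliberately not flagged, since the item's concern is excessive permissions; if your data classification says a share should not even be readable organization-wide, drop "Read" into the writable tuple for that share's review.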
Backup and Recovery: If you cannot bring your critical business systems and data back from protected backups, this is a monumental issue. With the plethora of backup and recovery solutions on the market today, there are no excuses as to why organizations are left without recovery solutions when their organization's data has been locked by ransomware. Before you choose a technological solution for your backups, you must perform an assessment of what your organization needs to back up, how often, where, who must manage it, and how fast you have to recover to avoid business disruptions. A fatal mistake that organizations commonly make is spending wildly on data backup solutions without going through a proper planning phase to determine these paramount items. Once you have conducted a thorough assessment and created your backup strategy, choose the solution that fits your needs. Cloud-based, local onsite, tape, and other solutions exist and eagerly await your acquisition of them. Ensure that the backup solution(s) are implemented correctly, cover your critical assets, are regularly tested, and are protected from lateral threats once an attack occurs. You should be able to rest easy at night, trusting that your hardened backup strategy is there as your safety net when all else fails.
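The four properties this item ends on (covers critical assets, backups are current, they are tested, and a copy is out of reach of an attacker moving laterally) can be checked mechanically against the backup catalogue. The following added example (not code from the CSG-Cyber guide) does exactly that for a constructed policy and catalogue; the RPO and restore-test intervals, asset names and timestamps are assumptions, and the "isolated_copy" flag stands in for whatever your product reports for offline or immutable copies.

```python
"""Verify backup coverage, freshness, restore testing and isolation.

Added example (not from the CSG-Cyber guide). Policy and catalogue are constructed.
"""
from datetime import datetime, timedelta

# Constructed policy per critical asset (hypothetical values):
#   rpo_hours  - maximum acceptable age of the newest backup
#   test_days  - maximum days since the last successful restore test
POLICY = {
    "SRV-DB1": {"rpo_hours": 4, "test_days": 30},
    "FS1": {"rpo_hours": 24, "test_days": 90},
    "ERP-WEB": {"rpo_hours": 24, "test_days": 90},
    "MAIL-ARCH": {"rpo_hours": 168, "test_days": 180},
}

# Constructed catalogue: newest backup, whether at least one copy is offline
# or immutable (unreachable from the production network), last restore test.
# MAIL-ARCH is deliberately missing: a critical asset nobody is backing up.
CATALOGUE = {
    "SRV-DB1": {"last_backup": "2021-08-01T02:00", "isolated_copy": True,
                "last_restore_test": "2021-07-10"},
    "FS1": {"last_backup": "2021-07-29T23:00", "isolated_copy": False,
            "last_restore_test": "2021-06-01"},
    "ERP-WEB": {"last_backup": "2021-07-31T23:00", "isolated_copy": True,
                "last_restore_test": "2021-02-01"},
}

# Constructed evaluation time so the output is reproducible.
AS_OF = datetime(2021, 8, 1, 6, 0)


def verify_backups(policy, catalogue, now):
    """Return {asset: [problem descriptions]} for every asset that fails a check.

    Assets with no catalogue entry at all are reported first: a missing backup
    is the one failure nothing else on the page can compensate for.
    """
    findings = {}
    for asset, rule in policy.items():
        entry = catalogue.get(asset)
        if entry is None:
            findings[asset] = ["no backup recorded"]
            continue
        problems = []
        age = now - datetime.fromisoformat(entry["last_backup"])
        if age > timedelta(hours=rule["rpo_hours"]):
            hours = age.total_seconds() / 3600
            problems.append(f"newest backup {hours:.0f}h old exceeds RPO of {rule['rpo_hours']}h")
        if not entry["isolated_copy"]:
            problems.append("no offline/immutable copy; reachable from the production network")
        since_test = now - datetime.fromisoformat(entry["last_restore_test"])
        if since_test.days > rule["test_days"]:
            problems.append(f"last restore test {since_test.days}d ago exceeds {rule['test_days']}d")
        if problems:
            findings[asset] = problems
    return findings


if __name__ == "__main__":
    for asset, problems in verify_backups(POLICY, CATALOGUE, AS_OF).items():
        for problem in problems:
            print(f"{asset}: {problem}")
```

Note that the policy, not the catalogue, drives the loop: an asset that was decided to be critical during the planning phase but never made it into the backup job shows up as a finding instead of quietly disappearing, which is the coverage gap this item warns about.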
By default, your systems and software are built for ease of access, not security: New software and hardware is not secure by default. There is a common misconception that out-of-the-box software and hardware is hardened from a security best practices standpoint. This is simply not true in the majority of cases. Vendors create software and hardware to work for your business and facilitate operations for you. If vendors locked their solutions down, you may not be able to install them so easily. Therefore, it is critical to harden the software and hardware that your organization depends on. In this category, there are many FREE resources that your organization can begin implementing today. The Center for Internet Security (CIS) holds a vast library of such hardening best practices and images that you can implement. They can be found here: https://www.cisecurity.org/cis-hardened-images. There are many other sources that you can leverage to harden your defenses and turn your commercial off-the-shelf products into strong components of your overall security program.
Audit your vendors and suppliers: Many attacks on businesses do not originate from within the organization itself, but rather from a trusted business partner, vendor, or supplier. The security practices of such business counterparts can be either an asset to your security or a liability. Ensure that you are regularly assessing where your vendors and suppliers stand on security. There are many assessments that you can send out today to determine what the levels of risk are within such partners and whether you need to place them in a higher or lower risk category. Examples of these partners include managed service providers, telephony vendors, and outsourced agents. They may have access to your company systems and data, but may not follow any form of security best practices. It is your fiduciary responsibility to determine what level of risk these organizations pose to your business and respond accordingly. Some organizations are shocked to learn about the lack of security practices implemented by trusted vendors and suppliers. Do not leave this area to chance. Assess vendors, suppliers, and business associates regularly, assign risk levels, and determine appropriate action when risks are identified. Another golden rule is to never allow a third party to maintain unmanaged and/or unmonitored access into your environment or data. There are many free templates for vendor risk questionnaires, and many paid platforms, that you can utilize in facilitating a vendor risk assessment program from within your organization.
An untrained staff is a critical business risk: OSHA training is mandatory for many organizations, so why shouldn't security training be mandatory as well? For many organizations, such security training is becoming mandatory as per federal, international, state, or industry-specific regulations. However, there is still a large gap in which security training is not required and organizations are missing a keystone of their security program. Staff training should be recurring and interactive. The annual PDF that is sent to all personnel is only scratching the surface. Your organization should seek to either create an internal security awareness training program or seek a vendor that can facilitate this initiative. KnowBe4, Wombat, and Mimecast are solid choices if your organization is looking to spend some $$$. However, we have seen internally-created security awareness training programs that are equally effective at a fraction of the cost. There are even free training options to get your organization started, such as Wizer. That training can be found here: https://www.wizer-training.com/. While there is a free option available, they also have paid options that are in-depth and tailored to your organization.
Strong passwords and multifactor authentication everywhere: Cloud, workstations, laptops, local servers, cloud-based email, smartphones, tablets, online payroll systems, corporate banking, invoicing, accounting systems, cloud data backup systems. If you can think of a solution that your business utilizes, it should be secured with multifactor authentication. Having a strong password policy within your organization is critical. However, it is simply not enough. Guidance on strong password policies can be found at the National Institute of Standards and Technology (NIST) here: https://pages.nist.gov/800-63-3/sp800-63b.html. However, even with strong passwords implemented within organizations, bad things still happen because humans are humans. A phishing attack against an unsuspecting victim can release strong credentials to attackers in an instant. If multifactor authentication does not serve as an extra layer, that strong password is nothing more than a few more characters for the attackers to type on their keyboard before they compromise your entire company. Companies such as Duo, LastPass, Microsoft, and many others specialize in multifactor authentication. In fact, many organizations have multifactor authentication capabilities that they can implement today for free and may not be aware of it. Before you start changing passwords to strong and complex ones and selecting your multifactor authentication software, conduct an inventory of all authentication methods and platforms within your organization. Many organizations make the mistake of implementing solutions before understanding what they have. In turn, your organization may leave critical business assets unprotected by multifactor authentication or strong/complex passwords. Cloud services are often forgotten when it comes time to implement such solutions. Your organization should have a dynamic inventory of every different authentication front that your users interact with. Then, create a plan, choose solutions, implement and maintain them.
Systems should be equipped with protective software: The antimalware, antivirus, and endpoint protection industry is filled with products that can significantly increase your organization's odds of surviving a ransomware or malware attack. However, while most organizations have such software on their systems, it is generally misconfigured or even missing on some systems. Ensure that you understand the capabilities and limitations of your endpoint protection software and hedge your bets accordingly. Ensure that such software is automatically updated and installed on any new systems that reside within your organization. Simply deploying endpoint protection software and not managing it properly can lead to a desperate situation. Ensure that all systems are outfitted, set up appropriate alerting, monitor for suspicious activities, and take action accordingly. Your organization should have a centralized dashboard in which one can see each workstation, server, or laptop from a holistic vantage point. Vendor-default antivirus software is not an enterprise solution if it is not managed or centralized.
Expertise is the most critical aspect of any ransomware preparedness plan or cybersecurity program: If this list appears daunting, keep in mind that there are many items that are not addressed within this list as they are far too technical and in-depth to convey in a short checklist. If your organization does not have personnel that are capable of translating technical information, implementing solutions, and maintaining your security posture, then you are missing the most important element of all. Knowledge in the information security field is rapidly developing and information security professionals are continuously studying emerging threats and novel methods to protect their respective organizations. Many organizations fall victim to the belief that "IT" expertise equals "Security" expertise. While these fields are certainly related, they are not equal. Organizations must begin to recognize that the differences between cybersecurity professionals and IT professionals can be as pronounced as those between chiropractors and plastic surgeons. Ensure that your staff includes information security specialists that understand the nature of cyberattacks and have been specifically trained on this subject. Otherwise, you may be placing unachievable objectives on staff members that are not properly trained in this subject and are merely juggling responsibilities to keep the ship afloat. To combat serious threats such as ransomware, organizations must either retain internal security expertise or procure such professionals from outside the organization.
To recap, there are many ways to protect your organization from ransomware attacks. Some of these methodologies are listed in this guide. However, significant information and insights are not included, as each organization is unique and may require a different approach. Ransomware attackers are hitting organizations with coordinated attacks, crippling environments, and releasing stolen data if ransoms are not paid in a timely manner. Your organization should have protective mechanisms implemented, procedures and policies in place, and expertise to call upon when the time arises. Ransomware is impacting exponentially more organizations year over year. The time to think about ransomware protection is not after your organization has been compromised, but proactively.
For more information on ransomware protection, please contact CSG-Cyber at
[email protected]
Web: csgcyber.com
Phone: 888-399-0794
BEST OPEN-SOURCE INCIDENT RESPONSE TOOLS
When it comes to incident response and forensics, there are many paid options for professionals. However, the treasure trove of open-source free platforms is equally extensive. We have put together a list of some of our favorites in the incident response, forensics, and reporting categories. This does not include all of the tools that are available. However, this list should provide everything that one would need for a well-rounded and robust arsenal of tools and programs. Keep in mind that these programs require expertise and technical knowledge. If you are in the midst of an active security incident or intrusion, contact us here or by emailing us at [email protected].
1. TheHive: A Security Incident Response Platform designed to facilitate the work of security operations center analysts, SIEM administrators, and incident response analysts. https://thehive-project.org/
2. Autopsy: A slick, GUI-based program for digital forensics. This is one program that every incident responder should have in their arsenal.
3. SANS SIFT: "The SIFT Workstation is a compilation of free and open-source incident response and forensic tools." This Linux distro comes packed with many tools and programs to create an all-in-one environment for incident responders and forensic analysts. https://www.sans.org/tools/sift-workstation/
4. Google Rapid Response: "GRR Rapid Response is an incident response framework focused on remote live forensics." https://grr-doc.readthedocs.io/en/v3.3.0/what-is-grr.html
5. Volatility: "Volatility introduced people to the power of analyzing the runtime state of a system using the data found in volatile storage (RAM). It also provided a cross-platform, modular, and extensible platform to encourage further work into this exciting area of research." If you are looking to assess RAM, look no further than Volatility. https://www.volatilityfoundation.org/releases
6. The Sleuth Kit: This robust collection and compilation of tools will help you with analysis of disk images, recovery of files, and further assist in putting a strong case together. https://www.sleuthkit.org/
7. AlienVault OSSIM: An open-source Security Information and Event Management (SIEM) platform that provides event collection and a GUI environment for analysis. Built by security engineers, for security engineers. https://cybersecurity.att.com/products/ossim
8. SIEM Alternatives: If you are looking for other free SIEM platforms, here are a few of the top projects:
Elastic: https://www.elastic.co/
OSSEC: https://www.ossec.net/
Wazuh: https://wazuh.com/
Apache Metron: https://metron.apache.org/
9. CIMSweep: CIM/WMI-based tools that enable incident response and hunting operations to be performed remotely across Windows environments. Using CIMSweep, incident responders can collect large amounts of valuable data from many systems quickly. https://github.com/PowerShellMafia/CimSweep
10. Mozilla MIG: This platform is agent-based and facilitates investigations by collecting data from endpoints. It's fast, easy, and effective for threat hunting and data collection with privacy in mind. https://github.com/mozilla/mig
11. REMnux: If you are looking into reverse-engineering and analyzing malicious software, REMnux provides a nice collection of tools and programs for that purpose. https://remnux.org/
12. Zeek: Zeek is not a firewall or intrusion prevention system. Rather, Zeek sits on a sensor and quietly observes network traffic. "Zeek interprets what it sees and creates compact, high-fidelity transaction logs, file content, and fully customized output, suitable for manual review on disk or in a more analyst-friendly tool like a security and information event management (SIEM) system." https://zeek.org/
13. Wireshark: If you don't have Wireshark in your toolkit, this is a program that you must become familiar with. Network analysis and threat hunting can be complicated. However, getting down to the root level often requires packet analysis. https://www.wireshark.org/
14. Magnet RAM Capture: Imaging of systems is an essential part of the cyber-incident response process and evidence handling. This program facilitates that process by capturing the physical memory of devices. https://www.magnetforensics.com/resources/magnet-ram-capture/
15. NetworkMiner: This open-source forensic analysis tool is used primarily on Windows, but is also available for Linux, Mac, and other operating systems. This is a great tool for running passive network analysis and packet captures. https://www.netresec.com/?page=NetworkMiner
16. Nmap: One of the major prerequisites of incident response is simply knowing where you are on a network and what that network looks like. There are few better tools out there than Nmap to create a network map for your response activities. https://nmap.org/
17. CrowdStrike: CrowdStrike has put together a comprehensive library of open-source tools for many aspects of incident response and forensics. Check out the downloads library here: https://www.crowdstrike.com/resources/community-tools/
18. Kali Linux: Well, this operating system should be familiar to most. However, if not, check out all of this glorious operating system's capabilities here: https://www.kali.org/
19. CAINE (Computer Aided Investigative Environment): This platform boasts over 80 tools that are geared to forensics and reporting. This is a go-to Linux distro for many. https://www.caine-live.net/
20. Paladin: A comprehensive Linux distro built on Ubuntu for forensics. This is another trusted resource for many responders seeking to put together a compelling case. https://sumuri.com/software/paladin/
21. FTK Imager: A perfect toolkit for creating identical copies of data without changing file properties or raw data. https://www.exterro.com/forensic-toolkit