Transcript of CSIRT Tools - fedvte.usalearning.gov
CSIRT Tools
Table of Contents
Notices
CSIRT Tools
CSIRT Tools
Caveat
Necessary Tools
Data and Tools
Other CSIRT Tools
Custom Documents
Key Points
Page 1 of 12
Notices
Managing CSIRTs © 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution.
CSIRT Tools
**033 This next section talks about some of the software tools that are specifically used in a CSIRT.
CSIRT Tools
Not many tools exist specifically for incident handling work.
• Many CSIRTs adapt tools used by system and network administrators in their work.
• Other tools often have to be built by CSIRTs or customized for their environment.
As a manager, you must work with your team to identify and acquire the tools needed for your staff to perform their tasks.
**034 There was a time when there weren't that many tools available for a CSIRT to do their tasks. Now there are more tools than there used to be; however, it's still important to adapt them from the environment that they were originally developed in for use within CSIRTs. It may be the case then that you need to have software developers on your CSIRT staff who can make tools that your CSIRT requires to do their job effectively. That's a business decision. Can you afford to have a full-time or even a part-time staff of developers who craft tools, who work with CSIRT staff to understand what those tools do and need to do? Or do you simply look around to buy them, maybe from third parties, maybe from contractors, when you need them? Nonetheless, you're going to need tools that are going to be very helpful for the CSIRT staff to track incidents, to keep track of all of the information. We'll talk more about that shortly.
Caveat
We encourage each organization to thoroughly evaluate new tools and techniques before installing or using them.
• When installing and using any security tool, read and follow all available directions.
• Ensure that the tool conforms to your organization’s policies and procedures.
• Keep sensitive files (such as MD5 checksums) and log files off-line or on read-only media.
**035 We also strongly recommend that for any of the tools you understand what they do and what they don't do. Make sure that you have thoroughly investigated them, that they do all the things you need to do, that you have tested them in some type of a sandbox to see if they may be transmitting information that's not documented and unexpected, and that they conform to your policies and procedures. You may need to have people who are somewhat specialists in tool testing, treating tools perhaps as a piece of malware and investigating them the same way you'd investigate malware, to see if they do what you need them to do.

Finally, once you've verified that you have a tool that does what you need it to do, consider putting yourself in the position of having to reinstall your systems using the media that you've got to build the tools. Can you find that media? Can you install that? Can you configure that? Can you bring it up to date with respect to how you've been using it? You need to take all these things into consideration.
Necessary Tools
Depending on your team’s mission and provided services, you may need tools for
• storing, analyzing, and tracking CSIRT data
• monitoring CSIRT systems and networks
• monitoring your constituency systems and networks
• file integrity checking and verification
• encryption/decryption
• secure communications
• analyzing logs, files, and artifacts
• correlating, trending, and visualizing data and incidents
• identifying addresses and contacts
• capturing and storing forensic evidence
• internal and external communications and information dissemination
• general computer network defense tools
• lab, simulations, and virtual systems
**036 Here is a collection of tools at the top level describing the kinds of things that a CSIRT does and the tools you need to support that. You need tools for storing, analyzing and tracking CSIRT data, because you need to generate reports for your constituency, for funding reasons, for a variety of reasons, and one of the things that's really important about the data that you track is to regularize it. For example, by indicating that you have a vulnerability in a Windows tool, maybe you need to be more specific. Is it Windows 10? Is it Windows 8.1? Is it Windows XP? So you need to be able to conform tools to the kinds of information you want to capture.

Monitoring the CSIRT systems and networks. There are lots of open source tools and lots of purchased tools that you can get to do this. Monitoring your constituency systems and networks, if you happen to be needing to do that, if that's one of your services. File integrity checking and verification-- PGP, checksums, MD5, SHA-256. These tools are virtually ubiquitous and typically free.

Encryption and decryption, PGP or maybe certificate-based. Secure communications. There's lots of VPN software, including VPNs from handhelds and tablets as well as laptops. Analyzing log files and artifacts. There are lots of tools to do this, but this may be a time when, if your CSIRT staff has the ability to craft scripts, they're able to actually write programs that do this analysis for you. If your staff is going to learn programming skills to do this kind of activity, we strongly recommend that you look at a programming language like Python as the way to do that. Trending, correlating and visualizing data and incidents. This is very helpful for doing presentations, for doing brochures for customers, to be able to talk about information as it's changed over time. Identifying addresses and contacts for your constituency. Capturing and storing forensic evidence. There are many, many free tools for doing this and many free platforms and tools for analyzing that evidence.

Internal and external communications and information dissemination. Wikis-- there's software for doing wikis, web servers, online discussions, group chats, what have you.

Normal computer defense tools. Again, lots of these are public domain and for purchase as well. And then finally, lab simulations and virtual systems. There's lots of tools for running virtual machines. In some cases, you may be dealing with artifacts-- for example, malware-- that's virtual-machine-aware that simply doesn't run under a virtual machine, in which case you need to run those pieces of malware on regular hardware machines. For doing simulations, like if you want to simulate the internet or you want to simulate a web server or something else on a network in a lab, there's lots of tools for doing that.

So these are general categories of tools you need to support your
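The file integrity category above (checksums, SHA-256) and the earlier caveat about keeping checksum files off-line are the kind of thing staff can script in Python. What follows is an added example, not part of the FedVTE course material: it hashes a directory tree with SHA-256, saves a baseline that can then be copied to read-only media, and reports files added, removed or changed since the baseline. The evidence directory and baseline file names are constructed sample values.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large evidence files never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def save_baseline(baseline, out_file):
    """Write the baseline as JSON; the file should then be moved to read-only media."""
    Path(out_file).write_text(json.dumps(baseline, indent=2, sort_keys=True))

def load_baseline(in_file):
    return json.loads(Path(in_file).read_text())

def compare_baseline(baseline, current):
    """Report paths that appeared, disappeared, or whose digest changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline
                          if p in current and baseline[p] != current[p]),
    }

if __name__ == "__main__":
    # Constructed sample: scratch evidence tree, baseline stored beside it
    # (stand-in for read-only media), then three kinds of tampering.
    with tempfile.TemporaryDirectory() as scratch:
        tree = Path(scratch) / "evidence"
        tree.mkdir()
        (tree / "a.txt").write_text("alpha")
        (tree / "b.txt").write_text("beta")
        save_baseline(build_baseline(tree), Path(scratch) / "baseline.json")
        (tree / "b.txt").write_text("beta, tampered")   # changed
        (tree / "c.txt").write_text("gamma")            # added
        (tree / "a.txt").unlink()                       # removed
        baseline = load_baseline(Path(scratch) / "baseline.json")
        print(compare_baseline(baseline, build_baseline(tree)))
        # {'added': ['c.txt'], 'removed': ['a.txt'], 'changed': ['b.txt']}
```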
Data and Tools
Although the types of data needed will vary to some degree, the following are typical data and tools to use. See “Smart Collection and Storage Method for Network Traffic Data” (CMU/SEI-2014-TR-011) for strategies about managing monitoring data.
Data type: Flow or session (metadata)
Tool(s) typically used: Usually dedicated analysis tools

Data type: Logs, IDS/IPS alerts, augmented metadata, other alerts. Can include
• host-based IPS/AV logs
• passive DNS data (pDNS)
• proxy logs (web, email)
• asset and fingerprinting data
• and more
Tool(s) typically used: SIEM or other dedicated analyst console

Data type: Full packet capture (FPCAP)
Tool(s) typically used: Wireshark, Network Miner, tcpdump, others – very important to integrate with other tools to provide easy access and indexing

Data type: Reporting from non-technical sources
• users – phone, email, other
• external sources – phone, email
Tool(s) typically used: These types of events are usually recorded in shift logs and/or ticketing systems where appropriate.
**037 So when you're thinking about a data analysis person, the person in your CSIRT who's analyzing data, they need to have tools that deal with these kinds of things. For example, flow or session data of a network. There's lots of tools that are able to do this. One of them is SiLK from CERT. That's a public domain tool. Then you need to deal with logs, IDS alerts, other types of alerts, metadata. These could include all of these sorts of things. So you need to think of some kind of console for your analysts that are able to deal with these kinds of things.

Full packet capture-- there's many tools, Wireshark being one of the most preeminent ones, for dealing with those, for summarizing, for viewing packet data. Very important tool. Lots of books, well documented, runs on all the systems, whatever.

And then getting reports from nontechnical sources, these tools can be very helpful. Finally, there's a CMU SEI technical report from 2014, Technical Report 011, that can give you some information about managing and strategies for managing and monitoring data.
Other CSIRT Tools
Access to other CSIRT resources that can help facilitate CSIRT work include
• security mailing lists
- US-CERT mailing lists
- bugtraq
- vendor mailing lists
• incident and vulnerability databases and taxonomies
- CERT/CC Knowledgebase
- CVE – Common Vulnerabilities and Exposures
- CVSS – Common Vulnerability Scoring System
**038 Other resources that the CSIRT needs access to in order to do their jobs are mailing lists where you can find information about security. US-CERT is one mailing list sponsored by DHS and the U.S. government. Bugtraq is another list where lots of bugs are posted so that people can track them. And then vendor mailing lists for the vendors of software and systems not only in the CSIRT but also in your constituencies. From an incident and vulnerability database and taxonomy perspective, here are some that can be very helpful: the CERT/CC Knowledgebase that talks about vulnerabilities, and then the CVE, the Common Vulnerabilities and Exposures database, and CVSS, the Common Vulnerability Scoring System. If you are doing vulnerability work and vulnerability handling, these are very important resources to use when doing that job.
Custom Documents
Standardized replies and “technical tips” save time in answering frequently asked questions.
• reusable text from email messages
• interactive reporting forms
• pointers to resources available on your website
- “how-to” documents
- in-house tutorials or training
- frequently asked questions (FAQs)
- current activity or “what’s new”
- custom or personalized web pages
- advisories or alerts
- incident or vulnerability notes
- other information
**039 We also recommend that from a publishing point of view you create custom documents that people can use to provide information to the constituency or around the staff. Standardized replies and technical tips can really save a lot of time in providing information. You can get reusable text for email messages. Once you decide on something that is grammatically correct, that is succinct, that is accurate, you can put that in a database or other repository and people can reuse that to answer questions asked by different people.

You can have interactive reporting forms to make it easier for people to report incidents. Finally, you can also provide all of these on your web server: how-to documents, how to do something; in-house tutorials or training, how to encrypt an email message with PGP under this type of mailing system, for example; Frequently Asked Questions so that people can research those, and make sure that your Frequently Asked Questions are searchable so that people can find what they need to find; Current Activity or What's New kinds of information. Customized or personalized web pages for your various constituency can make a constituent important to your organization because it's personalized.

Advisories and alerts are typically something that you're going to send to your constituency to encourage them to take some action very quickly. Incident and vulnerability notes. These may be notes that are inside your CSIRT where you're keeping track of information so that people can share it on your staff. And then other information that people can find. Again, all these need to be indexed in some fashion so you can find all the documents that are relevant to a topic at hand as quickly as you can.
Key Points
CSIRTs must be a model for how IT assets should be protected.
Systems and networks must be securely configured and maintained.
Each CSIRT will require its own set of tools for incident work.
Online data must be stored in secure locations and transmitted over secure links.
**040 So here are the key points in this module. The CSIRT must be a model for how IT assets should be protected. Do it and show it off, show other people how to do it, especially your constituency, so that they can see one way that managing an IT system can be done securely. Networks and systems must be securely configured and maintained every day, 24/7. Each CSIRT needs its own set of tools. Typically you're going to have to adapt tools that may have been written for some other purpose for use within your CSIRT. This is a common practice. Don't hesitate to do it. And any data must be stored securely and transmitted over secure links, which means encryption, which means hidden from prying eyes, no matter where that data resides.