
IR STEPS & LINKS
PREPARATION
- IR Plans
- NIST Computer Security Incident Handling Guide, SP 800-61r2, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
- Good Practice Guide for Incident Management, https://www.enisa.europa.eu/publications/good-practice-guide-for-incident-management
- Insider’s Guide to Incident Response, https://www.alienvault.com/resource-center/ebook/insider-guide-to-incident-response
- The Incident Handler’s Handbook, https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
- Tips for Starting an Incident Response Team, https://zeltser.com/security-incident-response-program-tips/
- Asset Management
- Zoho Creator IT Asset Tracker, https://www.zoho.com/creator/apps/it-asset-tracker.html
- Open-AudIT, https://www.open-audit.org/
- PDQ Inventory, https://www.pdq.com
- Spiceworks, https://www.spiceworks.com/free-asset-management-software/
- SysAid, https://www.capterra.com/p/107225/SysAid/
- Out-of-Band Communications (channels that keep working if corporate email or chat is compromised)
- Secure Email
- CounterMail, https://countermail.com/
- Hushmail, https://www.hushmail.com/
- ProtonMail, https://protonmail.com/
- Mailfence, https://mailfence.com/
- Teleconferencing
- Google Hangouts, https://hangouts.google.com/
- Zoom, https://zoom.us
- Uber Conference, https://www.uberconference.com/
- Texting
- Line, https://line.me/
- Signal, https://signal.org/
- Viber, https://www.viber.com/
- Ticketing
- TheHive Project, https://thehive-project.org/
- Snipe-IT, https://snipeitapp.com/
- Spiceworks, https://www.spiceworks.com/free-asset-management-software/
- Use Cases
- 2018 Popular SIEM Starter Use Cases, https://securityboulevard.com/2018/07/2018-popular-siem-starter-use-cases/
- Targeted SOC Use Cases for Effective Incident Detection and Response, https://digital-forensics.sans.org/media/Targeted-SOC-Use-Cases-for-effective-Incident-Detection-and-Response-Angelo-Perniola-David-Gray.pdf
- Top 10 SIEM Use Cases to Implement, https://www.logpoint.com/en/understand/top-10-use-cases-implement/
- Top 6 SIEM Use Cases, https://resources.infosecinstitute.com/top-6-seim-use-cases/
- Testing
- Incident Handling Annual Testing and Training, https://www.sans.org/reading-room/whitepapers/incident/incident-handling-annual-testing-training-34565
- Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, NIST 800-84. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-84.pdf
- Training
- National Cybersecurity Awareness Month (NCSAM)
- Stay Safe Online, https://staysafeonline.org/ncsam/
- DHS, https://www.dhs.gov/publication/national-cyber-security-awareness-month-resources
- Cybrary, https://www.cybrary.it/
- ICS CERT Virtual Learning, https://ics-cert-training.inl.gov/learn
- SANS Cyber Aces, https://www.cyberaces.org/
- TED Talks, https://www.springboard.com/blog/12-must-watch-cybersecurity-ted-talks/
- Open Security Training, http://opensecuritytraining.info/Training.html
- Open Cyber Challenge Platform, https://opencyberchallenge.net/
- Checklists
- Incident Response Jumpkit Checklist
- Critical Log Review Checklist for Security Incidents
- Cheat Sheets
- DDOS incident cheat sheet
- Security-incident-questionnaire-cheat-sheet
- Security-incident-survey-cheat-sheet
- Forms
- Incident Response Reporting Form
- IR Chain of Evidence
IDENTIFICATION
- Threat Intelligence
- hslatman's GitHub: A curated list of Awesome Threat Intelligence Resources, https://github.com/hslatman/awesome-threat-intelligence
- Cisco Talos, https://www.talosintelligence.com/
- HoneyDB, https://riskdiscovery.com/honeydb/
- Malware Domains, http://www.malwaredomains.com/
- Talos Aspis, https://www.talosintelligence.com/aspis/
- threatfeeds.io, https://threatfeeds.io
- Honeypots
- GitHub list of Honeypots, https://github.com/paralax/awesome-honeypots
- Honeyd, http://www.honeyd.org/
- Valhalla Honeypot, https://sourceforge.net/projects/valhalahoneypot/
- HoneyTrap, https://github.com/honeytrap/honeytrap
- SIEM & IDS
- AlienVault OSSIM (Open Source SIEM), https://www.alienvault.com/products/ossim
- OSSEC (host-based IDS), https://ossec.github.io/
- Suricata (network IDS), https://suricata-ids.org/
- Security Onion, https://securityonion.net/
- Snort (network IDS), https://www.snort.org/
- Notebooks
- Post-It Easel Pads, (~$30)
- Rocketbook Everlast Reusable Smart Notebook, (~$30)
- Network Monitoring
- Cacti, https://www.cacti.net/index.php
- Icinga 2, https://icinga.com/products/icinga-2/
- Nagios Core, https://www.nagios.org/projects/nagios-core/
- Prometheus, https://prometheus.io/
- Logs
- Critical Log Review Checklist for Security Incidents, https://zeltser.com/security-incident-log-review-checklist/
- Fluentd, https://www.fluentd.org/
- Graylog, https://github.com/Graylog2/graylog2-server
- LOGalyze, http://www.logalyze.com/
- Logstash, https://www.elastic.co/products/logstash
- Logwatch, https://sourceforge.net/projects/logwatch/
- Kiwi Syslog ($), https://www.solarwinds.com/kiwi-syslog-server
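One of the starter SIEM use cases the guides above point at, password guessing against SSH, worked through as an added example (not code from Zeltser's checklist or any linked vendor). It runs over constructed sshd syslog lines; the threshold, window and assumed year are tunables, not values from the source, and the second alert kind (a success from a source that was just guessing) is the one worth paging on.

```python
"""Starter SIEM use case: SSH password guessing in auth logs.

Added example; not code from any of the linked guides. It parses
constructed OpenSSH syslog lines and flags a source IP once THRESHOLD
failed logins land inside a sliding WINDOW_SECONDS, then escalates if
that IP later gets an "Accepted".
"""
import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5          # assumed tuning values; adjust to the environment
WINDOW_SECONDS = 60

# Constructed sample input in the traditional syslog format sshd writes.
SAMPLE_LOG = """\
Mar  4 10:15:01 web1 sshd[2213]: Failed password for root from 198.51.100.7 port 51322 ssh2
Mar  4 10:15:03 web1 sshd[2215]: Failed password for root from 198.51.100.7 port 51324 ssh2
Mar  4 10:15:04 web1 sshd[2216]: Failed password for invalid user admin from 198.51.100.7 port 51325 ssh2
Mar  4 10:15:06 web1 sshd[2218]: Failed password for invalid user test from 198.51.100.7 port 51330 ssh2
Mar  4 10:15:07 web1 sshd[2219]: Failed password for root from 198.51.100.7 port 51331 ssh2
Mar  4 10:15:09 web1 sshd[2220]: Accepted password for root from 198.51.100.7 port 51333 ssh2
Mar  4 10:15:10 web1 CRON[2221]: (root) CMD (run-parts /etc/cron.hourly)
Mar  4 10:20:00 web1 sshd[2301]: Failed password for alice from 203.0.113.9 port 40001 ssh2
Mar  4 10:41:00 web1 sshd[2402]: Failed password for alice from 203.0.113.9 port 40002 ssh2
Mar  4 10:41:03 web1 sshd[2403]: Accepted publickey for alice from 203.0.113.9 port 40003 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted)\s+\w+\s+for\s+(?:invalid user\s+)?"
    r"(?P<user>\S+)\s+from\s+(?P<ip>\S+)\s+port\s+\d+"
)


def parse_line(line, year=2024):
    """Return {'ts','result','user','ip'} for an sshd auth line, else None.

    Traditional syslog timestamps carry no year, so one is assumed.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the space-padded day field
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_password_guessing(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return alert tuples (kind, ip, timestamp) in the order they fire."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    flagged = set()              # ips already alerted on, to avoid alert storms
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue             # non-sshd or non-auth traffic
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            q = recent[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window:
                q.popleft()      # drop failures that fell out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("password_guessing", ip, ts))
        elif ip in flagged:      # "Accepted" from a source already seen guessing
            alerts.append(("success_after_guessing", ip, ts))
    return alerts


if __name__ == "__main__":
    for kind, ip, ts in detect_password_guessing(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {kind} from {ip}")
```

The two failures from 203.0.113.9 are 21 minutes apart, so the sliding window discards the first before the second arrives and nothing fires; that is the difference between a rate rule and a plain count, and the reason the window and threshold need tuning against real traffic before the rule goes into a SIEM.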
- NTP
- Google Public NTP, https://developers.google.com/time/
- NIST Internet Time Servers, https://tf.nist.gov/tf-cgi/servers.cgi
- NTP Pool Project, https://www.pool.ntp.org/zone/us
- Time Tools, https://timetoolsltd.com/information/public-ntp-server/
- US Navy NTP Network Time Servers, https://tycho.usno.navy.mil/NTP/
- Vulnerability Scanner
- Burp Suite (Community Edition), https://portswigger.net/burp/communitydownload
- Nessus Essentials (free for up to 16 IPs), https://www.tenable.com/products/nessus/nessus-essentials
- OpenVAS, https://www.openvas.org/ (+ Seccubus front end, https://www.seccubus.com/)
- OWASP ZAP, https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
- Forensics
- CentralOps, https://centralops.net/co/
- Google, https://google.com
- hping, http://www.hping.org/
- Maltego Classic, https://www.paterva.com/web7/buy/maltego-clients/maltego.php
- MXToolbox, https://mxtoolbox.com/NetworkTools.aspx
- Masscan, https://github.com/robertdavidgraham/masscan
- Nmap, https://nmap.org/
- Open Source Intelligence (OSINT) Framework, https://osintframework.com/
- SHODAN, https://www.shodan.io/
- VirusTotal, https://www.virustotal.com/ (How to Generate MD5Sum Hash and Submit to VirusTotal, https://youtu.be/yNjyQ00-EfQ)
- Wireshark, https://www.wireshark.org/
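Hashing a suspect file for the chain-of-evidence record and checking it on VirusTotal, as an added example that covers both the "IR Chain of Evidence" form under PREPARATION and the VirusTotal entry above; it is not code from the page, the linked video, or VirusTotal. The EICAR test string is used as a constructed sample, the VT_API_KEY variable name is an assumption, and the lookup is by hash only, because uploading a document pulled from an incident can hand it to third parties and should happen only under an explicit policy.

```python
"""Hash evidence for the chain-of-custody record and check it on VirusTotal by hash.

Added example; not the page's or VirusTotal's own code. It computes MD5
(what the linked video uses) together with SHA-1 and SHA-256 in a single
pass, builds a manifest record, and queries the VirusTotal v3 API by
SHA-256 only. A hash lookup never uploads the sample. The API key is read
from an assumed VT_API_KEY environment variable.
"""
import hashlib
import io
import json
import os
import sys
import urllib.error
import urllib.request
from datetime import datetime, timezone

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/{sha256}"
ALGORITHMS = ("md5", "sha1", "sha256")

# Constructed sample: the EICAR test string, harmless by design and known to
# every vendor (MD5 44d88612fea8a8f36de82e1278abb02f).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def hash_stream(fobj, chunk_size=1 << 20):
    """Read the stream once in chunks and return {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    while True:
        chunk = fobj.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    with open(path, "rb") as f:
        return hash_stream(f)


def manifest_entry(item, size, hashes, collector):
    """One chain-of-evidence record: who hashed what, when, and the digests.

    MD5 is kept only for matching older reports; SHA-256 is the digest to
    rely on, since MD5 collisions are practical.
    """
    return {
        "item": item,
        "size": size,
        "collected_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "collector": collector,
        **hashes,
    }


def summarize_vt(report):
    """Reduce a VT v3 /files response to (malicious, suspicious, engines_reporting)."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    return stats.get("malicious", 0), stats.get("suspicious", 0), sum(stats.values())


def vt_lookup(sha256, api_key, opener=urllib.request.urlopen):
    """Look a hash up on VirusTotal; returns the JSON report, or None if unknown."""
    req = urllib.request.Request(
        VT_FILES_URL.format(sha256=sha256),
        headers={"x-apikey": api_key, "accept": "application/json"},
    )
    try:
        with opener(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None          # hash never seen by VT: a signal in itself
        raise


if __name__ == "__main__":
    # usage: python vt_hash.py <evidence file>
    path = sys.argv[1]
    digests = hash_file(path)
    entry = manifest_entry(path, os.path.getsize(path), digests, os.environ.get("USER", "?"))
    print(json.dumps(entry, indent=2))
    key = os.environ.get("VT_API_KEY")
    if key:
        report = vt_lookup(digests["sha256"], key)
        if report is None:
            print("unknown to VirusTotal")
        else:
            print("malicious/suspicious/engines: %d/%d/%d" % summarize_vt(report))
```

A 404 from the files endpoint means nobody has submitted that hash, which for a file found on a compromised host is itself worth recording; the manifest line should be written before any analysis that could alter the file, and the digests re-checked when custody changes hands.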
CONTAINMENT
- Playbooks
- How to build an incident response playbook, Williams-Shaw, Swimlane. https://swimlane.com/blog/incident-response-playbook/
- The Société Générale Incident Response Methodologies (IRM), https://github.com/certsocietegenerale/IRM/tree/master/EN
- Incident Response Consortium, https://www.incidentresponse.com/playbooks/
- MITRE Cyber Exercise Playbook, https://www.mitre.org/sites/default/files/publications/pr_14-3929-cyber-exercise-playbook.pdf
- CLI
- ENISA Good Practice Guide for Incident Management (p. 68), https://www.enisa.europa.eu/publications/good-practice-guide-for-incident-management
- Command Line for Windows Forensics, https://resources.infosecinstitute.com/commandline-malware-and-forensics/
- VM
- Virtual Box, https://www.virtualbox.org/
- VMware Workstation Player, https://www.vmware.com/products/workstation-player.html
- Forensics
- any.run, https://app.any.run/
- CAINE, http://www.caine-live.net/
- Cuckoo Sandbox, https://cuckoosandbox.org/
- FireEye FLARE VM, https://www.fireeye.com/blog/threat-research/2017/07/flare-vm-the-windows-malware.html
- FTK Imager Lite, https://accessdata.com/product-download/ftk-imager-lite-version-3.1.1
- Ghidra, https://www.nsa.gov/resources/everyone/ghidra/
- Hybrid Analysis, https://www.hybrid-analysis.com/
- Mandiant Redline, https://www.fireeye.com/services/freeware/redline.html
- Open Computer Forensics Architecture, http://sourceforge.net/projects/ocfa/
- REMnux, https://remnux.org/ (How to Dynamically Analyze Files Using Munin, https://youtu.be/2WyPK0RXGHE)
- SANS SIFT, https://digital-forensics.sans.org/community/downloads/
- The Sleuth Kit, http://www.sleuthkit.org/ (+ Autopsy GUI, https://www.sleuthkit.org/autopsy/)
- Windows Forensic Toolchest ($), http://www.foolmoon.net/security/wft/
- Evidence Handling
- Scientific Working Group on Digital Evidence (SWGDE), https://swgde.org/
- Patch Management
- ConnectWise Automate (Formerly LabTech [$$]), http://www.labtechsoftware.com/
- PDQ Deploy ($), https://www.pdq.com
- DNS Sinkholes
- Brakmic Malware Sinkhole List in github; https://github.com/brakmic/Sinkholes
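How a sinkhole is put to work during containment, as an added example (not code from the linked Sinkholes repository): a blocklist of known-bad domains is turned into Unbound `local-zone`/`local-data` stanzas that answer the whole subtree with an internal sinkhole address, and the same subtree rule is run over resolver log lines to list the clients that would have hit it. The blocklist, the sinkhole address and the log format are constructed for the example.

```python
"""Build Unbound sinkhole records from a domain blocklist and find infected clients.

Added example; not code from the linked Sinkholes list. The blocklist,
sinkhole address and DNS log lines are constructed. A blocklist entry
covers its whole subtree (c2.example.net also catches www.c2.example.net)
but not look-alikes (notc2.example.net); the same rule drives both the
generated config and the log scan.
"""
SINKHOLE_IP = "10.66.66.66"  # assumed: an internal listener that logs every hit

# Constructed blocklist, deliberately messy (case, trailing dot, whitespace).
BLOCKLIST = ["c2.example.net", "Update-Check.example.org.", "  example.com "]

# Constructed resolver log: "<timestamp> <client> <qname> <qtype>".
DNS_LOG = """\
2024-03-04T10:15:01 10.1.2.3 www.c2.example.net A
2024-03-04T10:15:02 10.1.2.3 example.net A
2024-03-04T10:15:05 10.1.2.8 notc2.example.net A
2024-03-04T10:15:09 10.1.2.8 update-check.example.org AAAA
2024-03-04T10:16:00 10.1.2.9 EXAMPLE.COM A
"""


def normalize(name):
    """Lower-case, strip whitespace and the trailing root dot."""
    return name.strip().rstrip(".").lower()


def blocklist_set(domains):
    return {normalize(d) for d in domains if normalize(d)}


def matching_domain(qname, domains):
    """Return the blocklist entry covering qname, or None.

    Matching is label-based, so 'notc2.example.net' does not match
    'c2.example.net' and 'example.net' does not match either.
    """
    blocked = blocklist_set(domains)
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None


def unbound_config(domains, sink_ip=SINKHOLE_IP):
    """Emit local-zone/local-data stanzas; 'redirect' answers the whole subtree."""
    lines = []
    for d in sorted(blocklist_set(domains)):
        lines.append(f'local-zone: "{d}." redirect')
        lines.append(f'local-data: "{d}. A {sink_ip}"')
    return "\n".join(lines) + "\n"


def sinkhole_hits(log_text, domains):
    """Return (client, qname, matched_entry) for each query the sinkhole would catch."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, client, qname, _qtype = parts[:4]
        hit = matching_domain(qname, domains)
        if hit:
            hits.append((client, qname, hit))
    return hits


if __name__ == "__main__":
    print(unbound_config(BLOCKLIST))
    for client, qname, entry in sinkhole_hits(DNS_LOG, BLOCKLIST):
        print(f"contain {client}: asked for {qname} (matches {entry})")
```

Point the sinkhole address at a host that logs connections rather than at 127.0.0.1, otherwise the resolver answers the query but nothing records which internal machine tried to reach the C2 name, which is the information containment needs.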
ERADICATION
- Bootable ISOs (USB or DVD)
- Bitdefender Rescue CD, http://download.bitdefender.com/rescue_cd/latest/
- GMER, http://www.gmer.net/
- Kali Linux Live, https://docs.kali.org/downloading/kali-linux-live-usb-install
- Trend Micro Rescue Disk, https://www.trendmicro.com/en_us/forHome/products/free-tools/rescue-disk.html
- Anti-Virus
- Armadito Antivirus, https://armadito.com/
- Avast Free Antivirus, https://www.tomsguide.com/us/avast-free-antivirus,review-2208.html
- Barkly (AlertLogic [$$]), https://www.alertlogic.com/
- Bitdefender Antivirus Free Edition, https://www.tomsguide.com/us/bitdefender-antivirus-free,review-3523.html
- ClamAV, https://www.clamav.net/
- ClamWin, http://www.clamwin.com/
- Microsoft Windows Defender, https://support.microsoft.com/en-us/help/14210/security-essentials-download
- Open Antivirus Project, http://www.openantivirus.org/index.php
RECOVERY
- Business Impact Analysis
- https://www.ready.gov/business-impact-analysis
- Disaster Recovery Plan
- https://www.ready.gov/business/implementation/IT
- https://blogs.technet.microsoft.com/mspfe/2012/03/08/a-microsoft-word-document-template-for-disaster-recovery-planning/
- https://education.alberta.ca/media/3272748/3-it-disaster-recovery-workbook-and-template.docx
- https://www.cisco.com/en/US/technologies/collateral/tk869/tk769/white_paper_c11-453495.pdf
- Business Continuity Plan
- https://www.ready.gov/business/implementation/continuity
- https://mema.maryland.gov/Documents/FEMA_Small_Business_Continuity_Plan_Template.docx
- https://www.bdc.ca/en/articles-tools/entrepreneur-toolkit/templates-business-guides/pages/business-continuity-guide-templates-entrepreneurs.aspx
- Data Backup & Recovery
- Acronis (bare-metal recovery, $$), https://www.acronis.com
- BorgBackup, https://www.borgbackup.org/
- UrBackup, https://www.urbackup.org/
- Unitrends ($$$), https://www.unitrends.com/
- Veeam, https://www.veeam.com/
LESSONS LEARNED
- 6 Phases In The Incident Response Plan, David Ellis, https://www.securitymetrics.com/blog/6-phases-incident-response-plan
- CornerThought ($?), https://www.lessonslearnedsolutions.com/
- LessonFlow ($?), https://www.lessonslearnedsolutions.com/
BOOKS
- Blue Team Handbook: Incident Response Edition: A condensed field guide for the Cyber Security Incident Responder., Don Murdoch. ISBN: 978-1500734756
- Blue Team Handbook: SOC, SIEM, and Threat Hunting (V1.02): A Condensed Guide for the Security Operations Team and Threat Hunter, Don Murdoch. ISBN: 978-1091493896
- The Blue Team Field Manual, Ben Clark & Alan J White. ISBN: 978-1541016361
- The Checklist Manifesto, Atul Gawande. ISBN: 978-0312430009
- The Red Team Field Manual, Ben Clark. ISBN: 978-1494295509
- Computer Incident Response and Forensics Team Management, Leighton Johnson. ISBN: 978-1597499965
- Crafting the InfoSec Playbook, Brandon Enright, Jeff Bollinger, and Matthew Valites. ISBN: 978-1491949405
- Cybersecurity Incident Response, Eric C. Thompson. ISBN: 978-1484238691
- Intelligence-Driven Incident Response, Scott J. Roberts. ISBN: 978-1491934944
- Security Operations Center – SIEM Use Cases and Cyber Threat Intelligence, Arun E. Thomas. ISBN: 978-1986862011
- The Practice of Network Security Monitoring, Richard Bejtlich. ISBN: 978-1593275099
- Cybersecurity Canon, https://cybercanon.paloaltonetworks.com/
