CSIRT Tools - fedvte.usalearning.gov

Page 1: CSIRT Tools - fedvte.usalearning.gov

CSIRT Tools

Table of Contents

Notices ............................................................................................................................................ 2

CSIRT Tools ...................................................................................................................................... 2

CSIRT Tools ...................................................................................................................................... 3

Caveat ............................................................................................................................................. 4

Necessary Tools .............................................................................................................................. 5

Data and Tools ................................................................................................................................ 8

Other CSIRT Tools ........................................................................................................................... 9

Custom Documents ....................................................................................................................... 10

Key Points ...................................................................................................................................... 12

Page 1 of 12


Notices

41 Managing CSIRTs © 2020 Carnegie Mellon University

[DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution.

CSIRT Tools

**033 This next section talks about some of the software tools that are specifically used in a CSIRT.

CSIRT Tools

Not many tools exist specifically for incident handling work.

• Many CSIRTs adapt tools used by system and network administrators in their work.

• Other tools often have to be built by CSIRTs or customized for their environment.

As a manager, you must work with your team to identify and acquire the tools needed for your staff to perform their tasks.

**034 There was a time when there weren't that many tools available for a CSIRT to do their tasks. Now there are more tools than there used to be; however, it's still important to adapt them from the environment that they were originally developed in for use within CSIRTs. It may be the case then that you need to have software developers on your CSIRT staff who can make tools that your CSIRT requires to do their job effectively. That's a business decision. Can you afford to have a full-time or even a part-time staff of developers who craft tools, who work with CSIRT staff to understand what those tools do and need to do? Or do you simply look around to buy them, maybe from third parties, maybe from contractors, when you need them? Nonetheless you're going to need tools that are going to be very helpful for the CSIRT staff to track incidents, to keep track of all of the information. We'll talk more about that shortly.

Caveat

We encourage each organization to thoroughly evaluate new tools and techniques before installing or using them.

• When installing and using any security tool, read and follow all available directions.

• Ensure that the tool conforms to your organization’s policies and procedures.

• Keep sensitive files (such as MD5 checksums) and log files off-line or on read-only media.

**035 We also strongly recommend that for any of the tools you understand what they do and what they don't do. Make sure that you have thoroughly investigated them, that they do all the things you need to do, that you have tested them in some type of a sandbox to see if they may be transmitting information that's not documented and unexpected, and that it conforms to your policies and procedures. You may need to have people who are somewhat specialists in tool testing, treating tools perhaps as a piece of malware and investigating it the same way you'd investigate malware, to see if it does what you need to do.

Finally, once you've verified that you have a tool that does what you need it to do, consider putting yourself in the position of having to reinstall your systems using the media that you've got to build the tools. Can you find that media? Can you install that? Can you configure that? Can you bring it up to date with respect to how you've been using it? You need to take all these things into consideration.
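The caveat above (keep checksums and log files off-line or on read-only media) and the file integrity bullet on the next slide can be put into practice with a short script. This is an added example, not course material: it builds a SHA-256 manifest of a log directory and later compares the live directory against the trusted copy of that manifest; the file names and log contents are constructed.

```python
"""SHA-256 integrity manifest for CSIRT log files (added example, not course material).
The manifest is taken once and kept on read-only or off-line media; verify() later
compares the live directory against that trusted copy and reports what changed."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"  # FIPS 180 vector

def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large captures never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file under root (relative path) to its SHA-256 hex digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify(root: Path, trusted: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the directory with the trusted manifest. A copy kept on the same
    writable disk proves nothing: whoever edits the logs can regenerate it."""
    current = build_manifest(root)
    return {
        "modified": sorted(f for f in trusted if f in current and current[f] != trusted[f]),
        "missing": sorted(f for f in trusted if f not in current),
        "added": sorted(f for f in current if f not in trusted),
    }

def known_answer_check() -> bool:
    """Confirm chunked hashing against the published SHA-256 of b'abc'."""
    with tempfile.TemporaryDirectory() as tmp:
        p = Path(tmp) / "abc.txt"
        p.write_bytes(b"abc")
        return sha256_file(p, chunk_size=1) == SHA256_ABC

def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline two logs, then truncate one and drop in a new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "auth.log").write_text("Jan 10 10:01:02 host sshd[412]: Accepted publickey\n")
        (root / "proxy.log").write_text("10.0.0.5 GET http://intranet.example/ 200\n")
        trusted = json.loads(json.dumps(build_manifest(root)))  # stand-in for off-line copy
        (root / "auth.log").write_text("")  # log truncated after the baseline was taken
        (root / "unexpected.bin").write_bytes(b"\x00")  # file that was not there before
        return verify(root, trusted)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the modified, missing and added files of the constructed scenario; in practice the manifest written by build_manifest() is what goes onto the read-only media.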

Necessary Tools

Depending on your team’s mission and provided services, you may need tools for

• storing, analyzing, and tracking CSIRT data
• monitoring CSIRT systems and networks
• monitoring your constituency systems and networks
• file integrity checking and verification
• encryption/decryption
• secure communications
• analyzing logs, files, and artifacts
• correlating, trending, and visualizing data and incidents
• identifying addresses and contacts
• capturing and storing forensic evidence
• internal and external communications and information dissemination
• general computer network defense tools
• lab, simulations, and virtual systems

**036 Here is a collection of tools at the top level describing the kinds of things that a CSIRT does and the tools you need to support that. You need tools for storing, analyzing and tracking CSIRT data, because you need to generate reports for your constituency, for funding reasons, for a variety of reasons, and one of the things that's really important about the data that you track is to regularize it. For example, by indicating that you have a vulnerability in a Windows tool, maybe you need to be more specific. Is it Windows 10? Is it Windows 8.1? Is it Windows XP? So you need to be able to conform tools to the kinds of information you want to capture.

Monitoring the CSIRT systems and networks. There's lots of open source tools, there's lots of purchased tools that you can get to do this. Monitoring your constituency systems and networks if you happen to be needing to do that, if that's one of your services. File integrity checking and verification-- PGP, checksums, MD5, SHA-256. These tools are virtually ubiquitous and typically free.

Encryption and decryption, PGP or maybe certificate-based. Secure communications. There's lots of VPN software, including VPNs from handhelds and tablets as well as laptops. Analyzing log files and artifacts. There are lots of tools to do this, but this may be a time when if your CSIRT staff has the ability to craft scripts, they're able to actually write programs that do this analysis for you. We strongly recommend that if your staff is going to learn programming skills to do this kind of activity, we strongly recommend that you look at a programming language like Python as the way to do that.

Trending, correlating and visualizing data in incidents. This is very helpful for doing presentations, for doing brochures for customers, to be able to talk about information as it's changed over time. Identifying addresses and contacts for your constituency. Capturing and storing forensic evidence. There are many, many free tools for doing this and many free platforms and tools for analyzing that evidence.

Internal and external communications and information dissemination. Wikis-- there's software for doing wikis, web servers, online discussions, group chats, what have you.

Normal computer defense tools. Again, lots of these are public domain and for purchase as well. And then finally, lab simulations and virtual systems. There's lots of tools for running virtual machines. In some cases, you may be dealing with artifacts-- for example, malware-- that's virtual-machine-aware that simply doesn't run under a virtual machine, in which case you need to run those pieces of malware on regular hardware machines. For doing simulations, like if you want to simulate the internet or you want to simulate a web server or something else on a network in a lab, there's lots of tools for doing that.

So these are general categories of tools you need to support your

Data and Tools

Although the types of data needed will vary to some degree, the following are typical data and tools to use. See “Smart Collection and Storage Method for Network Traffic Data” (CMU/SEI-2014-TR-011) for strategies about managing monitoring data.

Data type: Flow or session (metadata)
Tool(s) typically used: Usually dedicated analysis tools

Data type: Logs, IDS/IPS alerts, augmented metadata, other alerts. Can include
  • host-based IPS/AV logs
  • passive DNS data (pDNS)
  • proxy logs (web, email)
  • asset and fingerprinting data
  • and more
Tool(s) typically used: SIEM or other dedicated analyst console

Data type: Full packet capture (FPCAP)
Tool(s) typically used: Wireshark, Network Miner, tcpdump, others – very important to integrate with other tools to provide easy access and indexing

Data type: Reporting from non-technical sources
  • users – phone, email, other
  • external sources – phone, email
Tool(s) typically used: These types of events are usually recorded in shift logs and/or ticketing systems where appropriate.

**037 So when you're thinking about a data analysis person, the person in your CSIRT who's analyzing data, they need to have tools that deal with these kinds of things. For example, flow or session data of a network. There's lots of tools that are able to do this. One of them is SiLK from CERT. That's a public domain tool. Then you need with logs, IDS alerts, other types of alerts, metadata. These could include all of these sorts of things. So you need to think of some kind of console for your analysts that are able to deal with these kinds of things.

Full packet capture-- there's many tools, Wireshark being one of the most preeminent ones, for dealing with those, for summarizing, for viewing packet data. Very important tool. Lots of books, well documented, runs on all the systems, whatever.

And then getting reports from nontechnical sources, these tools can be very helpful. Finally, there's a CMU SEI technical report from 2014, Technical Report 011, that can give you some information about managing and strategies for managing and monitoring data.

Other CSIRT Tools

Access to other CSIRT resources that can help facilitate CSIRT work include

• security mailing lists
  - US-CERT mailing lists
  - bugtraq
  - vendor mailing lists

• incident and vulnerability databases and taxonomies
  - CERT/CC Knowledgebase
  - CVE – Common Vulnerabilities and Exposures
  - CVSS – Common Vulnerability Scoring System

**038 Other resources that the CSIRT needs to have access to, to do their jobs, are mailing lists where you can find information about security. US-CERT is one mailing list sponsored by DHS and the U.S. government. Bugtraq is another list where lots of bugs are posted so that people can track them. And then vendor mailing lists for the vendors of software and systems not only in the CSIRT but also in your constituencies. From an incident vulnerability database and taxonomy perspective, here are some that can be very helpful: the CERT/CC Knowledge Base that talks about vulnerability, and then the CVE, the Common Vulnerabilities and Exposures database, and CVSS, the Common Vulnerability Scoring System. If you are doing vulnerability work and vulnerability handling, these are very important resources to use when doing that job.

Custom Documents

Standardized replies and “technical tips” save time in answering frequently asked questions.

• reusable text from email messages
• interactive reporting forms
• pointers to resources available on your website
  - “how-to” documents
  - in-house tutorials or training
  - frequently asked questions (FAQs)
  - current activity or “what’s new”
  - custom or personalized web pages
  - advisories or alerts
  - incident or vulnerability notes
  - other information

**039 We also recommend that from a publishing point of view you create custom documents that people can use to provide information to the constituency or around the staff. Standardized replies and technical tips can really save a lot of time in providing information. You can get reusable text for email messages. Once you decide on something that is grammatically correct, that is succinct, that is accurate, you can put that in a database or other repository and people can reuse that to answer questions asked by different people.

You can have interactive reporting forms to make it easier for people to report incidents. Finally, you can also provide all of these on your web server, how-to documents, how to do something, in-house tutorials or training, how to encrypt an email message with PGP under this type of mailing system, for example. Frequently Asked Questions so that people can research those, and make sure that your Frequently Asked Questions are searchable so that people can find what they need to find. Current Activity or What's New kinds of information. Customized or personalized web pages for your various constituencies can make a constituent important to your organization because it's personalized.

Advisories and alerts are typically something that you're going to send to your constituency to encourage them to take some action very quickly. Incident and vulnerability notes. These may be notes that are inside your CSIRT where you're keeping track of information so that people can share it on your staff. And then other information that people can find. Again, all these need to be indexed in some fashion so you can find all the documents that are relevant to a topic at hand as quickly as you can.

Key Points

CSIRTs must be a model for how IT assets should be protected.

Systems and networks must be securely configured and maintained.

Each CSIRT will require its own set of tools for incident work.

Online data must be stored in secure locations and transmitted over secure links.

**040 So here are the key points in this module. The CSIRT must be a model for how IT assets should be protected. Do it and show it off, show other people how to do it, especially your constituency, so that they can see one way that managing an IT system can be done securely. Networks and systems must be securely configured and maintained every day, 24/7. Each CSIRT needs its own set of tools. Typically you're going to have to adapt tools that may have been written for some other purpose for use within your CSIRT. This is a common practice. Don't hesitate to do it. And any data must be stored securely and transmitted over secure links, which means encryption, which means hidden from prying eyes, no matter where that data resides.