What is in your CSIRT First Responder’s Jump Kit?

February 24, 2015

Like other services, effective Computer Security Incident Response Teams (CSIRTs) are tiered. The First Responder on a CSIRT is much like the EMT who assesses the situation and either deals with it themselves or brings the case to more specialized teams. In this blog post, we cover the role of the First Responder on a CSIRT, why it is needed, why it is tough, and what tools they need for their job.

CSIRT Tiers

Your CSIRT is responsible for evaluating a network or host to determine if it has been compromised and, if so, deciding on how to react to minimize damage and determine the root causes. To do this, CSIRTs need to be able to manually or automatically review each reported incident and alert to determine if it is a real issue or a false positive. We’ve all heard the stories of companies that had an alert of a real attack right in front of them, but they didn’t look into it.

This means that a CSIRT as a whole needs breadth to review the increasing number of alerts and depth to dive into the confirmed and high-value incidents to determine scope and causes. This is why effective incident response teams organize themselves into tiers.

The First Responder is responsible for the initial response to each alert, and their primary job is to answer the question of whether a given host is compromised or not. It is even better if they can link the incident to a known campaign against the organization and identify other hosts in the enterprise that should be investigated.

Once the compromise has been verified, a variety of specialized members can be assigned to the response, such as:

  • Digital Forensics
  • Malware Analyst
  • Threat Intelligence
  • Security Engineers

This tiered approach allows you to save your most experienced responders for the high-value investigations and maintain the scalability necessary to address the numerous alarms that need to be reviewed.

The First Responder’s Process

To confirm a compromise, the CSIRT first responder needs to collect data from the endpoint. He or she may have physical access to the endpoint, or it could be across the world. The data to collect includes volatile data from memory and files from the hard drive.

The collected data is then analyzed for signs of a compromise. This requires a combination of signature-based analysis to identify known threats, heuristics to identify things that are similar to previously seen incidents, and instinct to identify the anomalous activity that has not been seen before.

To do this, the responder needs to know:

  • What is normal on the endpoint (to therefore know what is anomalous)
  • Where, in general, evidence of a compromise could be located on the endpoint
  • What the local and global attack trends are, to know what additional artifacts to look for
  • Where the high-value data is located in the enterprise

Unfortunately, the places that evidence could be located and the trends are constantly changing because attacker tools, tactics, and procedures (TTPs) are always changing.
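The three kinds of analysis described above (signatures, heuristics, and comparison against what is normal) can be sketched as a small ranking pass over collected executable records. This is an added example, not code from Cyber Triage or from the original post; every path, hash, threshold and field name in it is a constructed assumption.

```python
# Added example; all paths, hashes and thresholds below are constructed.
KNOWN_BAD_SHA256 = {"a" * 64}          # placeholder, not a real indicator
FLEET_SIZE = 200                        # hosts in the constructed baseline
FLEET_BASELINE = {                      # path -> number of hosts where seen
    "c:\\windows\\system32\\svchost.exe": 200,
    "c:\\program files\\office\\winword.exe": 180,
}
RARE_FRACTION = 0.05                    # assumed cut-off for "rare in fleet"
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe"}
SEVERITY = {"known-bad": 0, "suspicious": 1, "anomalous": 2, "normal": 3}

def triage_item(item):
    """Return (verdict, reason) for one collected executable record."""
    path = item["path"].lower()
    # 1. Signature: exact match against known threats.
    if item["sha256"] in KNOWN_BAD_SHA256:
        return "known-bad", "hash on signature list"
    # 2. Heuristics: patterns similar to previously seen incidents.
    reasons = []
    if not item["signed"] and any(d in path for d in USER_WRITABLE):
        reasons.append("unsigned binary in user-writable directory")
    name = path.rsplit("\\", 1)[-1]
    if name in SYSTEM_NAMES and not path.startswith("c:\\windows\\system32\\"):
        reasons.append("system process name outside system32")
    if reasons:
        return "suspicious", "; ".join(reasons)
    # 3. Baseline: what is normal here, so the rest stands out as anomalous.
    seen = FLEET_BASELINE.get(path, 0)
    if seen / FLEET_SIZE < RARE_FRACTION:
        return "anomalous", f"seen on {seen}/{FLEET_SIZE} hosts"
    return "normal", f"seen on {seen}/{FLEET_SIZE} hosts"

def triage_host(items):
    """Rank every record so the responder reviews the worst first."""
    rows = [(*triage_item(i), i["path"]) for i in items]
    return sorted(rows, key=lambda r: SEVERITY[r[0]])

COLLECTED = [  # constructed sample of data collected from one endpoint
    {"path": "C:\\Windows\\System32\\svchost.exe", "sha256": "1" * 64, "signed": True},
    {"path": "C:\\Users\\bob\\AppData\\Roaming\\svchost.exe", "sha256": "2" * 64, "signed": False},
    {"path": "C:\\Tools\\updater.exe", "sha256": "3" * 64, "signed": True},
    {"path": "C:\\Program Files\\Office\\winword.exe", "sha256": "a" * 64, "signed": True},
]

if __name__ == "__main__":
    for verdict, reason, path in triage_host(COLLECTED):
        print(f"{verdict:10} {path}  ({reason})")
```

The signature check runs first, so a file at a common, trusted-looking path is still flagged when its hash is known bad, and the baseline check only labels what the first two stages did not explain.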

The First Responder’s Jump Kit

Because of the scale at which first responders are needed, the pace that they need to maintain, and the fact that they are not malware or digital forensics experts, the first responder’s tools need to be automated and easy to use. Unfortunately, there are few (or perhaps some may say no) tools currently targeted at the first responder.

There are plenty of incident response tools out there, but they largely assume the user is a digital forensics expert. They require the user to know what registry keys to look at, don’t help with malware analysis, and don’t automate any of the standard analysis tasks.

This gap in tools is why we’ve been developing Cyber Triage. Cyber Triage is targeted at the first responder. It automates the collection of data, application of heuristics, and malware analysis so that the responder can respond quickly and thoroughly. Because each host and environment are different, Cyber Triage cannot automatically analyze everything and instead guides the user through steps to answer essential questions.

To help them know what is normal, Cyber Triage maintains a backend database of all collected data so that the responder has situational awareness. They can compare the current state of a system with a previous state or with other hosts in the enterprise. It does all of this with a simple UI and does not require the user to be a forensics expert.