WEBVTT

0:00:03.580000 --> 0:00:06.720000
 Incident Response Toolkit.

0:00:06.720000 --> 0:00:11.780000
 In this video we're going to be exploring
 the process of developing your

0:00:11.780000 --> 0:00:14.060000
 own incident response toolkit.

0:00:14.060000 --> 0:00:20.520000
 This is quite an important aspect of the
 technology component of the preparation

0:00:20.520000 --> 0:00:22.900000
 phase of incident response.

0:00:22.900000 --> 0:00:31.560000
 And again, if you're getting into incident
 response as a beginner or if

0:00:31.560000 --> 0:00:35.900000
 you have no background in incident response,
 then this may seem like sort

0:00:35.900000 --> 0:00:38.740000
 of a new or foreign concept.

0:00:38.740000 --> 0:00:44.780000
 Specifically referring to an incident
 response toolkit, but it is a very,

0:00:44.780000 --> 0:00:51.660000
 very important aspect or component of
 preparing for incident response or

0:00:51.660000 --> 0:00:55.000000
 preparing to respond to
 incidents, I should say.

0:00:55.000000 --> 0:00:58.300000
 So what is an incident response toolkit?

0:00:58.300000 --> 0:01:02.800000
 Well, an incident response toolkit is
 a curated set of tools and utilities

0:01:02.800000 --> 0:01:08.780000
 that incident responders use during
 security investigations, containment

0:01:08.780000 --> 0:01:12.620000
 efforts, as well as post-incident
 analysis.

0:01:12.620000 --> 0:01:17.020000
 So, an IR toolkit, you know, provides
 the technical capabilities

0:01:17.020000 --> 0:01:22.800000
 that responders need to collect evidence,
 perform forensics, triage alerts,

0:01:22.800000 --> 0:01:26.300000
 and of course act quickly
 during a cyber incident.

0:01:26.300000 --> 0:01:30.900000
 Now, depending on the organization or
 context, the incident response toolkit

0:01:30.900000 --> 0:01:35.140000
 may also be referred to as, so you'll
 typically see an IR toolkit referred

0:01:35.140000 --> 0:01:40.120000
 to as a responder kit, a drop kit,
 a cyber first responder toolkit, a

0:01:40.120000 --> 0:01:48.960000
 digital forensics toolkit, an IR utility
 pack, an investigation toolkit,

0:01:48.960000 --> 0:01:53.380000
 the bottom line is that, you know,
 again, depending on the organization

0:01:53.380000 --> 0:01:58.960000
 or context, you know, the organizations
 will have different names for

0:01:58.960000 --> 0:02:04.280000
 an IR toolkit and the bottom line is
 that it's pretty much referring to

0:02:04.280000 --> 0:02:08.640000
 the same thing. So despite the different
 labels or names, the goal remains

0:02:08.640000 --> 0:02:14.180000
 the same. Equipping responders with ready-to-use
 tools for efficient,

0:02:14.180000 --> 0:02:19.400000
 consistent, and effective incident
 handling or incident response.

0:02:19.400000 --> 0:02:24.220000
 So you may be asking, what are some
 of the common tools included in an

0:02:24.220000 --> 0:02:29.780000
 IR toolkit? Well, incident response
 toolkits typically include a mix of

0:02:29.780000 --> 0:02:33.600000
 forensics, analysis, collection,
 and triage tools.

0:02:33.600000 --> 0:02:35.860000
 And here's a breakdown by category.

0:02:35.860000 --> 0:02:41.300000
 Now, this is going to be dependent on
 your specific roles and responsibilities.

0:02:41.300000 --> 0:02:46.800000
 So, you know, what you'll be doing
 in relation to incident response.

0:02:46.800000 --> 0:02:51.200000
 And so, you know, this is a generalization
 of the types of tools you'd

0:02:51.200000 --> 0:02:54.760000
 find in an IR toolkit broken
 down by category.

0:02:54.760000 --> 0:02:58.780000
 So in the case of evidence collection
 and imaging, you know, very, very

0:02:58.780000 --> 0:03:03.680000
 common to find FTK Imager, FTK
 Imager for disk imaging.

0:03:03.680000 --> 0:03:09.420000
 You know, an example of memory acquisition
 tools are Magnet RAM Capture

0:03:09.420000 --> 0:03:13.880000
 or Belkasoft RAM Capture,
 I should say, and then, you know,

0:03:13.880000 --> 0:03:17.220000
 very, very common on Linux to have dd,
 which is, you know, command line

0:03:17.220000 --> 0:03:22.760000
 disk imaging. In the case of memory and
 disk forensics, so sort of moving

0:03:22.760000 --> 0:03:27.840000
 from evidence collection and imaging,
 you know, it goes without saying

0:03:27.840000 --> 0:03:30.480000
 that you're going to have
 Volatility or Rekall.

0:03:30.480000 --> 0:03:31.860000
 That's for memory analysis.

0:03:31.860000 --> 0:03:36.080000
 And then for file system forensics,
 you're going to have Autopsy or The

0:03:36.080000 --> 0:03:40.540000
 Sleuth Kit. Those are the typical
 tools you'll find there.

0:03:40.540000 --> 0:03:46.040000
 In the case of log and event analysis,
 you're going to need a log parser

0:03:46.040000 --> 0:03:51.460000
 or, you know, specific to Windows log
 analysis, an example of the tool

0:03:51.460000 --> 0:03:53.020000
 that is Log Parser.

0:03:53.020000 --> 0:03:57.180000
 You also have SysmonView, which is
 a great tool for visualization of

0:03:57.180000 --> 0:04:01.760000
 Sysmon logs. You're then going to require,
 and this is something I've seen, you know,

0:04:01.760000 --> 0:04:07.120000
 pretty much across quite a few incident
 response toolkits within organizations.

0:04:07.120000 --> 0:04:12.040000
 They always have packet capture and network
 analysis tools like Wireshark

0:04:12.040000 --> 0:04:16.700000
 or tcpdump for traffic
 inspection and capture.

0:04:16.700000 --> 0:04:21.080000
 For malware analysis and IOC triage,
 which is something we explored to

0:04:21.080000 --> 0:04:25.340000
 a certain extent in the previous video
 when we're exploring, you know,

0:04:25.340000 --> 0:04:33.460000
 TheHive. In this case, you'd find tools
 like PE Studio for malware analysis,

0:04:33.460000 --> 0:04:36.720000
 you know, static analysis of
 binaries and executables.

0:04:36.720000 --> 0:04:40.440000
 In the case of PE Studio, it's
 really portable executable.

0:04:40.440000 --> 0:04:45.020000
 So Windows specific, you then have
 VirusTotal Uploader, which is, you

0:04:45.020000 --> 0:04:48.980000
 know, for file and hash scanning,
 CyberChef, that's a great tool.

0:04:48.980000 --> 0:04:52.700000
 If you're not familiar with it already
 for decoding and analyzing encoded

0:04:52.700000 --> 0:04:55.200000
 or obfuscated data.

0:04:55.200000 --> 0:05:00.900000
 And then YARA, which is great for pattern
 matching and malware detection.

0:05:00.900000 --> 0:05:03.300000
 So that's more so the signature
 side of things.

0:05:03.300000 --> 0:05:07.680000
 And then you have artifact collection,
 specific to Windows, you have KAPE,

0:05:07.680000 --> 0:05:12.400000
 which is the Kroll Artifact Parser and
 Extractor, which helps you collect

0:05:12.400000 --> 0:05:17.380000
 Windows forensic artifacts, and then
 EZ Tools by Eric Zimmerman.

0:05:17.380000 --> 0:05:23.320000
 So examples of these would be Registry Explorer,
 Timeline Explorer, phenomenally

0:05:23.320000 --> 0:05:28.680000
 powerful tools, and then system
 utilities like PsExec or PsKill.

0:05:28.680000 --> 0:05:32.220000
 So really, you'd find the whole
 Sysinternals suite of tools.

0:05:32.220000 --> 0:05:37.460000
 But in this particular case, they're
 limited to PsExec and PsKill.

0:05:37.460000 --> 0:05:42.180000
 So remote execution and process termination,
 you then have a collection

0:05:42.180000 --> 0:05:47.020000
 of PowerShell and/or Bash scripts
 for automation and triage, sort of,

0:05:47.020000 --> 0:05:54.560000
 you know, automate this, and
 then verify file hashes.

0:05:54.560000 --> 0:05:58.380000
 And now that brings us to a very important
 point here, which is how do you

0:05:58.380000 --> 0:06:00.800000
 build your own incident response toolkit?


0:06:00.800000 --> 0:06:06.860000
 Because, you know, the previous list or
 list of categories and tools within

0:06:06.860000 --> 0:06:09.400000
 each category is quite generalized.

0:06:09.400000 --> 0:06:15.160000
 And you know, they sort of account for
 various aspects of incident response.

0:06:15.160000 --> 0:06:19.980000
 And the first step, as I mentioned when
 we began this video, is to define

0:06:19.980000 --> 0:06:21.760000
 your own use case.

0:06:21.760000 --> 0:06:26.560000
 So are you building your kit for a Windows
 environment or Windows-specific

0:06:26.560000 --> 0:06:31.300000
 incident response or Linux-specific
 incident response or for the cloud?

0:06:31.300000 --> 0:06:33.080000
 Very, very important, right?

0:06:33.080000 --> 0:06:36.040000
 The next question is, will this
 toolkit be used in the field?

0:06:36.040000 --> 0:06:41.140000
 So think USB or live boot or
 on dedicated IR workstations?

0:06:41.140000 --> 0:06:41.900000
 Very, very important.

0:06:41.900000 --> 0:06:47.360000
 So if you have, if there's the requirement
 or the need to have them again

0:06:47.360000 --> 0:06:52.320000
 be portable, then you need to have
 USBs ready with these tools.

0:06:52.320000 --> 0:06:55.740000
 You then need to identify the
 core capabilities you need.

0:06:55.740000 --> 0:07:00.060000
 So are you doing evidence collection,
 memory analysis, log review, questions

0:07:00.060000 --> 0:07:02.380000
 like that, very, very important.

0:07:02.380000 --> 0:07:07.680000
 So based on that, you include the tools
 that are aligned with your incident

0:07:07.680000 --> 0:07:11.160000
 response procedures and playbooks.

0:07:11.160000 --> 0:07:14.180000
 Then, you know, you select
 and test tools.

0:07:14.180000 --> 0:07:16.980000
 This is something that a lot of people
 skip, especially when you're getting

0:07:16.980000 --> 0:07:21.920000
 started. You know, it's not just about
 selecting tools, you need to actually

0:07:21.920000 --> 0:07:25.400000
 test them and sort of integrate them
 into your workflow, understand how

0:07:25.400000 --> 0:07:28.360000
 they work, become efficient
 in using them, etc.

0:07:28.360000 --> 0:07:32.500000
 But the bottom line is you choose reliable,
 well supported tools, preferably,

0:07:32.500000 --> 0:07:36.240000
 you know, open source or vendor approved,
 I should say vendor supported

0:07:36.240000 --> 0:07:41.180000
 tools. You then test everything in a
 sandbox environment before relying

0:07:41.180000 --> 0:07:42.000000
 on it in production.

0:07:42.000000 --> 0:07:44.860000
 The bottom line is you don't want to be
 in a position when you're responding

0:07:44.860000 --> 0:07:50.420000
 to an incident, where you perform
 analysis, so on and so forth.

0:07:50.420000 --> 0:07:54.200000
 And this is the first time that you're
 using a particular tool or you're

0:07:54.200000 --> 0:07:56.520000
 unsure about certain aspects of the tool.


0:07:56.520000 --> 0:07:59.440000
 So become comfortable with the tool.

0:07:59.440000 --> 0:08:02.960000
 You actually test it out and see that
 it does what you want it to do or

0:08:02.960000 --> 0:08:08.560000
 what you expect it to do, and you're
 documenting the usage instructions

0:08:08.560000 --> 0:08:13.420000
 or creating a quick reference guide
 or knowledge base on TheHive.

0:08:13.420000 --> 0:08:15.560000
 That's what it's there for.

0:08:15.560000 --> 0:08:17.820000
 But that's very, very important.

0:08:17.820000 --> 0:08:20.820000
 You then move on to packaging
 and organizing the toolkit.

0:08:20.820000 --> 0:08:23.900000
 Again, something that a
 lot of people overlook.

0:08:23.900000 --> 0:08:30.580000
 This is typically the structured folder
 system that I have, you know,

0:08:30.580000 --> 0:08:37.100000
 both in terms of naming
 but also structure.

0:08:37.100000 --> 0:08:41.480000
 So directories are sorted based on, again,
 what the tools do or what they're

0:08:41.480000 --> 0:08:42.320000
 going to be used for.

0:08:42.320000 --> 0:08:46.480000
 So I have one for collection,
 forensics, malware analysis.

0:08:46.480000 --> 0:08:50.500000
 I have one for scripts, logs,
 documentation, etc.

0:08:50.500000 --> 0:08:54.900000
 But some key considerations I would
 like to make here are A, you know,

0:08:54.900000 --> 0:08:58.580000
 you could, you should consider building
 a portable version on a USB drive

0:08:58.580000 --> 0:09:00.140000
 with write blockers.

0:09:00.140000 --> 0:09:04.940000
 B, you should set up a virtual machine
 image preloaded with all your tools.

0:09:04.940000 --> 0:09:09.960000
 So think of, you know, various things
 like Commando VM or FLARE VM on

0:09:09.960000 --> 0:09:16.200000
 Windows, or just, you know, create your
 own VM, you know, an example on

0:09:16.200000 --> 0:09:18.940000
 Linux would be the Cuckoo Sandbox.

0:09:18.940000 --> 0:09:23.160000
 In addition to that, I'd also recommend
 that you build a cloud hosted

0:09:23.160000 --> 0:09:26.400000
 toolkit if you're responding
 to cloud native incidents.

0:09:26.400000 --> 0:09:30.280000
 And generally speaking, have, you know,
 your kits stored in multiple locations

0:09:30.280000 --> 0:09:34.160000
 and have your analysis tools
 or VMs ready to go.

0:09:34.160000 --> 0:09:36.800000
 Make sure you have snapshots of your VMs.


0:09:36.800000 --> 0:09:43.980000
 Again, that, you know, are dedicated
 or would take you back to a clean

0:09:43.980000 --> 0:09:47.740000
 state so that you have an investigation
 VM for each incident.

0:09:47.740000 --> 0:09:48.860000
 I always like doing that.

0:09:48.860000 --> 0:09:52.480000
 It may seem a little bit cumbersome,
 but that's always important.

0:09:52.480000 --> 0:09:54.980000
 And then finally, maintain and update.

0:09:54.980000 --> 0:09:56.700000
 So keep the tools up to date.

0:09:56.700000 --> 0:10:00.700000
 This is something that I've seen too
 many times for me to recount here.

0:10:00.700000 --> 0:10:03.880000
 They're running older versions of tools,
 not that there's anything wrong

0:10:03.880000 --> 0:10:07.460000
 with an older version of a tool, especially
 when the excuse for not updating

0:10:07.460000 --> 0:10:11.100000
 to a new version is that the
 new version is unstable.

0:10:11.100000 --> 0:10:12.120000
 I understand that.

0:10:12.120000 --> 0:10:15.260000
 But generally speaking, you want to
 ensure that your tools are kept up

0:10:15.260000 --> 0:10:18.880000
 to date and you test them and you see
 whether, you know, there's any issues

0:10:18.880000 --> 0:10:22.320000
 with a new version, stuff like this,
 if they are, then you can maintain

0:10:22.320000 --> 0:10:23.340000
 the current version.

0:10:23.340000 --> 0:10:25.580000
 But you need to do this proactively.

0:10:25.580000 --> 0:10:29.960000
 So you regularly review your toolkit
 based on new attack trends, lessons

0:10:29.960000 --> 0:10:34.080000
 learned from past incidents,
 and of course, team feedback.

0:10:34.080000 --> 0:10:38.180000
 All right. So with that being said, that's
 going to be it for this video.

0:10:38.180000 --> 0:10:40.700000
 And I will be seeing you
 in the next video.

