Open-source incident response tools are easily customizable and you will be in full control of what is going on in the software, maintenance- and security-wise. We have found 10 open-source incident response tools that you can use.
1. Cynet 360 Cynet 360
is considered to be one of the best free open-source tools out there. Its advantages are full integration with the system for the best monitoring, user behavior and network traffic analysis, and vast tools for response automation (playbooks, automated investigations, and remediation, etc.). Cynet 360 also offers vertical-specific solutions for healthcare, manufacturing, energy, and law.
2. CimSweep CimSweep
uses CIM cmdlets in PowerShell to allow companies to manage their incident response remotely across all Windows versions. With this tool, you can access registry keys, values, value types, and valuable content with optional recursion, directory, and file listing with optional recursion, event log entries, and processes that are essential for investigation and response. You can also scan for known bad artifacts and sweep for numerous forensic artifacts if you are adventurous enough.
3. GRR Rapid Response This tool
is also used by forensics to run an investigation remotely. However, your IT team can benefit from it as well: you can analyze the memory, search for files and registries, and monitor client devices. It is also a cross-platform solution which means that you can access it not only on Windows but on Linux and OS X as well. The tool offers automation opportunities for future or recurring tasks and is great for large enterprises.
4. TheHive Project
The strong side of TheHive Project
is its collaboration features. Numerous SOCs and CERTs can work together on one case, assign tasks, preview alerts together, and access the information that is updated in real-time. Investigators can analyze their performance, gather evidence in one place, etc. In the end, you get everyone to monitor everything that happens on your business platform and streamline the response to the incident without wasting time trying to organize the team.
5. AlienVault OSSIM OSSIM
is an open-source tool by AlienVault that has its limits compared to paid solutions but still offers great solutions for incident response. With this tool, you will be able to integrate with the system, gather information from all the security tools, assess existing threats, detect intrusion, and monitor behavior. Moreover, you will also have access to SIEM event correlation functionality. The system is always going through some improvements so we are waiting for more exciting features in the future!
6. Osquery Osquery
is one of the best solutions for Linux, OS X, clouds but it also works on Windows. It is used for endpoint visibility, alerts, reporting, and investigations. You can either schedule the collection of information (network, memory, service, process activity, and configurations) or create a query with SQL to fetch data as soon as you need it. The other great benefit of the tool is that you need to write a query only once and it will run across the whole system.
7. MIG: Mozilla InvestiGator
, you will be able to investigate your endpoint remotely, many systems in parallel. You can analyze files, memory, and network and search for indicators of a compromised system, for example, specific log entries, backdoor files, IP addresses, or signatures in processes memories. This tool is especially popular for its fast response where you can analyze the whole network in mere seconds because processes run in parallel.
8. The SIFT Workstation
The SIFT Workstation
is a framework that allows analysts to investigate file systems (NTFS, iso9660, swap, memory, fat12, ext3, etc.), registry, memory images (raw, aff, afd, ewf, etc.), and network evidence. The tool also offers robust incident response tools like Rapid Scripting and Analysis, Threat Intelligence and Indicator of Compromise Support, Threat Hunting, and Malware Analysis Capabilities. Security experts can integrate numerous other tools with The SIFT Workstation as well.
9. Wazuh Wazuh
is an open-source free security platform that offers rich functionality: security analysis, threat and vulnerability detection, cloud security, log data analysis, etc. Its incident response system allows organizations to respond to real-time threats (blocking access), identify indicators of the breach, and find more complex, more subtle attacks.
The major reason why Cyphon
was created is alert fatigue. Big incidents go unnoticed because there are thousands of security alerts and it is impossible to open them all. Cyphon aggregates the alerts from the mailbox, logs, and social media to later prioritize them and send customizable alerts that are worth attention.