SOC analysts are becoming worn down due to the growing amount of cyber security threats, ongoing alert fatigue, and the industry skill shortage that is leaving SOCs understaffed. Automation of a variety of tasks, both routine and complex, frees up much-needed analyst time and accelerates the whole incident response process. As attackers are becoming faster and stronger, industry leaders understand that incident response automation is a necessity in today’s cyber threat landscape.

The first step in implementing incident response automation in your SOC should not be starting a long procurement process to buy an automation platform from one of the top-tier vendors, but rather using free tools to assess the needs and areas/domains requiring improvement, and then explore the market for more comprehensive solutions. In this blog post, we will present the top 5 open source incident response automation tools, chosen by Cyberbit’s incident response experts, which will allow you to improve your IR process, and assess your incident response automation needs.

An agentless suite of CIM/WMI-based tools that enable analysts to perform incident response and threat hunting remotely, across all versions of Windows. The tools allow analysts to collect forensic data such as registry keys, event log entries, services, processes and more. CimSweep also includes the opportunity for contributors to easily write and add domain-specific functions for the collection of attack-oriented information. Such functions can include sweeping for known malicious files, bad registry keys, suspicious activity indicating attacker persistence behavior, and more.

GRR Rapid Response
Developed by security researchers at Google, GRR is an agent-based cross-platform framework through which a cyber incident response team can perform various data collection tasks such as memory analysis, file and registry search, and client device monitoring. The toolset also includes task automation features, such as automated scheduling for recurring tasks and future task scheduling for clients. Integrated scripting can be done through IPython console access. GRR is highly scalable, and can be deployed widely across large networks.
Due to its robust malware analysis functionality, GRR it was also mentioned in another blog post in this series: 5 Open Source Malware Tools You Should Have in Your Arsenal.

Using teamwork while investigating an incident can greatly improve the quality of incident response. The creators of TheHive have put together an elaborate analysis and SOC orchestration platform that focuses on letting teams work together and collaborate to perform quality, timely investigations. Every investigation corresponds to a case, which can be broken down to one or more tasks. These tasks are claimed or assigned to analysts in the SOC, who can then investigate them simultaneously. TheHive also has a Python API client which allows analysts to create cases and send alerts out of different sources such as email or a SIEM. Additional supplementary tools made by TheHive Project are Cortex, an automation tool for bulk analysis, and Hippocampe, a threat feed aggregator.

Sometimes the most pressing need in cyber incident response is simple and quick endpoint visibility. Osquery is a querying tool that lets SOC analysts get the answers they want about endpoints in their network. Queries return and log forensic data such as; running processes, logged-in users, password changes, USB devices, firewall exceptions, and listening ports. These queries can also be scheduled, giving SOCs the ability to monitor interesting endpoint behaviors.

Mozilla’s MIG is an agent-based investigation platform that allows real-time querying and investigation of endpoints. The operation security platform returns endpoint data in a matter of seconds and can be used for file, network and memory inspection. Vulnerability management can also be done on Linux machines. Privacy is a core value in the orchestration of MIG, so no raw data is returned to the querying end but rather only answers to specific questions.

Taking the Next Steps in Incident Response Automation

So, after reading this blog post, what’s next? First off, browse the websites, assess the solutions and determine which type of incident response automation tools are relevant for your operation to implement. Also, check in with your team and establish which routine tasks can be automated and which investigation techniques need improvement. Before implementing the tools, spend a week or two measuring current activity times, effectiveness and efficiency. Now you are ready to install the tools, measure the results and look for improvement. Based on these results, you will be able to focus your future vendor engagements on the features that suit you best, as well as demonstrate the value that incident response automation platforms have on the IR process, to your executive management.

Watch FREE Webinar: Addressing the Skill Gap in the Modern SOC

Ofir Ashman is a cybersecurity researcher and marketer at Cyberbit.


See a Cyber Range Training Session in Action