Section 3 - Discovery of what's out there for tooling for Incident Response

[u269c]

In order to better determine what is best for the SIRT, we should look at what's hot right now...

Add entries here, in the following format:

## $toolname
_short description_

__item__ | __Description__
--- | ---
_URI_ | http[:]//URL_where_to_find_this
_Price_ | $$$ for initial, and maintenance, estimates are OK
_Why should this be considered?_ | reason1, 2, ...

**Conclusion**: _brief opinion on your part_

[u269c]

Siemplify

A Google solution, with cloud hosting, for a SIEM. This is very much an EDR/XDR solution, with dynamic playbooks and all the monitoring you can think of with a cloud environment as the target.

item	Description
URI	https://www.siemplify.co/
Price	0$ for the Community Edition
Why should this be considered?	Community Edition is free.

Conclusion: I think we should not go for this if we have any alternative that is more focused on coordination of incidents, this is more for a SOC, which is most likely not our SIRT goal.

[u269c]

CERTCC / VINCE

Developed by CERT/CC, this is a platform aimed at information sharing and coordination. It is being used by the CERT/CC folks, and mainly developed by them as well, with a community being built around it.

item	Description
URI	https://github.com/CERTCC/VINCE
Price	0$ for software, we'd need infra for it... DB, hosting, software maintenance...
Why should this be considered?	Focused on coordination, with an eye for adding external parties. Fairly lightweight, and open source software.

Conclusion: I think this is probably our best bet. The caveat here is that we'll need to invest both infrastructure costs, as I would run our own instance, and also expertise to contribute back to the project.

[u269c]

Infra costs: We could probably get Amazon, Microsoft or Google cloud credits here to floor that, given the OSSF ties.

[u269c]

PagerDuty

Incident coordination tool, mostly aimed at SRE/DevOps, with tons of monitoring integrations and oncall management. This is an all-around tool geared towards availability-type incidents, and a mature automation and integration, with years of experience around enterprise/industry audiences.

item	Description
URI	https://www.pagerduty.com/platform/devops/incident-response/
Price	Between 5-41$/user/month, depending on the plan.
Why should this be considered?	Their Security-Ops offering is still rich, and lots of automation exist.

Conclusion: I do not think we should go for PagerDuty. This tool is mostly aimed towards SOC-like, in the security-ops sense, and less around coordinating incidents with multiple parties. We will most likely run into issues with user management (access to incidents from non-members), and the vast amount of integration/monitoring features will not serve us in the least given our scope.

[u269c]

Crowdsec

Free SIEM. This one is community-heavy, with a paid membership for additionnal services attached (like threat intel)...

item	Description
URI	https://github.com/crowdsecurity/crowdsec
Price	0$ for using, but fees start applying for services. and Infra costs..
Why should this be considered?	Very much a SIEM here, with agents... unsure about coordination aspects.

Conclusion: Again, this is more of a SIEM, albeit being free. I do not think it will be adapted to our needs for now.

[TheFoxAtWork]

Redmine

Redmine is a flexible project management web application. Written using the Ruby on Rails framework, it is cross-platform and cross-database.

item	Description
URI	https://www.redmine.org/projects/redmine
Price	0, open source but will need infrastructure to run on, hosting, maintenance, etc.
Why should this be considered?	While not explicitly an incident mgmt tool, I've seen it used to assist in managing incidents and its feature set is flexible.

Conclusion: I think its an option, not as good as the ones from @u269c but if all else fails this and some ingenuity would be a good fit.

[SecurityCRob]

Jira/Confluence

A tracking tool and documentation system that combine like Voltron to provide a hosted vendor solution that is used through out the industry.

item	Description
URI	https://www.atlassian.com/
Price	$$ - commercial tool that is moderately expensive, but could have $0 ongoing maintenance cost to account for
Why should this be considered?	1.) this is one of the defacto tools used throughout the PSIRT community 2.) is is extensible with automation/tooling/plugins 3.) many people are used to the interface if you work with developers 3.) hosted-solution eliminates need for SRE-like roles, but does incur ongoing cost

Conclusion: Depending on how large this effort gets, this is a path we could consider. Atlassian is a premier foundation member and perhaps something could be worked out to use these tools

[SecurityCRob]

Bugzilla

Bugzilla is server software designed to help you manage software development.

item	Description
URI	https://www.bugzilla.org/
Price	$0, open source but will need infrastructure to run on, hosting, maintenance, etc.
Why should this be considered?	1.) Mature software development/workflow management tool 2.) broad community use in traditional OSS-space (simpler to implement for some constituents)

Conclusion: Possibility if we're looking at a tracking system without additional doo-dads and bells-n-whistles

[u269c]

GitHub Issues / Actions

Using GH issues to track intake, coordination and other formats and automations.

item	Description
URI	http://github.com
Price	$ or nothing, might be mostly limited by features here
Why should this be considered?	Already well integrated with most OSS maintainers, issues do have good management features around ACLs, automation and other integrations.

Conclusion: Genuinely, I'd like to try this. We can probably have a dedicated org for this stuff if we want to handle a closed access better... needs discussions with GH experts here.

[u269c]

@ran-dall - Webhooks could be used here to automate A LOT.

[u269c]

• @SecurityCRob to ask the Board/folks at OSSF about this, and potentially getting a dedicated GH org for sensitive coordinations.

[ran-dall]

TheHive Project

A scalable, open source, and free Security Incident Response Platform, tightly integrated with MISP (Malware Information Sharing Platform), designed to make life easier for SOCs, CSIRTs, CERTs, and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.

Item	Description
URI	https://thehive-project.org
Price	0, open source but will need infrastructure to run on, hosting, maintenance, etc., or there's a SaaS option available
Why should this be considered?	vendor agnostic, actively maintained, free (both meanings) & open source, Docker image available, security audience oriented, seems to be widely used, has several interesting integrations

Conclusion: It might be a little too much for our use case(s); however, it does everything you'd want a SIRP Platform to do and does it well. The UI isn't terrible (it's actually fairly good), and some of the automation features might be interesting. So it might be worth looking into.

📝 NOTE: It seems the organization is moving more towards a commercial model/company with TheHive 5. However, they do still seem to offer a TheHive 5 Community Edition that is free and open source.

[ran-dall]

FIR (Fast Incident Response)

FIR (Fast Incident Response) is a cybersecurity incident management platform designed with agility and speed in mind. It allows for easy creation, tracking, and reporting of cybersecurity incidents.

Item	Description
URI	https://github.com/certsocietegenerale/FIR
Price	0, open source but will need infrastructure to run on, hosting, maintenance, etc.
Why should this be considered?	vendor agnostic, free (both meanings) and open source, security audience oriented, can be folded into other systems

Conclusion: Very lightweight and extensible, yet it covers a lot on its own. Now it's not the most modern UI out there, but I think the current UI is functional. It is missing some of the fancier visualization features if that's your thing.

[adriandiglio]

SIFT Workstation - SANS Incident Forensic Toolkit

The SIFT Workstation is a collection of free and open-source incident response and forensic tools designed to perform detailed digital forensic examinations in a variety of settings. It can match any current incident response and forensic tool suite.

item	Description
URI	https://www.sans.org/tools/sift-workstation/
Price	Free
Why should this be considered?	It's a comprehensive tool suite. It covers both incident response tools and forensic tools

Conclusion: Forensics is often overlooked when thinking about incident response, but it's an important aspect for truly understanding root cause and attributing an attack to a specific actor. But, the SIFT Workstation is more than just forensics, it's a suite of incident response tools as well. SIFT Workstation is to cyber defenders as Kali Linux is to hackers.

[ran-dall]

"DIY"

We could always build our own tool.

Item	Description
URI	TBD
Price	TBD
Why should this be considered?	TBD

Conclusion: After doing a deep dive on VINCE, I don't think it is very hard to reproduce the tool; maybe a bit more vendor agnostic.