Value Chain
A guiding principle in breach response that focuses on protecting the business value chain
Exposure
A guiding principle in breach response that involves identifying leaked data to understand the exposure level
Future Risk
A guiding principle in breach response that requires documenting the attack path and detection gaps to mitigate future risk
Investigation Lead
A role required in large-scale incident response to coordinate repeatable, well-defined tasks for analysts
Preparation
The IR cycle phase where you ready the environment, establish taskforces, and engage external entities
Identification and Scoping
The IR cycle phase where you confirm the nature of the attack and define affected systems
Containment/Intel Development
The IR cycle phase where you use active defense to limit attacker movement while remaining undetected
Eradication/Remediation
The IR cycle phase where you perform a coordinated, one-time removal of the attacker after the investigation
Recovery
The IR cycle phase where you resume normal business operations, which can be integrated with remediation steps
Lessons Learned/TI Consumption
The IR cycle phase where you finalize case documentation and conduct improvement workshops
Active Defence
A strategy with the objective to slow down attackers during the containment phase of an incident response
Active Hunting
A strategy that proactively identifies visibility gaps and prepares for attacks by assuming a breach has already occurred
Cyber Deception
Traps to distract attackers with false data, ideally for large-scale environments
Bit Flipping
A cyber deception technique that changes file magic headers
Zip Bombs
A cyber deception technique that uses overly large archives when uncompressed
Fake Mail
A cyber deception technique that populates victim email with fake data
Canary Tokens
Files, folders, links or URLs that throw an alert when accessed
Honeypots
Simulated machine services used as a cyber deception technique
Security Onion's Intrusion Detection Honeypot
An example of a honeypot tool
Honeyswarm
An example of a honeypot tool
Deutsche Telekom's T-Pot
An example of a honeypot tool
Thinkst
An example of a canary token tool
MITRE Engage
An example of a canary token tool
Preparedness
A key principle in enterprise IR that involves documentation, training, and rehearsing with the team
Collaboration
A key principle in enterprise IR that focuses on communication and team coordination
Speed
A key principle in enterprise IR that emphasizes the ability to respond quickly
Flexibility
A key principle in enterprise IR that requires the ability to adapt and adjust response
Continuous Improvement
A key principle in enterprise IR that involves reviewing and evaluating effectiveness
Horizontal Visibility
The percentage of devices and networks you can see
Vertical Visibility
What you see on the devices and networks you cover
Always-on Visibility Stack
Visibility tools that include EDR, Netflow, and SIEM
On-demand Visibility Stack
Visibility tools that include PCAP and Forensic Agents
IR Funnel
An efficiency strategy that starts with a large number of machines, narrows down, then performs deep-dive investigation
Resource Pools
A flexible efficiency approach that uses a set of tasks defining the resources needed
Network Sweeps
A resource pool task type used in incident response
Data Stacking
A resource pool task type used in incident response
Host Triage
A resource pool task type used in incident response
Malware Analysis
A resource pool task type used in incident response
Deep-dive Forensics
A resource pool task type used in incident response
IR Lead
The role that controls the investigation from start to end, manages the Spreadsheet of Doom, and runs status briefings
Analyst
The role that fulfills tasks assigned by the IR lead, performs hunting tasks, and supports IT
Malware Analyst
The role that dissects malware and extracts IOCs
Intel Analyst
The role that ingests all investigation data, advises analysts, and develops knowledge bases about adversaries
Sweep/Hunt
A predefined task type in incident response resource management
Triage
A predefined task type in incident response resource management
Deep Dive
A predefined task type in incident response resource management
OWA
A predefined task type in incident response resource management
Persistence Stack
A predefined task type in incident response resource management
Crew Resource Management (CRM)
Originally used in aviation, it aims to reduce information loss during urgent situations and is applied to incident response
Mission Analysis
A CRM principle ensuring short-term, long-term, and contingency plans are available
Assertiveness
A CRM principle involving willingness to actively participate, state, and maintain a position until disproven
Decision Making
A CRM principle requiring informed decisions in a logical and understandable way
Communication
A CRM principle ensuring clear information, instructions, or commands
Leadership
A CRM principle involving the ability to direct and coordinate activities
Adaptability and Flexibility
A CRM principle requiring the ability to alter the course of action based on new information
Situational Awareness
A CRM principle measuring how accurately the picture matches reality
10 for 10
A technique involving 10 minutes to evaluate situations during incident response
T.E.A.M.
Time out, Evaluation, Anticipation, Message - a technique to improve communication and team coordination
Aurora
IR case tracking software that scales and provides nice visualization features
DFIR-IRIS
IR case tracking software that tracks artifacts and timelines in a web app and can bulk upload via CSV
KAPE
A free triage collection and post-processing application written by Eric Zimmerman, designed for Windows only with crowd-sourced target files
Velociraptor
An open-source tool for triage acquisition that can run as a standalone collector or as a persistent agent, supporting multiple platforms
Windows.Triage.Targets
The Velociraptor artifact that replaced Windows.KapeFiles.Targets
Server.Import.Extras
The Velociraptor artifact that enables the Windows.Triage.Targets artifact
Server.Utils.ImportCollection
The Velociraptor artifact used to ingest triage zip data into the server
Windows.System.Pslist
The Velociraptor artifact used to collect a list of running processes
Windows.Network.NetstatEnriched
The Velociraptor artifact used to collect a list of active network connections
Windows.System.DNSCache
The Velociraptor artifact used to list the DNS cache
SOAR
Security Orchestration, Automation, and Response platforms that help security teams manage workloads through automation
dfTimewolf
A tool designed to chain together modules in a recipe to accomplish forensic processing jobs, developed by Google IR team
TimesketchExporter
A dfTimewolf module that exports sets of Plaso or CSV files to Timesketch
TimesketchEnhancer
A dfTimewolf module that enhances timesketch with additional reporting
LocalPlasoProcessor
A dfTimewolf module that processes a list of file paths with Plaso
SCPExporter
A dfTimewolf module that sends files via SCP
AWSCollector
A dfTimewolf module that creates an analysis VM and copies AWS volumes to it for analysis
AWSLogsCollector
A dfTimewolf module that reads logs from an AWS account
AzureCollector
A dfTimewolf module that creates an analysis VM and copies Azure volumes to it for analysis
GoogleCloudCollector
A dfTimewolf module that creates an analysis VM and copies GCP volumes to it for analysis
GCPLogsCollector
A dfTimewolf module that collects Google Cloud Platform logs
OpenRelik
An open-source, Apache-2.0 licensed platform specifically designed to streamline and enhance collaborative digital forensic investigations, developed by Google IR team
Node-RED
A flexible IT framework designed for flow-based programming, originally designed for IoT use
Plaso
A traditional timeline analysis tool used with log2timeline
pinfo
A Plaso tool used to retrieve information from a Plaso storage file
psort
A Plaso tool used to filter, sort and process a Plaso storage file
Timesketch
An open-source tool from the Google IR team for collaborative timeline analysis, powered by Elasticsearch
Sketches
A Timesketch concept that groups one or more timelines in a case
Timelines
A Timesketch concept that holds datasets based on timestamp
Stories
A Timesketch concept that allows analysts to write the narrative of their findings
hashR
A tool that provides hash sets of known-good and known-bad files for filtering and enrichment
Context Links
A Timesketch feature that enables quick lookups for IOCs on sites like VirusTotal, URLhaus, and AlienVault OTX
timesketch_importer.py
A CLI tool for importing timelines into Timesketch