Using Existing Tools to Facilitate Incident Response



Part 7 of our Field Guide to Incident Response series offers tips for using your existing security tools to facilitate incident response efforts.

As more organizations are starting to implement incident response programs, many wonder what tools are available to support incident response. The good news for security teams is that many of your existing tools offer functionality that will be beneficial for forensics and other incident response tasks. Here are a few of the ways you can leverage your existing IT and security tools to facilitate incident response.

Detect Threat Actors through Antivirus Logs

Your good ol’ antivirus solution may only detect 10 to 15 percent of malware, but your antivirus logs may contain critical indicators of the attack.

When threat actors break into your environment, one of their first objectives is to acquire passwords by running a credential dumping program. Your antivirus might detect this activity the first time and block the program from executing. But further executions of different credential dumping programs may go unnoticed, so it’s important to alert on any activity associated with these types of malicious tools. Having the log of the first attempt is critical because that might be the single thread that you need to pull and unravel to identify a potential incident.
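One way to apply this to an antivirus log export, as an added example that is not from the original post or any vendor's product: it alerts on every credential-dumping detection even when the action was "blocked", and raises priority when a host shows several distinct tools. The log layout, detection names, hostnames and naming patterns are constructed assumptions; tune the patterns to your own antivirus vendor's detection names.

```python
import csv
import re
from collections import defaultdict
from io import StringIO

# Assumed naming patterns for credential-dumping detections (vendor names vary).
CRED_DUMP = re.compile(r"cred(ential)?s?[\s._-]?dump|pwdump|password[\s._-]?steal", re.I)

# Constructed sample export: time, host, detection name, action taken, file path.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z,WS-114,HackTool.CredDump.A,blocked,C:\\Users\\Public\\a.exe
2024-03-04T09:13:40Z,WS-114,Adware.Toolbar.X,quarantined,C:\\Temp\\setup.exe
2024-03-04T09:19:22Z,WS-114,Riskware.PwDump.B,blocked,C:\\Users\\Public\\b.exe
2024-03-04T11:02:10Z,SRV-DB2,Trojan.Generic.Q,quarantined,D:\\share\\invoice.scr
2024-03-05T02:47:55Z,WS-201,HackTool.CredDump.A,blocked,C:\\ProgramData\\t.exe
"""

def credential_dump_alerts(log_text):
    """Return one alert per host that has any credential-dumping detection.

    A blocked detection still produces an alert: the block stops one tool,
    not the intruder who ran it.
    """
    hits = defaultdict(list)
    for row in csv.reader(StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        ts, host, name, action, path = row
        if CRED_DUMP.search(name):
            hits[host].append({"time": ts, "name": name, "action": action, "path": path})

    alerts = []
    for host, events in sorted(hits.items()):
        tools = sorted({e["name"] for e in events})
        unblocked = any(e["action"] != "blocked" for e in events)
        # Several distinct tools on one host suggests retries after the first block.
        priority = "high" if unblocked or len(tools) > 1 else "medium"
        alerts.append({"host": host, "priority": priority, "tools": tools,
                       "first_seen": min(e["time"] for e in events)})
    return alerts

if __name__ == "__main__":
    for alert in credential_dump_alerts(SAMPLE_LOG):
        print(alert)
```

The `first_seen` timestamp of each alert is the natural starting point for a wider search of other log sources covering that host.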

SIEM Logs Can Often Tell the Story

A centralized SIEM that ingests logs from all of your security systems, such as antivirus, firewall, intrusion prevention systems, and data loss prevention, is a critical tool.

A SIEM enables you to search across all devices within your enterprise to identify malicious activity, trace it back, and determine how a potential threat gained access. What boxes did they touch? What firewall did they go through, and what data leak prevention logs may have been generated while they were on a system? Incident responders need to answer these types of questions, and having a SIEM makes doing so easier.

DLP Logs: Show Me the Data

Data loss prevention solutions provide deep visibility into data movements and system-level events, making them another valuable source of forensic information for incident response.

Reviewing DLP logs can help you drill further into potential incidents or threat activity uncovered in your SIEM logs or earlier in your incident response process. These logs are a valuable tool for determining the motivation of the threat actors as well as what data may have been targeted or compromised in the incident. Some DLP solutions even capture process executions in their logs, another valuable piece when putting together the puzzle of “what happened?” in a security incident.

In a previous post I also discussed how Proxy, Windows, Antivirus, and Digital Guardian logs can come in handy when threat hunting – many of these features can be dual use for incident response, so check out that post and consider incorporating those tools into your IR processes as well.

For more incident response tips, download our free eBook, The Incident Responder’s Field Guide – Tips from a Fortune 100 Incident Responder.

Read more in our Field Guide to Incident Response Series

  1. 5 Key Criteria for Creating an Incident Response Plan that is Practical for YOUR Organization
  2. The Do’s and Don’ts of Incident Response
  3. Building Your Incident Response Team: Key Roles and Responsibilities
  4. Creating an Incident Response Classification Framework
  5. The Five Steps of Incident Response
  6. 3 Tips to Make Incident Response More Effective
  7. Using Existing Tools to Facilitate Incident Response
  8. Learning From a Security Incident: A Post-Mortem Checklist
Tim Bandos

Tim Bandos, CISSP, CISA is vice president of cybersecurity at Digital Guardian. He has over 15 years of experience in the cybersecurity realm with a heavy focus on Internal Controls, Incident Response & Threat Intelligence.