Must-have tools for handling a cybersecurity incident?
Posted by YellOBrinjal@reddit | sysadmin | 17 comments
Hey all, I’m the sole IT person for a company with around 45 employees, and I’m trying to put together a solid set of tools (open-source or paid) to use during a cybersecurity incident.
I’m not just looking at prevention, but specifically tools that help during an active breach; things like detecting threats/breach, investigating compromised endpoints or network activity, analyzing logs/traffic, isolating systems, and actually responding/remediating. We do have an incident response plan, but without an active toolset during a live scenario, the plan doesn’t mean much.
Any suggestion?
Kumorigoe@reddit
Sorry, it seems this comment or thread has violated a sub-reddit rule and has been removed by a moderator.
Do Not Conduct Marketing Operations Within This Community.
Your content may be better suited for our companion sub-reddit: /r/SysAdminBlogs
If you wish to appeal this action please don't hesitate to message the moderation team.
Ok-Tomorrow-7591@reddit
You are thinking about it the right way tbh. A plan without actual tools during an incident doesn't help much. I'd usually look at a mix of EDR (like CrowdStrike/SentinelOne), some kind of SIEM for visibility, and something for log aggregation. Also having good backups + a way to verify they're clean is super important when things go wrong.
Curious what your current setup looks like?
YellOBrinjal@reddit (OP)
For context, our current setup is fairly basic: we have 3 on-prem servers with both local and cloud backups (including system state), all users are in a Microsoft environment, and we’re running a hardware firewall with a mixed network stack including Cisco, SonicWall, and UniFi equipment.
jackalsclaw@reddit
Without diving into what you are protecting and what you have already, here are some thoughts:
Some of the best tools you have in an emergency are other people. Even if you are the only IT person, having a manager take over communication or having someone else take notes can be a real help. If it becomes a legal or compliance issue, make sure they aren't relying on you instead of a lawyer.
Make sure that you have offline or immutable backups. And a good DR plan if the breach wrecks things.
Checklists for things like compromised accounts are helpful.
If you have cyber insurance, ask them about this.
Do you have a plan for if this happens when you are out of reach?
YellOBrinjal@reddit (OP)
For context, our current setup is fairly basic: we have 3 on-prem servers with both local and cloud backups (including system state), all users are in a Microsoft environment, and we’re running a hardware firewall with a mixed network stack including Cisco, SonicWall, and UniFi equipment.
But yes, for the last thing you asked, we will create some sort of hierarchy to report to when I am out of reach. Thank you.
AlexG2490@reddit
An Incident Response plan that details how you will:
CISA provides some guidance that can help you get started here: https://www.cisa.gov/sites/default/files/2024-08/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf
YellOBrinjal@reddit (OP)
Thank you.
Deal_me_in_784@reddit
The thing nobody talks about enough is having a pre-configured out-of-band communication channel ready before anything happens 🥲when your email is potentially compromised, coordinating response over the same systems you’re trying to protect is a nightmare. Signal group, anything really. Learned that the hard way.
Beneficial-Gift5330@reddit
Excel for tracking the details
Outlook for emailing your bosses
Chrome for applying for new jobs with a slick UI and a good password manager
Beneficial-Gift5330@reddit
Also since you’re a bot, deleting your own source code and agent
YellOBrinjal@reddit (OP)
Not so much beneficial-gift!
ee328p@reddit
What do you mean? 🤔
AmazingHand9603@reddit
When I had to manage an incident solo, I found that having ready access to something like GRR Rapid Response or Velociraptor for endpoint data collection was a lifesaver. I would also include Security Onion or even just Zeek for live network monitoring, which enhances situational awareness. If you are handling isolation, managed switches or EDRs with remote isolation features can help you instantly contain affected endpoints. I also recommend having an external USB drive with key tools, a password vault, and contact info for key vendors and your insurance people. The less you have to Google in the moment, the better, and it might make things a bit smoother.
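One concrete thing the Zeek suggestion above buys you during an active incident is a conn.log you can hunt through for command-and-control beaconing without any other tooling. The script below is an added example written for this thread, not code from the commenter, from Zeek, or from Security Onion. It assumes only the default Zeek ASCII writer layout (tab-separated values with a `#fields` header line); the log excerpt is constructed for the demo, the IPs are documentation ranges, and the `min_conns` and `max_cv` thresholds are assumptions to tune for your own network.

```python
"""Hunt for beaconing in a Zeek conn.log by looking for connection pairs
whose inter-arrival times are suspiciously regular.

The scoring metric is the coefficient of variation (stdev / mean) of the gaps
between successive connections from one source host to one destination
host:port. Implants that call home on a fixed timer, even with jitter, have a
low CV; human browsing has a high one.
"""
import statistics
import sys
from collections import defaultdict

FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"]


def _build_sample_log() -> str:
    """Constructed conn.log excerpt (not captured traffic) in Zeek's TSV layout."""
    lines = ["#separator \\x09", "#fields\t" + "\t".join(FIELDS)]
    base = 1700000000.0
    # Beacon: 10.0.0.5 -> 203.0.113.10:443 every 60 s with about a second of jitter.
    for i, jitter in enumerate([0.0, 0.4, -0.3, 0.8, -0.6, 0.2, 0.1, -0.5]):
        ts = base + 60 * i + jitter
        lines.append(f"{ts:.6f}\tCb{i}\t10.0.0.5\t{50000 + i}\t203.0.113.10\t443"
                     f"\ttcp\tssl\t0.512\t1288\t642\tSF")
    # Ordinary browsing: 10.0.0.7 -> 198.51.100.20:443 at irregular intervals.
    t = base
    for i, gap in enumerate([0, 5, 120, 3, 900, 45, 11]):
        t += gap
        lines.append(f"{t:.6f}\tCw{i}\t10.0.0.7\t{51000 + i}\t198.51.100.20\t443"
                     f"\ttcp\tssl\t2.1\t4100\t98000\tSF")
    lines.append("#close\t2023-11-14-22-16-40")
    return "\n".join(lines) + "\n"


SAMPLE_CONN_LOG = _build_sample_log()


def parse_conn_log(text: str) -> list[dict]:
    """Parse Zeek TSV output into dicts keyed by the names in the #fields line."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):      # #separator, #types, #close, ...
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            continue                               # malformed or truncated row
        records.append(dict(zip(fields, values)))
    return records


def find_beacons(records: list[dict], min_conns: int = 6, max_cv: float = 0.1) -> list[dict]:
    """Return (orig, resp, port) tuples whose connection timing is near-periodic.

    min_conns and max_cv are assumed thresholds: a handful of connections is not
    enough to judge regularity, and a CV above ~0.1 is too noisy to be a timer.
    """
    by_pair: dict[tuple, list[float]] = defaultdict(list)
    for r in records:
        try:
            by_pair[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(float(r["ts"]))
        except (KeyError, ValueError):
            continue                               # Zeek writes "-" for unset fields
    hits = []
    for (orig, resp, port), stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"orig": orig, "resp": resp, "port": port,
                         "count": len(stamps), "interval_s": round(mean, 1),
                         "cv": round(cv, 3)})
    hits.sort(key=lambda h: h["cv"])               # most regular first
    return hits


def hunt(text: str) -> list[dict]:
    return find_beacons(parse_conn_log(text))


if __name__ == "__main__":
    # Usage: python beacon_hunt.py /opt/zeek/logs/current/conn.log  (or no arg for the sample)
    log_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONN_LOG
    for hit in hunt(log_text):
        print(f"{hit['orig']} -> {hit['resp']}:{hit['port']}  n={hit['count']}  "
              f"interval={hit['interval_s']}s  cv={hit['cv']}")
```

Treat the output as a hunting lead rather than a verdict: legitimate timers (update checkers, monitoring agents, NTP, mail polling) score just as low, so the next step is to pivot on the flagged host in Velociraptor or your EDR and look at which process owns those connections.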
nocturnal@reddit
When I was called in to help a company with a ransomware attack, we got their insurance involved, and they utilized Velociraptor to grab the forensic data.
dloseke@reddit
Speaking from one incident, Velociraptor was used for analyzing and monitoring workstations after a ransomware incident. I have also used CrowdStrike or SentinelOne post-infection for scanning and monitoring.
Probably worth asking around in r/computerforensics as Google brought me to this thread.
https://www.reddit.com/r/computerforensics/s/KufOjYuG7U
gixo89@reddit
+1 for Velociraptor!
YellOBrinjal@reddit (OP)
Thank you sir!