These types of tools allow the incident responder to have visibility into the network, allowing them to establish a baseline for what it normally looks like, and to easily visualize when anomalous behavior is occurring. Observational technical tools include:
- Host- and network-based intrusion prevention and intrusion detection systems (IPS/IDS): These tools are put in place to perform real-time monitoring of your network and server/workstation activity. These tools are typically signature-based and look for suspicious activity that matches a preconfigured signature. If a condition matches a signature, the tool will either block (IPS) or alert (IDS). The open source tool examples are as follows:
  - Suricata: https://suricata-ids.org/
  - OSSEC: https://ossec.github.io/
  - Bro IDS: https://www.bro.org/
  - Snort: https://www.snort.org/
- Security information and event management (SIEM), log analysis, and log management: These tools provide visibility into your network, systems, and applications. As part of preparation, you will want to ensure that you have complete visibility into your information systems. The open source tool examples are as follows:
- Availability monitoring: These tools monitor whether information systems are up and responsive. An availability monitoring tool could identify a pattern of outages leading to the identification of an incident. The open source tool examples are as follows:
- NetFlow analyzers: These tools examine the actual packets on the network and can be used to inspect for anomalous behavior. These tools can inspect any point on your network, including your boundaries. The open source tool examples are as follows:
  - Wireshark: https://www.wireshark.org/download.html
  - NfSen, Nfdump: http://nfsen.sourceforge.net/ and http://nfdump.sourceforge.net/
  - ntop: http://www.ntop.org/get-started/download/
- Web traffic analysis: These tools monitor and log various kinds of traffic passed between a client and a server. These tools will allow you to analyze traffic patterns, especially in HTTP traffic streams between web browsers and web servers. The open source tool examples are as follows:
  - IPFire: http://www.ipfire.org/
  - Squid proxy: http://www.squid-cache.org/
- Vulnerability scanners: These tools identify vulnerable systems on your enterprise network and include potential remediation for vulnerabilities identified as part of a vulnerability scan. The open source tool example is as follows:
  - OpenVAS: http://www.openvas.org/
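The baseline-then-anomaly idea from the opening paragraph, applied to the kind of flow records a NetFlow analyzer exports, in miniature. This is an added example, not code from the book or from any tool listed above; the flow records, the hour windows and the three-standard-deviation threshold are constructed for illustration.

```python
"""Baseline-and-anomaly check over NetFlow-style records (constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (hour, src_ip, dst_ip, bytes). Hours 0-23 form the
# baseline window; hour 24 is under review. 10.0.0.7 normally sends about
# 1 MB/hour to an internal host, then pushes 50 MB to an external one in hour 24.
FLOWS = []
for hour in range(24):
    FLOWS.append((hour, "10.0.0.5", "10.0.0.1", 800_000 + (hour % 3) * 50_000))
    FLOWS.append((hour, "10.0.0.7", "10.0.0.1", 1_000_000 + (hour % 4) * 40_000))
FLOWS.append((24, "10.0.0.5", "10.0.0.1", 830_000))
FLOWS.append((24, "10.0.0.7", "203.0.113.9", 50_000_000))


def hourly_bytes_per_host(flows):
    """Sum bytes sent by each source address per hour -> {src: {hour: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for hour, src, _dst, nbytes in flows:
        totals[src][hour] += nbytes
    return totals


def build_baseline(flows, baseline_hours):
    """Per-host (mean, std-dev) of hourly outbound bytes across the baseline window."""
    baseline = {}
    for src, by_hour in hourly_bytes_per_host(flows).items():
        samples = [by_hour[h] for h in baseline_hours if h in by_hour]
        if len(samples) >= 2:  # need more than one sample to measure a spread
            baseline[src] = (mean(samples), pstdev(samples))
    return baseline


def find_anomalies(flows, baseline, review_hour, k=3.0):
    """Hosts whose outbound bytes in review_hour exceed mean + k * stddev."""
    # A host with no baseline (first seen in the review window) is reported
    # too: 'never seen sending before' is itself worth a look during triage.
    hits = {}
    for src, by_hour in hourly_bytes_per_host(flows).items():
        observed = by_hour.get(review_hour)
        if observed is None:
            continue
        if src not in baseline:
            hits[src] = ("no baseline", observed)
        elif observed > baseline[src][0] + k * baseline[src][1]:
            hits[src] = ("above baseline", observed)
    return hits


if __name__ == "__main__":
    print(find_anomalies(FLOWS, build_baseline(FLOWS, range(24)), 24))
```

With real data the per-host history would come from nfdump output and the window would be much longer than a day, but the shape of the check (learn normal, then flag what falls outside it) is the same.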