What Tools Should I Have for Cybersecurity Incidents?

Asked By TechyTurtle42 On

I'm the only IT person at a company with about 45 employees, and I'm trying to compile a comprehensive set of tools to use during a cybersecurity incident. I want tools that aid in active breaches, including threat detection, investigating compromised endpoints or network activity, analyzing logs and traffic, isolating systems, and responding/remediating. We have an incident response plan, but without the right tools during a crisis, the plan won't be effective. What do you recommend?

5 Answers

Answered By PlanMaster88 On

It's crucial to have a solid Incident Response plan that details how to classify incidents, who takes charge during a crisis, and how to communicate with leadership. Document everything thoroughly for future reference. CISA has some excellent resources to help you get started and ensure you're prepared before a real incident occurs!

Answered By DataDynamo99 On

In my experience, Velociraptor is great for analyzing and monitoring workstations after a ransomware attack. I've also used CrowdStrike and SentinelOne for scanning post-infection. These tools really helped us get a grip on the situation.

CyberWizard88 -

+1 for Velociraptor! It's a must-have.

TechyTurtle42 -

Thank you for the suggestion!

Answered By IncidentGuru11 On

When I assisted a company during a ransomware situation, we got their insurance involved, and they used Velociraptor to gather the necessary forensic data. It was invaluable in that scenario.

Answered By SoloITSupport On

When managing an incident solo, I found GRR Rapid Response or Velociraptor to be lifesavers for collecting endpoint data. I also suggest Security Onion or Zeek for live network monitoring, which significantly increases your situational awareness. Plus, having tools on an external USB drive, along with backup contact info for vendors, made the chaos much smoother to handle.
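A worked example of the "analyzing logs and traffic" part of the question, added here and not code posted by anyone in the thread: a small Python triage script over a Zeek conn.log that flags regular-interval connections from inside hosts to external addresses (beaconing, a common C2 pattern) and single connections with unusually large outbound byte counts (possible staging or exfiltration). The conn.log lines are constructed for the example; the thresholds (5 connections, 20% interval jitter, 100 MB) and the RFC 1918 "internal" list are assumptions to tune for your own network.

```python
"""Triage a Zeek conn.log for beaconing and bulk outbound transfers.

Added example, not code from the original thread. Assumes Zeek's default
TSV conn.log layout with a '#fields' header; the sample rows below are
constructed, and the thresholds are assumptions to tune per network.
"""
import ipaddress
import statistics
from collections import defaultdict

# Explicit RFC 1918 list for "inside" rather than ipaddress.is_private:
# is_private also matches the documentation ranges (192.0.2.0/24,
# 198.51.100.0/24, 203.0.113.0/24) used as "external" hosts below and would
# silently hide exactly the traffic we are hunting for.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in Zeek TSV format (abbreviated field set; the parser
# keys on the '#fields' header, so it also accepts a full conn.log).
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1700000000.000\tCa1\t10.0.0.15\t49211\t203.0.113.7\t443\ttcp\tssl\t0.5\t512\t1200\tSF
1700000060.010\tCa2\t10.0.0.15\t49212\t203.0.113.7\t443\ttcp\tssl\t0.4\t508\t1180\tSF
1700000119.980\tCa3\t10.0.0.15\t49213\t203.0.113.7\t443\ttcp\tssl\t0.5\t510\t1190\tSF
1700000180.020\tCa4\t10.0.0.15\t49214\t203.0.113.7\t443\ttcp\tssl\t0.4\t511\t1175\tSF
1700000240.000\tCa5\t10.0.0.15\t49215\t203.0.113.7\t443\ttcp\tssl\t0.5\t509\t1210\tSF
1700000299.990\tCa6\t10.0.0.15\t49216\t203.0.113.7\t443\ttcp\tssl\t0.5\t512\t1195\tSF
1700000005.000\tCb1\t10.0.0.22\t51000\t198.51.100.9\t443\ttcp\tssl\t12.0\t4000\t90000\tSF
1700000140.000\tCb2\t10.0.0.22\t51001\t198.51.100.9\t443\ttcp\tssl\t3.0\t2000\t30000\tSF
1700000150.000\tCb3\t10.0.0.22\t51002\t198.51.100.9\t80\ttcp\thttp\t1.0\t600\t9000\tSF
1700000090.000\tCc1\t10.0.0.31\t52000\t192.0.2.44\t443\ttcp\tssl\t840.0\t250000000\t9000\tSF
1700000010.000\tCd1\t10.0.0.15\t49300\t10.0.0.5\t445\ttcp\t-\t0.2\t-\t-\tS0
#close\t2023-11-14-22-30-00
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_conn_log(text: str) -> list[dict]:
    """Parse Zeek TSV conn.log text into dicts keyed by the '#fields' header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        row = dict(zip(fields, line.split("\t")))
        row["ts"] = float(row["ts"])
        # Zeek writes '-' for unset counters; treat as zero bytes.
        for key in ("orig_bytes", "resp_bytes"):
            row[key] = 0 if row[key] == "-" else int(row[key])
        rows.append(row)
    return rows


def find_beacons(rows, min_conns=5, max_cv=0.2):
    """Flag (src, dst) pairs to external hosts with many evenly spaced connections."""
    by_pair = defaultdict(list)
    for r in rows:
        if not is_internal(r["id.resp_h"]):
            by_pair[(r["id.orig_h"], r["id.resp_h"])].append(r["ts"])
    hits = []
    for (orig, resp), stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if len(gaps) < 2 or mean <= 0:
            continue
        cv = statistics.stdev(gaps) / mean  # coefficient of variation: low = regular
        if cv <= max_cv:
            hits.append({"orig": orig, "resp": resp, "count": len(stamps),
                         "mean_interval": mean, "cv": cv})
    return sorted(hits, key=lambda h: h["cv"])


def find_bulk_uploads(rows, threshold=100_000_000):
    """Flag single connections sending >= threshold bytes to an external host."""
    hits = [{"orig": r["id.orig_h"], "resp": r["id.resp_h"],
             "uid": r["uid"], "orig_bytes": r["orig_bytes"]}
            for r in rows
            if not is_internal(r["id.resp_h"]) and r["orig_bytes"] >= threshold]
    return sorted(hits, key=lambda h: -h["orig_bytes"])


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONN_LOG
    rows = parse_conn_log(text)
    for b in find_beacons(rows):
        print(f"BEACON  {b['orig']} -> {b['resp']}  {b['count']} conns every "
              f"~{b['mean_interval']:.0f}s (cv={b['cv']:.3f})")
    for u in find_bulk_uploads(rows):
        print(f"UPLOAD  {u['orig']} -> {u['resp']}  {u['orig_bytes']} bytes  uid={u['uid']}")
```

Run it against a real log with `python triage.py /opt/zeek/logs/current/conn.log`; the Zeek uid on each hit is what you carry into the next step (the matching ssl.log or http.log entry, then a Velociraptor or GRR collection from the source host). The jitter test is deliberately loose, because malware often randomizes its sleep; lower `max_cv` to cut noise, raise it to catch jittered beacons, and expect chatty legitimate software (update checkers, SaaS agents) to show up until you allow-list it.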

Answered By BackupBuddy76 On

Remember, some of your best tools are the people around you. Even if you're a one-person IT team, having someone manage communications or take notes can lighten the load. Also, ensure you have offline backups and a disaster recovery plan if things go south. Checklists for compromised accounts can be super beneficial, too. If you're covered by cyber insurance, definitely talk to them about best practices.

