Tuesday, February 09, 2016

toolsmith #113: DFIR case management with FIR

#NousSommesUnis #ViveLaFrance

Bonjour! This month we'll explore Fast Incident Response, or FIR, from CERT Societe Generale, the team responsible for providing information security incident handling and response to cybercrime issues targeting  for Societe Generale. If you're developing a CERT or incident management team but haven't yet allocated budget for commercial case management tooling such as DFLabs Incman NG or CO3/Resilient (not endorsements), FIR is an immediate solution for your consideration. It's a nice quick, easy to deploy fit for any DFIR team in my opinion. It's built on Django (also one of my favorite movies), the Python Web framework, and leverages virtualenv, a tool to create isolated Python environments.
From their own README: "FIR (Fast Incident Response) is an cybersecurity incident management platform designed with agility and speed in mind. It allows for easy creation, tracking, and reporting of cybersecurity incidents.
FIR is for anyone needing to track cybersecurity incidents (CSIRTs, CERTs, SOCs, etc.). It's was tailored to suit our needs and our team's habits, but we put a great deal of effort into making it as generic as possible before releasing it so that other teams around the world may also use it and customize it as they see fit."
I had a quick chat with Gael Muller who said that the story about why they created and open-sourced FIR is on their blog, and that one year later, they do not regret their choice to do the extra work in order to make it FIR generic and release it to the public. "It seems there are plenty of people using and loving it, and we received several contributions, so I guess this is a win/win situation."
FIR offers a production and development environment, I tested the development version as I ran it from my trusty Ubuntu 14.04 LTS VM test instance.
Installation is easy, follow this abridged course of action as pulled from FIR's Setting up a development environment guidance:
  1. sudo apt-get update
  2. sudo apt-get install python-dev python-pip python-lxml git libxml2-dev libxslt1-dev libz-dev
  3. sudo pip install virtualenv
  4. virtualenv env-FIR
  5. source env-FIR/bin/activate
  6. git clone https://github.com/certsocietegenerale/FIR.git
  7. cd FIR
  8. pip install -r requirements.txt
  9. cp fir/config/installed_apps.txt.sample fir/config/installed_apps.txt (enables the Plugins)
  10. ./manage.py migrate
  11. ./manage.py loaddata incidents/fixtures/seed_data.json
  12. ./manage.py loaddata incidents/fixtures/dev_users.json
  13. ./manage.py runserver
If not in Paris (#jesuisParis), you'll want to change the timezone for your location of operation, default is Europe/Paris. Make the change in /FIR/for/config/base.py, I converted to America/Los_Angeles as seen in Figure 1.
Figure 1
Control-C then re-run./manage.py runserver after you update base.py.
As you begin to explore the FIR UI you can login as admin/admin or dev/dev, I worked from the admin account (change the password if exposed to any active networks). You'll likely want to make some changes to create a test bed that is more relevant to your workflows and business requirements. To do so click Admin in the upper right-hand corner of the UI, it's a hyperlink to http://127.0.0.1:8000/admin/ as seen in Figure 2.

Figure 2
This is one incredibly flexible, highly configurable, user friendly and intuitive application. You'll find that the demo configuration options are just that, take the time to tune them to what makes sense for your DFIR and security incident management processes. I created test workflows imaging this instance of FIR was dedicated to CERT activities for a consortium of hospitals, we'll call it Holistic Hospital Alliance. I first modified Business Lines to better align with such a workload. Figure 3 exhibits these options.

Figure 3: Business Lines
Given that we're imagining response in a medical business scenario, I updated Incident Categories to include IoT and Medical Devices as seen in Figure 4. At teams these are arguably one and the same but imagine all the connected devices now or in the future in a hospital that may not be specifically medical devices.

Figure 4: Incident Categories
I also translated (well, I didn't, a search engine did) the French Bale Categories to English (glad to share), as seen in Figure 5.
Figure 5: Bale Categories
The initial Bale Categories are one of the only feature that remains that is specific to CERT Societe Generale. The categories provide correspondence between the incident categories they use every day, and the categories mentioned in the Basel III regulation. As a CERT for financials, they need to be able to report stats using these categories. According to Gael, most people do not use these or even know they exist, as it is only visible in the "Major Incidents" statistics view. Gael thinks it is better if people ignore this as these as they are not very useful for most users.

Now to create a few cases and enjoy the resulting dashboard. I added four events, three of which were incidents, including a Sev 3 malware incident (in FIR a Sev 4 is the highest severtity), a Sev 4 stolen credit card data incident, a Sev 2 vulnerable ICU machine incident, and a Sev 1 vulnerability scanning event as we see in Figure 6.

Figure 6: Dashboard

Numerous editing options await you, including the ability to define you plan of action and incident confidentiality levels, and granularity per unique incident handler (production version). And I'll bet about now you're saying "But Russ! What about reporting?" Aye, that's what the Stats page offers, yearly, quarterly, major incidents and annual comparisons, ready to go. Figure 7 tells the tale.

Figure 7: Stats
You will enjoy FIR, I promise, its easy to use, well conceived, simple to implement, and as free DFIR case management systems go, you really can't ask for more. Give a go for sure, and if so possessed, contribute to the FIR project. Vive la FIR et bien fait CERT Societe Generale! Merci, Gael Muller.
Ping me via email or Twitter if you have questions: russ at holisticinfosec dot org or @holisticinfosec.

Cheers…until next month.

Moving blog to HolisticInfoSec.io

toolsmith and HolisticInfoSec have moved. I've decided to consolidate all content on one platform, namely an R markdown blogdown sit...