Save time with unbiased, independent feedback on vendor solutions.
Watch weekly bite-sized webinars hosted by IANS Faculty.
Plenty of tools exist for ticketing and tracking during an incident response. This report outlines the main requirements for incident ticketing/tracking tools and walks you through the decision-making process.
IR and incident handling can sometimes be a simple thing. A user reports a strange email, suspecting the email to be a phishing attack, right after an awareness training session due to a newfound paranoia. You investigate, mark it as a false positive and close
the incident. For this use case, using a simple spreadsheet to track your incidents will suffice.
But let’s look at another use case where an advanced persistent threat (APT) uses multiple attack vectors and several social engineering attacks, including data exfiltration, installing remote access Trojans, domain controller compromise and encrypting
several servers and critical workstations with ransomware. Email and IP telephony are down, the IR team is gradually growing as the investigation slowly uncovers the sophistication level of this case, and you are calling in a third-party forensics
team to help you get back control of your own infrastructure.
Such an endeavor requires managing multiple pieces of information that can be very complex and sometimes unstructured. During the investigation, the IR team gathers and analyzes evidence from all affected assets and can produce many pages of data as a
result. To ensure the completeness and consistency of the investigation, automated computer software can help track the incident across all the IR stages.
When laying out the requirements for the system, you should consider an incident response tool’s ability to:
Your chosen InfoSec ticketing system should, but are not limited to, support the following:
IR tools are often the target of adversaries. If they get access to them, they will find out what you know about them and what steps are you taking to mitigate their attack. Your incident tracking tools should contain safeguards necessary to prevent unauthorized
modification of information during its processing, storage and transmission. The resiliency of the incident ticketing system must be ensured by implementing the following security practices:
RTIR is an open-source web-based application that can be used in any environment and with any device. It helps manage the whole lifecycle of incidents and allows for customizations and integration with external tools for analysis.
RTIR can correlate key data from incident reports (from people as well as automated tools) to find patterns and link multiple incident reports with a common root cause incident. It is managed by Best Practical, a commercial entity, and is licensed under
the GNU General Public License.
OTRS is a commercial ticketing and process management system that allows for automated workflows that are custom designed for security. It can integrate with third-party tools for detection, analysis and monitoring, and it also allows for automated processes
and notifications for quick response. It supports automated security alert processing to inform you immediately about a security breach, and it provides instructions for dealing with it. With OTRS, all incidents and resolution steps are documented,
and comprehensive reports can be produced.
TheHive is an open-source security incident platform that is integrated with MISP and contains automation of some analytical operations using Cortex, which was built by TheHive and contains several analyzers like VirusTotal, PhishTank, Shodan and many
others. Cortex manages these autonomous tools right inside TheHive and allows for their automation. TheHive supports all six stages of IR, and lets you break down individual cases by tools or by processes in your playbook. It supports logging and
tracking of your incident process, along with the ability to upload indicators of compromise (IoCs) to your case. After adding your IoCs, you can run Cortex and the tools in it to enrich your data using many analyzers and responders.
The best choice for you depends on your budget, security maturity level and the depth of your intended investigations. RTIR and OTRS offer solid incident tracking systems with paid support (as of this writing). On the other hand, TheHive offers high scalability,
customizations and embedded analyzers for quick and automated analysis.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
February 21, 2024
By IANS Research
Learn why cloud IR is critical to security and not just another box to check. Find guidance to get started building a strong cloud IR program.
February 15, 2024
By Alex Sharpe, IANS Faculty
IANS Faculty member Alex Sharpe discusses the risks around AI adoption and provides governance guidance to make your AI launch safe and mitigate risk.
February 13, 2024
By IANS Faculty
Learn how to how to use NIST to modify secure baseline configurations to account for risk and improve security posture.