Your Open-Source Incident Response Platform
Move Over TheHIVE, Hello DFIR-IRIS
Incident Response Platforms (IRPs) are an essential tool for organizations of all sizes and industries, as they provide a centralized platform for managing incident response activities and help organizations respond quickly and effectively to cyber incidents. By using IRPs, organizations can reduce the impact of cyber incidents, minimize the risk of data breaches, and ensure compliance with industry regulations.
From my perspective, Incident Response Platforms (IRPs) are the second most crucial component of any Security Information and Event Management (SIEM) stack, following the ingestion of logs.
They provide a centralized platform for managing incident response activities, including threat detection, incident triage, incident investigation, and incident resolution.
- Incident triage: This can include analyzing the scope of the incident, the systems and data that may be affected, and the potential damage that could result.
- Incident investigation: This allows incident responders to quickly gather the information needed to understand the incident and make informed decisions about how to respond.
- Incident resolution: This allows incident responders to quickly and effectively respond to incidents, regardless of their severity or complexity.
- Compliance and reporting: IRPs also help organizations meet compliance requirements by providing the ability to generate incident reports and other forms of documentation required by regulatory bodies.
What Tools are Available?
Prior to a change in their licensing, TheHIVE was the premier open-source solution for our incident response needs. Unfortunately, the modification to the license at the end of 2022 resulted in a significant reduction of the features available in the free version of the platform.
While SOC teams scrambled to find a competent replacement, DFIR-IRIS remained at the ready, eagerly awaiting its chance to demonstrate its capabilities.
Thankfully the team behind DFIR-IRIS stepped up to save the day with a open-source Incident Response Platform.
In my opinion, IRIS checks off all the boxes when it comes to what features any Incident Response Platform must contain.
- Incident management: DFIR-IRIS allows incident responders to create, track, and manage incidents, including incident triage, investigation, and resolution.
- Evidence management: DFIR-IRIS allows incident responders to collect, preserve, and analyze digital evidence, including system images, network traffic, and log files.
- Reporting: DFIR-IRIS provides a range of reporting and documentation capabilities, including incident reports, case summaries, and timelines.
- Integration: DFIR-IRIS allows for the integration with various other tools, such as malware analysis tools, network traffic analysis tools, and forensic tools.
- Collaboration: DFIR-IRIS allows incident responders to collaborate and share information with other teams, such as incident response teams, forensic teams, and law enforcement agencies.
Automate Anything With Modules
In my opinion, the extended modules are the most compelling feature of IRIS. Modules are very similar to what TheHIVE achieves with Cortex’s Analyzers and Responders. IRIS modules are split into two types:
- Pipeline modules : Allow upload and process of evidences through modular pipelines (eg: EVTX parsing and injection into a database or data visualiser)
- Processor modules : Allow processing of IRIS data upon predefined actions / hooks. (eg: be notified when a new IOC is created and get VT/MISP insights for it).
The best feature of all is that these modules are simply Python packages that we can craft to perform any task we need to achieve.
Looking to investigate an IoC using MISP or Virustotal? You’re in luck — there’s a module available for just that purpose.
Or do you have a unique use case and need to craft your own? With a vision and some Python programing, you can achieve just that!
The SOCFortress team is putting effort into building modules for the whole community to enjoy, stay tuned!
Less Talk, More Do
IRIS is to be installed via Docker and the team has put together a compose file that runs 5 Docker services.
app - iris_webapp: The core, including web server, DB management, module management etc.
db: A PostgresSQL database
RabbitMQ: A RabbitMQ engine to handle jobs queuing and processing
worker: Jobs handler relying on RabbitMQ
nginx: A NGINX reverse proxy
With the magic of Docker, we can install and run all the services required by IRIS with a few commands.
I assume you already have docker installed, if not you can follow Docker’s install guides here: Docker Install Guide.
# Clone the iris-web repository
git clone https://github.com/dfir-iris/iris-web.git
# Checkout to the last non-beta tagged version -
git checkout v1.4.5
# Copy the environment file
cp .env.model .env
# [... optionally, do some configuration as specified in section below ...]
# Build the dockers
docker compose build
# Run IRIS
docker compose up
Wow, that was easy! With IRIS installed, you are now ready to connect via your browser and get started with your own open-source Incident Response Platform today!
FOLLOW THE VIDEO FOR ACCESSING YOUR LOGIN CREDENTIALS AND A SHOWCASE OF THE PLATFORM
Given the immense value that TheHIVE provided, I must admit, I was concerned about the possibility of constructing a comprehensive SIEM stack without it. Like many others, I was scrambling to find a tool that offered the same features of TheHIVE with the ability to be customized to fit any use case. Thankfully, the team behind DFIR-IRIS has developed an incident response platform that is not only fully open-source, but also offers a combination of built-in features and the ability to customize and create our own, providing a powerful and versatile solution for incident response.
DFIR-IRIS Discord: https://discord.gg/udqjsUjv
The functionality discussed in this post, and so much more, are available via SOCFortress’s Professional Services. Let SOCFortress help you and your team keep your infrastructure secure.
Professional Services: https://www.socfortress.co/ps.html