

ContextIS Introduces CbRCLI to Access Cb Response via the Command Line for Faster, More Efficient Incident Response

November 17, 2017 / Roberto Arico

When you think of incident response, there are two key factors: the incident itself, and the need to respond quickly and effectively. You need an incident response toolkit that contains everything required to perform investigations and forensic analysis with speed, accuracy and, above all, ease.

Nobody wants to be struggling with a script that constantly needs to be changed. No analyst wants to suffer separate, disparate tools, each with its own quirks and limitations. Without the capability to integrate tools and functions, and unify the output in a single view, your incident response process will become a longer, more laborious and more time-consuming exercise, and you are likely to miss some valid artifacts or data.

Today, we would like to focus on one of Carbon Black’s partners – ContextIS, who is not only a frequent end-user of Cb Response for their breach investigations, but also very active in the developer community, providing custom scripts, detections and valuable feedback.

Today, we are highlighting a tool ContextIS has developed in-house and is making widely available to the entire Cb Community – Cb Response Command Line Interface (CbRCLI). ContextIS is making the source code to this tool available on their GitHub and actively welcoming contributions. Their repository is located here.

CbRCLI is a tool which ContextIS incident responders have developed and refined over a number of investigations, primarily born out of two use cases:

1) Script re-use and reconfiguration on the fly

2) API access for other 3rd party tools that ContextIS utilise in their investigations.

CbRCLI is just that – a text-based interface for Cb Response. In environments where systems may be locked down (or should your incident responders prefer a more Linux command-shell-style interface), CbRCLI would be the best way forward.

CbRCLI (currently) allows for the following:

– Autocomplete of input and options

– Searching across Processes, Binary and Sensor information

– Choosing which columns to view in a dataset

– Allowing for on-the-fly Regex filters to be applied to columns

– Suppression of duplicate results

– Saving of Search Query and dataset filters

– Text and formatting options

– Specify a search timeframe

– Export of Results to a Tab Separated File

– Summary of data frequency (Most & least common values)

– Extended information on any result in a fieldset

– List of all file modifications or network connections for a query result. (Colour coded for Write/Delete)

– Ability to visualise the full process tree via a web browser using a quick launch based on row number

– Directly open a LiveResponse shell to the endpoint

If you would like to see CbRCLI in action, check out this video.

Otherwise, check them out on our Developer Relationship Showcase located here.

Or on ContextIS Github Repo at

Read the news release here.