EnCase® Enterprise
Automated Incident Response Suite

Guidance Software has engineered an incident response solution that integrates with alerting and content monitoring tools to field alerts and provide real-time response. It enables incident responders to zero in on compromised machines with unparalleled speed. The Automated Incident Response Suite (AIRS) fields alerts, filters out false positives and assesses whether a machine was actually compromised. As alerts are generated, a real-time "Snapshot" is taken of the target hosts. Immediate analysis from the source and target reveals event details.

For specific events, subsequent automated Snapshots are triggered shortly after the event to show attack results in time slices, revealing whether the event actually occurred, and if so, its impact and origin. The aggregation of IDS event data and EnCase® Snapshot data into a central location, in real time, gives incident responders, security analysts and others the information they need to truly understand whether an incident occurred and its impact.

  • Analyze up to 30,000 computers per hour for running processes to help you understand which machines have been compromised, which machines are vulnerable to attack and where the compromise initiated — with 100% accuracy.
  • Uncover hidden and deleted files, find and remediate zero-day events, identify and destroy hidden/rogue processes and hooks used by rootkits.
  • Analyze and search multiple machines at the same time across the network, at speeds that dwarf those of competing technologies.
  • Document the incidents in detail, then reach out to compromised systems and remediate without disrupting business operations.
  • Rely upon software that has an unparalleled record in courts worldwide. This is why EnCase software is the "tool of choice" for law enforcement and regulatory agencies.

IDS/SIM/CMS Integration and Monitoring
Analysts select pre-defined conditions or create custom logic to query the event response repository at given intervals, for specific types of events. The alerting engine looks for events that meet specific criteria, such as a level-one alert or somebody running an unauthorized, hidden process with an outbound TCP connection on a certain port. With content monitoring tools (CMS), AIRS would query for issues, such as adult content, abusive employee behavior or intellectual property theft violation.

  • IDS/SIM/CMS Systems Support: 
    • Intrusion Detection Systems: ISS SiteProtector, Snort
    • Content Monitoring Systems: Vericept, Vontu
    • Security Information Management: ArcSight
  • Multiple Database Support: AIRS can monitor IDS/SIM/CMS systems that run over the following databases: SQL Server 2000/2005, MySQL, Oracle and PostgreSQL.

Configuration and Filtering: The monitoring component watches the IDS/SIM/CMS database for the alerts the user has configured it to respond to. When one of these alerts is detected, the Monitor schedules a Snapshot/investigation of the machine that triggered the alert.

  • Each event from the IDS/SIM/CMS goes through a two-step triage process to filter out false positives (configurable by the user) and assess whether a machine was actually compromised.
  • As part of this triage, the investigator can set up filters that trigger on specific details of an IDS event, such as:
    • Alert name
    • Alert priority
    • Alert time
    • Source/destination IP
    • Source/destination port
    • IDS sensor name
    • IDS sensor address
  • For CMS events the user can set up filters on:
    • Source/destination IP
    • Category or policy name
    • Priority
    • Source/destination account

Incident Response Process
As alerts are generated, a real-time incident response process known as a "Snapshot" takes place to retrieve deep volatile data from target and attacker machines. The rich data retrieved allows investigators to determine whether machines have been compromised by a given event. In the case of CMS systems, AIRS performs a forensic, real-time verification of that event.

  • Performs Snapshots/investigations on machines for which IDS/SIM/CMS reports an alert. Snapshot results are stored in the AIRS Database.
  • Volatile Data Harvested by Snapshot:
    • Open Ports
    • All active processes: known, unknown and hidden
    • Live Windows® Registry
    • Services
    • TCP network socket information
    • Logged on user and users that have logged onto the machine
    • Additional data can be added with modules (device drivers, open files, network cards, etc.)
  • Depending on the severity of the event, as defined by the alert and the initial triage, EnCase automatically takes multiple Snapshots in timed intervals and provides system Snapshots of data across time to give you a detailed portrait of the precise impact of a computer attack against a machine or a set of machines.
  • The nonintrusive EnCase Servlet can be deployed to machines that have been involved in an alert but do not yet have the Servlet, thus getting the Servlet out to the highest priority machines in an automated fashion.

Web-based Incident Analysis
The AIRS Web Reporter is a web application that gives investigators a clear view of the real-time, in-depth incident response information. Users need only a browser to perform investigations. Investigators are given the ability to:

  • View snapshot/investigation results, which include
    • Logged on user information
    • Machine name
    • Operating system
    • A list of running processes
    • Command line arguments, hash value and ports for each process
    • Approved or unapproved “status” for each process as specified via EnCase Enterprise
    • A top-level list of all snapshots taken
    • For each individual target a list of snapshots taken to date for performing analysis of the target at different points in time
  • View IDS/CMS event information by querying the IDS/CMS system. This provides a convenient all-in-one interface so the user doesn’t have to go back and forth between the alerting system and AIRS during investigations.
  • View target queue information to see which targets are scheduled for investigation.
  • View the list of IDS/CMS conditions that have been created and used in filtering events.
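The two-step workflow described under "Configuration and Filtering" and the approved/unapproved process status listed above, modelled as an added example (hypothetical code, not Guidance Software's implementation): alerts are filtered on the fields the page lists, matching hosts are queued for a Snapshot, and the Snapshot's process list is checked against an assumed approved-hash list. The `Alert` and `Condition` shapes and all sample values are constructed assumptions.

```python
# Added toy model of the AIRS triage/Snapshot workflow on this page (hypothetical, not vendor code).
from dataclasses import dataclass, field
import ipaddress

@dataclass
class Alert:
    name: str
    priority: int
    src_ip: str
    dst_ip: str
    dst_port: int
    sensor: str

@dataclass
class Condition:
    """One user-defined triage condition (assumed shape)."""
    max_priority: int                             # 1 keeps level-one alerts only
    dst_ports: set = field(default_factory=set)   # empty set = any port
    target_net: str = "0.0.0.0/0"                 # limit to an IP range

    def matches(self, a):
        in_net = ipaddress.ip_address(a.dst_ip) in ipaddress.ip_network(self.target_net)
        port_ok = not self.dst_ports or a.dst_port in self.dst_ports
        return a.priority <= self.max_priority and port_ok and in_net

def triage(alerts, conditions):
    """Step one: hosts whose alerts pass a condition, in order, deduplicated."""
    queue = []
    for a in alerts:
        if any(c.matches(a) for c in conditions) and a.dst_ip not in queue:
            queue.append(a.dst_ip)
    return queue

def assess(snapshot, approved_hashes):
    """Step two: unapproved processes holding an outbound TCP connection."""
    return [p["name"] for p in snapshot
            if p["hash"] not in approved_hashes and p["outbound_tcp"]]

# Constructed sample data; hash strings are placeholders, not real values.
ALERTS = [
    Alert("WEB-ATTACK shell cmd", 1, "203.0.113.7", "10.0.0.5", 80, "dmz-sensor"),
    Alert("ICMP ping", 3, "10.0.0.9", "10.0.0.5", 0, "lan-sensor"),
    Alert("WEB-ATTACK shell cmd", 1, "203.0.113.7", "10.0.0.5", 80, "dmz-sensor"),
]
CONDITIONS = [Condition(max_priority=1, dst_ports={80, 443}, target_net="10.0.0.0/8")]
APPROVED = {"hash-iis", "hash-lsass"}
SNAPSHOT = [
    {"name": "w3wp.exe", "hash": "hash-iis", "outbound_tcp": False},
    {"name": "unknown.exe", "hash": "hash-xyz", "outbound_tcp": True},
]
```

Running `triage(ALERTS, CONDITIONS)` drops the low-priority ping and the duplicate alert, leaving one host to Snapshot; `assess(SNAPSHOT, APPROVED)` then surfaces only the unapproved process with an outbound connection.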

Report Creation
Report creation allows the user to produce Snapshot-related reports in HTML and Excel format and optionally email them to specified parties.

  • The EnCase reporting engine gives analysts the ability to generate meaningful and very specific HTML and Excel reports, based on the Snapshot response data. There are also a number of preconfigured reports to help narrow down the information relevant to a particular series of events.
  • The AIRS Web Reporter interface also allows for high-level reports to be created which summarize unapproved processes that were detected and provide reports on IDS and CMS events.

Administration
AIRS Database Administration: This component allows the user to create the AIRS Database which is used for storing investigation results. It also provides maintenance functions, such as configuring automatic, periodic purging of old records or running a one-time purge of records older than a certain date.

Web Access Administration: The AIRS Web Reporter provides an admin interface where the AIRS administrator can create and administer users and groups. As a security control, the groups feature provides the capability to restrict investigators so that they only see investigation results for specified IP ranges. The interface also provides the ability to set up connections to the AIRS and IDS/SIM/CMS databases.


The following are additional requirements needed to run the Automated Incident Response Suite.

IDS/SIM/CMS System
The IDS/SIM/CMS system monitors the network for various events depending on the system type. When an event occurs, the IDS/SIM/CMS stores a record of it.

FOR THE AIRS WEB REPORTER
• Windows 2003 Server
• IIS 6.0
• 1 GB of RAM (2 GB or more recommended)

AIRS DATABASE REQUIREMENTS (ANY OF THE FOLLOWING)
• SQL Server 2000 or 2005
• MySQL 5.0
• PostgreSQL 8.0
• MS Access

For more in-depth suggestions on computer hardware, please view the Computer Hardware Recommendation for EnCase Forensic and EnCase Enterprise.

© 2002-2007 Guidance Software, Inc. All Rights Reserved.