New Year, New Case Management


I thought it would be appropriate for the first post of the new year to discuss some of the things that have been on the table regarding case management. Our team has been demoing and testing various solutions, from open source to commercial products. One of the new kids on the block among open-source case management systems is IRIS (Incident Response Investigation System).

"IRIS is a web collaborative platform for incident response analysts allowing to share investigations at a technical level."
Version as of 1/30/22: v1.3.0

Overview

IRIS is built with Python and dockerized for easy setup for testing. You can find it here. One key thing to note: if you do not set a password in the Docker .env files, the password is randomly generated during the build process and shows up in the app logs, which could be buried in terminal history if you're not careful!

Once logged in as administrator, you will land on a dashboard with an example case already created and open for you. From here, take a look at the left-side toolbar to see the various actions you can take. You can go into a case to work with notes, IOCs, and assets. The search function runs global searches for IOCs or notes across all cases, with wildcards for partial matches. Activities shows all recent user actions such as added cases, deleted assets, logins, etc.

Looking at what we can do with cases, let's go over these actions.

Summary

The Summary is the general consensus on the current case: a description, or generally whatever you want here. This is also where you generate reports or download activity reports for the current case. It takes Markdown, so you can format as needed, and Ctrl+S saves as you type.

Notes

The Notes page works similarly to the Summary page, but adds what it calls "Groups", which let you create multiple groups to separate notes by topic or whatever fits the case.

Assets

The Assets page lets you add or upload files to fill out any assets related to the case, such as computers, accounts, or any custom objects needed. You can also download this list later if needed. The page supports tagging and linking of IOCs, and shows analysis status such as "To be done", "Pending", or "Done".

IOC

The IOC tab works in a similar fashion, just for IOC-based data. You can input IOCs manually or upload them via the CSV function or the API. Each IOC takes a value, type, description and tags, and IRIS links it to any other case that contains the same IOC, letting you spot similarities between cases. IOCs also carry TLP levels, so a case cannot export data that violates its assigned TLP level.
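To make the two behaviours described above concrete, here is an added example (not IRIS's own code) that models cross-case IOC linking and TLP-gated export over constructed sample data; the TLP ordering and the "export level or more permissive" rule are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed TLP ordering: lower index = more permissive. The rule illustrated
# here (an assumption, not IRIS's implementation) is that an export at a
# given TLP may only include IOCs at that level or more permissive.
TLP_ORDER = {"white": 0, "green": 1, "amber": 2, "red": 3}


@dataclass(frozen=True)
class IOC:
    value: str
    ioc_type: str
    tlp: str
    description: str = ""


@dataclass
class Case:
    case_id: int
    name: str
    iocs: list = field(default_factory=list)


def linked_cases(cases):
    """Map each (type, value) IOC to the set of case IDs containing it,
    keeping only IOCs seen in more than one case (what IRIS shows as links)."""
    seen = defaultdict(set)
    for case in cases:
        for ioc in case.iocs:
            seen[(ioc.ioc_type, ioc.value)].add(case.case_id)
    return {k: v for k, v in seen.items() if len(v) > 1}


def exportable_iocs(case, export_tlp):
    """Return the IOCs allowed to leave the platform at export_tlp;
    anything marked more restrictive than the export level is withheld."""
    limit = TLP_ORDER[export_tlp]
    return [ioc for ioc in case.iocs if TLP_ORDER[ioc.tlp] <= limit]


# Constructed sample data (documentation IP range, made-up hash).
CASES = [
    Case(1, "Phishing wave", [
        IOC("198.51.100.7", "ip-dst", "amber", "C2 callback"),
        IOC("invoice-2022.doc", "filename", "green"),
        IOC("deadbeef" * 4, "md5", "red", "dropper"),
    ]),
    Case(2, "Suspicious login", [
        IOC("198.51.100.7", "ip-dst", "green", "source of logins"),
        IOC("198.51.100.250", "ip-dst", "white"),
    ]),
]
```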

Timeline/Graph

IRIS lets you build out events that are incorporated into a timeline and graphing system for better visualization of what happened.

(Figures: timeline visualized; Graph: Billy bob is really John Cena)

Tasks / Evidences

IRIS lets you assign tasks to users and tracks progress per case or as global tasks. The Evidences tab lets you upload or manually add evidence files (currently not stored on the system) to be hashed, pulling some basic metadata to attribute to the case. This is not yet a full-fledged system and is probably the weakest feature at the moment.

(Figures: Tasks; Evidences)

Advanced Features

IRIS offers some advanced features such as custom modules via Python pip packages, custom case objects such as IOC types or asset types, and templates for report exporting to suit whatever needs you may have. We also can't forget the extensive API documentation they have available, which lets you script and automate almost any UI-based function into anything your Python-fu can muster.


Future Development / Desires

For a solution that is relatively new, IRIS has a solid foundation with some bright minds behind the project. I can see this being used internally by SOCs or IR teams, especially once some of the planned enrichment integrations such as MISP and VT are built out. Improvements to areas such as screenshots in notes, file and sample handling, and a community library of modules would also be awesome to see. Given some more development time, I can see this being a strong contender for teams looking to stay open source if commercial solutions are not an option. Big praise and thanks to the team working on IRIS and all the contributors to the project.

Roadmap:
https://dfir-iris.github.io/roadmap.html

Documentation:
https://dfir-iris.github.io/index.html