
WHITE PAPER

The AlienVault Incident Response Toolkit:
Putting the OODA Loop to Work in the Real World

When it comes to data breaches, most agree that it's not a matter of if, but when. In a recent report, an astounding 76 percent of surveyed organizations admitted being victims of successful cyber attacks in 2015, up from 70 percent in 2014 and 62 percent in 2013 [1].
That's why it's so essential to have the right tools in place to spot an event as soon as it happens, as well as to be able to respond effectively to minimize damage and recover quickly.
We believe the best way to approach Incident Response is to deploy the OODA Loop method, developed by US Air Force military strategist John Boyd. The OODA Loop focuses on the key essential tactics for responding to any crisis: Observe, Orient, Decide, and Act.
In this paper, you'll read about a few specific use cases where AlienVault technologies and services help you Observe, Orient, Decide, and Act for effective incident response.
When observing for potential risks and impending threats, there are three essential success factors that should guide your activity as an incident responder:
- Observe from all angles.
- Apply prioritization based on the latest threat intelligence.
- Continuously fine-tune security monitoring tools.
[1] http://cyber-edge.com/2016-cdr/


Observe from all angles with AlienVault's Unified Security Management (USM) platform
AlienVault USM provides the 360-degree view that you need for full situational awareness. By combining and analyzing data from native capabilities (e.g. netflow analysis, vulnerability scans, host- and network-based IDS) as well as the event logs from your assets, AlienVault USM powers observation from all angles.
Since attackers will probe multiple systems as well as multiple layers of your defense, it's essential that you're constantly observing activity in all of these areas, across all your devices. Additionally, each of these defensive layers should be analyzed within a unified context, which is precisely what the AlienVault USM platform gives you.

Apply prioritization with emerging AlienVault Labs Threat Intelligence


In order to know when an attack is happening, we need to know what we should be looking for. That brings us to Lockheed Martin's Cyber Kill Chain [2]. The Cyber Kill Chain represents the steps that any attacker needs to carry out in order to compromise a system and steal data.
At AlienVault, we've simplified the 7-step cyber kill chain into a 5-step process based upon AlienVault Labs research into emerging attacker tools, techniques and tactics. The AlienVault Labs threat intelligence fuels the USM platform with automated correlation rule analysis using key Indicators of Compromise (IOC) data and automated event classification.
AlienVault Labs is our team of threat researchers who deliver regular updates to USM's built-in security controls. These updates to correlation directives, intrusion detection signatures, vulnerabilities, report templates, response templates, and plugins for third party devices and applications ensure your USM deployment is able to detect the latest threats.
In order to help you more effectively prioritize each security event, AlienVault USM automatically
classifies each event that occurs within your network according to this simplified Cyber Kill Chain.

[2] http://cyber.lockheedmartin.com/solutions/cyber-kill-chain


After all, when your goal is to hunt down attacks quickly, to minimize damage and rapidly recover,
quick prioritization is the key to your success. By automating event analysis and classification,
AlienVault USM arms your security team with automated prioritization for effective incident
response.

Continuously fine-tune security monitoring tools.


As you discover more about patterns in your network traffic, user activity, and service availability statistics, you may want to fine-tune your monitoring tools to ensure that you're capturing all the information you'll need to investigate incidents. Moreover, as new threats emerge, you'll want to make sure that you're checking for their key indicators, such as file checksums or vulnerability signatures.
Each of AlienVault USM's combined security monitoring capabilities can be easily reconfigured on an individual basis to give you precisely the observational control you need to detect and stop data breaches.
Here's an example of how you can use the observational data collected and analyzed by AlienVault USM to continuously reconfigure your monitoring toolkit.
What happened? A new SSL vulnerability has been announced.
What do you do? First, check your latest vulnerability report to see if any of your assets are vulnerable. Second, evaluate the SSL checks that are enabled within the vulnerability database. Third, run another vulnerability scan and review the report findings. Finally, review your upcoming scheduled scan jobs, verify the schedule details, and forward the schedule to your help desk so that it gets added to the IT maintenance calendar.
Other examples of fine-tuning your controls include:
- Using policies to take different actions with certain events (e.g., bypass the SIEM function and go straight to the logger) or to suppress them entirely (e.g., you don't care about alerts that identify the use of Dropbox on employees' PCs)
- Limiting the data a HIDS agent collects, changing the verbosity of how an asset logs, or disabling services on a device to increase performance and/or throughput
- Completely changing the USM architecture to improve performance or segregate data (such as breaking out an All-in-One appliance into its separate components: Server, Sensor, and Logger)
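As an added illustration (not AlienVault code), the following Python sketch shows the two ideas above working together: a first-match policy layer that routes each event to the SIEM, straight to the logger, or to suppression, followed by kill-chain-stage tagging that sorts the surviving events most-severe-first. Only the two stage names the paper uses are taken from it; the other three stage labels, the event names, field names and sample events are assumed for the example.

```python
from dataclasses import dataclass
from typing import Callable

# Simplified kill-chain stages, ordered from most to least severe. Only
# "Exploitation & Installation" and "Delivery & Attack" are named in the
# paper; the other three labels are assumed for this example.
STAGES = [
    "System Compromise",
    "Exploitation & Installation",
    "Delivery & Attack",
    "Reconnaissance & Probing",
    "Environmental Awareness",
]
PRIORITY = {stage: rank for rank, stage in enumerate(STAGES)}
UNKNOWN_RANK = len(STAGES)  # events with no known stage sort last

# Constructed mapping from normalised event names to stages (the paper says
# USM classifies automatically; the event names here are made up).
EVENT_STAGE = {
    "ssh_bruteforce": "Delivery & Attack",
    "java_exploit_payload": "Exploitation & Installation",
    "c2_beacon": "System Compromise",
    "dropbox_client_usage": "Environmental Awareness",
}


@dataclass
class Policy:
    """A routing policy; first match wins. Actions: 'siem' (correlate),
    'logger' (store raw only, bypass correlation) or 'suppress' (drop)."""
    name: str
    match: Callable[[dict], bool]
    action: str


# Constructed policies mirroring the two examples given in the text above.
POLICIES = [
    Policy("ignore Dropbox use on employee PCs",
           lambda e: e["event"] == "dropbox_client_usage"
           and e["asset_type"] == "workstation", "suppress"),
    Policy("raw netflow straight to logger",
           lambda e: e["source"] == "netflow", "logger"),
]


def route(event, policies=POLICIES):
    for p in policies:
        if p.match(event):
            return p.action
    return "siem"  # default: full correlation


def triage(events, policies=POLICIES):
    """Apply policies, then tag SIEM-bound events with a kill-chain stage and
    return (siem_queue sorted most-severe-first, logger_only, suppressed)."""
    siem, logger, suppressed = [], [], []
    for e in events:
        action = route(e, policies)
        if action == "suppress":
            suppressed.append(e)
        elif action == "logger":
            logger.append(e)
        else:
            siem.append({**e, "stage": EVENT_STAGE.get(e["event"])})
    siem.sort(key=lambda e: (PRIORITY.get(e["stage"], UNKNOWN_RANK), e["ts"]))
    return siem, logger, suppressed


# Constructed sample events; timestamps are ISO strings so they sort as text.
SAMPLE_EVENTS = [
    {"ts": "2016-03-03T09:05:00", "source": "hids", "asset_type": "workstation",
     "event": "dropbox_client_usage"},
    {"ts": "2016-03-03T09:07:00", "source": "netflow", "asset_type": "server",
     "event": "flow_summary"},
    {"ts": "2016-03-03T09:10:00", "source": "nids", "asset_type": "server",
     "event": "ssh_bruteforce"},
    {"ts": "2016-03-03T09:12:00", "source": "nids", "asset_type": "server",
     "event": "java_exploit_payload"},
    {"ts": "2016-03-03T09:15:00", "source": "hids", "asset_type": "server",
     "event": "c2_beacon"},
]
```

Note that the Dropbox policy is deliberately scoped to workstations, so the same event on a server still reaches the SIEM queue.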

Observe: Summary
Key Takeaway #1: Observe from all angles.
How does AlienVault help? The AlienVault USM platform unifies the following distinct layers of security monitoring telemetry to provide a full 360-degree view of your assets:
- Emerging threat detection: File Integrity Monitoring and host-based and network-based IDS, powered by IOCs from AlienVault Labs and AlienVault OTX [3], alert you to emerging threats for immediate response.
- Behavioral monitoring: Netflow analysis and service availability monitoring enable you to spot suspicious activity and collect forensic evidence with full packet capture.
- Vulnerability assessment: Network vulnerability scans and continuous vulnerability monitoring help you identify risks and prioritize remediation fast.
- Event log analysis / SIEM: Unifies and analyzes observational details across your entire infrastructure. This includes your firewalls, servers, routers, domain controllers, cloud workloads and more to fuel your incident response program.

Key Takeaway #2: Apply prioritization with emerging AlienVault Labs Threat Intelligence
How does AlienVault help? AlienVault USM maps each security alarm against the Cyber Kill Chain
so that security analysts understand the intent of the malicious behavior and know which incidents
to investigate first. AlienVault Labs Threat Intelligence powers this prioritization by monitoring and
analyzing the latest attacker techniques, tools, and tactics and applying this analysis to our rules
engine.

Key Takeaway #3: Continuously fine-tune security monitoring tools.


How does AlienVault help? Thanks to AlienVault's modular approach to security monitoring, our USM platform is designed for greater flexibility in adjusting each security monitoring capability to better reflect each organization's specific observational requirements.

[3] OTX is the world's first truly open threat intelligence community that enables collaborative defense with open access, collaborative research, integration with AlienVault USM and OSSIM, as well as the ability to export IoCs to almost any security product. OTX enables everyone in the OTX community to actively collaborate, strengthening their own defenses while helping others do the same. To learn more, go to https://otx.alienvault.com


All of the information you've collected during the observation phase is essential for detecting a security event that requires your investigation. But information alone, without any context, is not sufficient for closed-loop incident response.
That's where the Orient phase comes in.
Contextual information is essential for orientation. All of the data in the world is useless without the necessary context to understand the significance of that data. For example, a system outage in your data center could either be an innocuous event (unexpected power failure) or something more serious (denial of service attack). Without the necessary context to orient you (for example, an email announcement from your ISP about the outage), you can't implement an effective response.

Your incident response goals during the Orient phase include:
- Determine scope and impact of attack based on the latest threat intelligence.
- Review event in the context of other activity on network to establish a timeline.
- Investigate source of attack to determine attribution (if possible) and any additional intelligence that can assist decision-making.

Determine scope and impact of attack based on the latest threat intelligence.
AlienVault Labs and AlienVault Open Threat Exchange (OTX) work together to monitor and analyze
the latest attacker tools and tactics, and then convert this intelligence into automated actions (e.g.
correlated rules, alarms, and tickets) within AlienVault USM so that you can effectively respond.
These tools enable you to quickly determine which assets are affected and the severity of the
activity or attack.


Here's a specific example. In your AlienVault USM demo environment [4], you see an alarm for an Exploitation and Installation event. Investigating further, you see that this involves an asset that's running a vulnerable version of Java. And it may not be the only asset on the network that's vulnerable. With AlienVault USM, you quickly review all events across all your assets to see which other systems show this type of activity and vulnerable configuration. In addition, you've automatically created an Asset Group based on these characteristics [5] so that you can remediate all of these vulnerabilities as a group, and can continue to monitor them to validate these fixes. This dynamic watchlist provides you with the essential context for effective closed-loop incident response.

Review event in the context of other activity on network to establish a timeline.
AlienVault USM provides a unified timeline for all events to easily make connections between and among disparate but related events.

[4] Our USM demo environment is available for you to play with as well. Simply point your browser to https://www.alienvault.com/live-demo-site for hands-on AlienVault USM action.
[5] In our example, I'm using vulnerability or CVE data to automatically create an Asset Group, but you can use any characteristic or variable that exists in our taxonomy to create an Asset Group. Examples include:
- Asset Value
- Network
- Software running on assets
- Sensor that monitors assets
- Device type of asset
- Open port or services running on assets
- Location of assets


By viewing all events across a visual timeline, you can easily scan all of the security events and activity across your network without having to consult multiple consoles, apps, or databases. The simplified data visualization approach makes it easy to draw quick conclusions about which events require further investigation. In order to provide enough context yet not overwhelm your users, who are already overworked and underappreciated, AlienVault chose to use a simplified design for USM's event timeline. The bigger the circle, the more types of events have occurred within that category and within that time frame.

Investigate source of attack to determine attribution (if possible) and any additional intelligence that
can assist decision-making.
According to cyber security expert Bruce Schneier [6], strong attribution can lead to deterrence. It
can also provide the essential context to help detect and prevent future attacks and attackers that
may share those same motivations, tools and techniques. The tight integration between AlienVault
OTX and AlienVault USM enables our customers to use this intelligence for more reliable incident
response.
Here's an example from the trenches. In the AlienVault USM demo environment, we don't mind a bit of poking and prodding from the ne'er-do-wells in cyber space [7]. In fact, it helps us capture interesting events that we can then share with our customers and partners. As you can see in this screenshot, AlienVault OTX has identified that the source of this brute-force authentication attack [8] has an IP address associated with a known bad actor. By clicking on the "Yes" above, you can review additional information collected by AlienVault OTX about this particular attacker.

[6] https://www.schneier.com/blog/archives/2015/03/attack
[7] As an aside, you're probably not surprised to hear that a lot of consumer goods are made in China. I wouldn't call cyber attacks a consumer good, but I can say that there are plenty that are made in China.
[8] Brute-force authentication attacks are one of the most commonly used Delivery & Attack tactics. And since the SSH protocol has a history of vulnerabilities, it's a common target.


Additionally, you can search for this particular IP address across all of your events to find any
additional activity that may have impacted additional assets.
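As an added example (not part of the paper or of USM), here is the brute-force SSH scenario above expressed as detection logic: parse constructed sshd log lines, flag a source that fails logins repeatedly inside a short window, note whether a successful login followed, check the source against a constructed stand-in for OTX IP indicators, and pivot across other assets' events for the same address. All log lines, addresses, asset names and indicator labels are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines in syslog format. The year is not in the line,
# so the parser assumes one (2016 here). 203.0.113.45 plays the attacker.
AUTH_LOG = """\
Mar  3 10:15:01 web01 sshd[2210]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar  3 10:15:03 web01 sshd[2211]: Failed password for root from 203.0.113.45 port 51023 ssh2
Mar  3 10:15:04 web01 sshd[2212]: Failed password for invalid user admin from 203.0.113.45 port 51024 ssh2
Mar  3 10:15:06 web01 sshd[2213]: Failed password for invalid user admin from 203.0.113.45 port 51025 ssh2
Mar  3 10:15:08 web01 sshd[2214]: Failed password for oracle from 203.0.113.45 port 51026 ssh2
Mar  3 10:15:09 web01 sshd[2215]: Accepted password for deploy from 203.0.113.45 port 51027 ssh2
Mar  3 10:20:00 web01 sshd[2301]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar  3 11:02:00 web01 sshd[2402]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# Constructed stand-in for IP indicators pulled from an OTX pulse.
IOC_IPS = {"203.0.113.45": "SSH scanner (constructed pulse)"}

# Constructed events from other assets, used for the cross-asset pivot.
OTHER_EVENTS = [
    {"ts": "2016-03-03T10:17:30", "asset": "db01", "source": "hids",
     "msg": "Failed password for root from 203.0.113.45 port 51100 ssh2"},
    {"ts": "2016-03-03T10:30:12", "asset": "fw01", "source": "firewall",
     "msg": "DROP TCP 203.0.113.45:44510 -> 10.0.0.5:3306"},
    {"ts": "2016-03-03T10:31:00", "asset": "fw01", "source": "firewall",
     "msg": "ACCEPT TCP 198.51.100.7:40001 -> 10.0.0.7:22"},
]

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")


def parse_auth_log(text, year=2016):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authentication result; ignore
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "user": m["user"],
                       "ip": m["ip"], "ok": m["result"] == "Accepted"})
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold failed logins inside a sliding
    window, and record whether a successful login from that IP followed
    (the signal that turns a noisy scan into a likely compromise)."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        failed = [e for e in evs if not e["ok"]]
        start = 0
        for end in range(len(failed)):
            while failed[end]["ts"] - failed[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                last_fail = failed[-1]["ts"]
                findings[ip] = {
                    "failed": len(failed),
                    "users": sorted({e["user"] for e in failed}),
                    "last": last_fail,
                    "success_after": any(e["ok"] and e["ts"] >= last_fail
                                         for e in evs),
                }
                break
    return findings


def enrich(findings, ioc_ips, other_events):
    for ip, f in findings.items():
        f["known_bad"] = ioc_ips.get(ip)  # reputation from threat intel
        # Whole-address match so 203.0.113.4 does not match 203.0.113.45.
        pat = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
        f["related"] = [e for e in other_events if pat.search(e["msg"])]
    return findings


def investigate(auth_log, other_events, ioc_ips, **kw):
    return enrich(detect_bruteforce(parse_auth_log(auth_log), **kw),
                  ioc_ips, other_events)
```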

ORIENT: Summary
Key takeaway #1: Determine scope and impact of attack using the latest threat intelligence.
How does AlienVault help? AlienVault Labs Threat Intelligence orients USM customers by identifying the latest threats, resulting in the broadest view of threat vectors, attacker techniques and effective defenses. AlienVault OTX widens the threat context by using crowd-sourced and community-verified threat intelligence on the latest attacks. Together, AlienVault Labs and AlienVault OTX convert this intelligence into action within the USM platform.


Key takeaway #2: Review event in the context of other activity on network to establish a timeline.
How does AlienVault help? AlienVault USM provides a unified timeline for all events to easily make connections between and among disparate but related events. The simplified design and user-friendly event viewer make it easy to see events within a contextual timeline to assist in effective decision-making.

Key takeaway #3: Investigate source of attack to determine attribution (if possible) and any additional
intelligence that can assist decision-making.
How does AlienVault help? Working with other cyber security industry leaders like Kaspersky on projects like Operation Blockbuster [9], AlienVault Labs works tirelessly to uncover and analyze details on attack campaigns for reliable attribution. Community-driven initiatives like AlienVault OTX and OTX pulses (collections of IoCs generated by the OTX community) enable defenders to describe and submit any type of online threat, including malware, fraud campaigns, and even state-sponsored hacking. These discoveries are tightly integrated into AlienVault USM in the form of correlation directives for automated event analysis and more informed incident response.
The first two stages in the OODA loop, Observe and Orient, are all about security monitoring essentials: gathering as much data as possible and then placing it in the context of local and global risk so that you can make the best decision possible.

[9] For more information on Operation Blockbuster, take a look at AlienVault Labs' Jaime Blasco's blog article: Operation BlockBuster unveils the actors behind the Sony attacks.


These first two phases benefit from using automated tools for data collection and analysis, but deciding what to do based on this intelligence unfortunately can't be outsourced to non-humans. At least not yet.
That said, AlienVault Labs, AlienVault USM and AlienVault OTX provide as much guidance as
possible for the best possible decision and outcome.

The key incident response goals for the Decide phase include the following:
- Determine the immediate next steps in responding to the incident.
- Review asset owner information and any relevant instructions associated with the asset.
- Document all remediation tactics planned for the affected assets.

Determine the immediate next steps in responding to the incident.


One of the biggest decisions that incident responders face is how to navigate the balancing act between the need to preserve evidence and the need to recover quickly.
This decision is best handled well in advance of your first incident. In fact, the standard operating procedure for handling incidents should come directly from senior management and the board of directors, with guidance from your legal team. Whether to preserve evidence or simply recover is not an easy decision to make, but one that you'll need to work out as soon as possible. And please note, which way to go will often vary based on the industry you're in, the governing local and state laws, the type of data in question, the method by which it was obtained, and whether or not this was an inside job vs. an outside one. As you can see, this is not a decision to take lightly, and we urge you to ask for guidance on this question.
In the meantime, AlienVault is here to make your life easier, especially when it comes to the security events we're analyzing and detecting throughout your network. For each alarm within AlienVault USM, incident responders are provided specific guidance on how to interpret each threat and how to respond. Intelligence and analysis on appropriate next steps is written by AlienVault Labs security researchers and integrated into each of the alarms in AlienVault USM.


Review asset owner information and any relevant instructions associated with the asset.
When you're an incident responder, the more you know about the assets on your network, the better you'll be at investigating incidents that involve them. This is especially true of the servers in your environment.
It's often not clear who owns an asset, how it's configured, or what software is installed, despite checking a variety of management tools, spreadsheets, and other docs. With AlienVault USM, you can document and review who owns an asset and what to do and whom to contact in the event of an incident, as well as rich data on the vulnerabilities that exist, the software that's installed and running, and any recent changes to critical files.


Document all remediation tactics planned for the affected assets.


Once you've confirmed the impact and scope of the incident, you'll need to remediate as quickly as possible to contain the damage and recover. It's a good idea to document these remediation steps with information on the specific assets as well as what was done, by whom, and when. An audit trail like this is very helpful, especially since at this point you don't know what kind of questions you'll get from your boss or his/her boss in the future.
Thankfully, AlienVault USM enables you to document all remediation steps within its automated and integrated trouble ticketing system. In fact, every alarm can be converted into a trouble ticket with just a simple click from within the alarm details.


Additionally, you can monitor, review, and share trouble ticket resolution statistics on the AlienVault USM dashboard, all of which contributes to effective decision-making and process improvement.
DECIDE: Summary

Key takeaway #1: Determine the immediate next steps in responding to the incident.
How does AlienVault help?
AlienVault USM integrates emerging threat intelligence with operational guidance written by AlienVault Labs researchers and customized for each alarm, so you can make better decisions in the heat of the moment.

Key takeaway #2: Review asset owner information and any relevant instructions associated with the
asset.
How does AlienVault help?
AlienVault USM's rich Asset Inventory capability allows IT admins to document specifics about each asset to instruct responders about what to do in case of an incident.

Key takeaway #3: Document all remediation tactics planned for the affected assets.
How does AlienVault help?
AlienVault USM enables IT admins to automate remediation activity by immediately creating a
trouble ticket associated with alarms that require attention.



By now, we've walked you through each of the first three phases of an effective incident response plan. We've shown how AlienVault USM, AlienVault Labs, and AlienVault OTX provide the foundation you need to OBSERVE, ORIENT, and DECIDE how to respond to incidents.
Now it's time to ACT.
But first: in the previous section, we talked about the need to decide whether your IR team should focus on preserving evidence (in order to prosecute a data breach) vs. recovering quickly (and potentially losing transient forensic artifacts). This decision is far beyond the scope of this paper, and it's an important one. In the meantime, if you're interested in preserving data for further investigation, SIFT (SANS Investigative Forensics Toolkit) is a collection of various open source tools that can assist you in performing forensic analysis tasks [10].
For the purposes of this paper, we wanted to focus on recovery and remediation, as well as the specific ways that AlienVault helps you achieve these essential incident response goals within the Act phase:

- Quickly implement remediation on all affected assets and verify that remediation has been implemented properly.
- Review and update security awareness training programs or security policies as appropriate.
- Review (and potentially reconfigure) security monitoring controls based on lessons learned from the incident.

Quickly implement remediation on all affected assets and verify that remediation has been implemented properly.

[10] An international team of forensics experts, led by SANS Faculty Fellow Rob Lee, created the SANS Investigative Forensics Toolkit (SIFT) Workstation for incident response and digital forensics use and made it available to the whole community as a public service. Check it out at: http://digital-forensics.sans.org/community/downloads#overview


It's difficult to cover all of the possible remediation activities that you may need to implement, since they will largely depend on the specific threat, impact, targeted assets, and scope. That said, chances are that they will include activities such as:
- Patching systems (OSes, applications, firmware, etc.)
- Removing unnecessary or unauthorized software
- Reconfiguring system files (e.g. removing DLLs, registry settings, etc.)
- Applying new ACLs on routers or adding firewall rules
- Enabling or installing personal firewalls
- Revoking access privileges
- Resetting passwords
- Terminating unused or unnecessary accounts
- and more
AlienVault USM helps you verify that remediation has been implemented properly in a variety of ways. First, our Vulnerability Assessment can be used to scan remediated hosts immediately after they've been patched, to verify that fixes have worked and haven't introduced additional risks. Additionally, the Asset Inventory capability captures and collects all asset data, including installed and running software as well as open ports and services. These two capabilities combined help you confirm at a glance whether a patch has been applied or a personal firewall installed or enabled.
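The verification step above, as an added example that is not AlienVault's code: compare a constructed pre- and post-remediation inventory snapshot against a remediation plan to confirm which steps took effect, which scan findings survived, and whether anything new was exposed in the process. Package names, versions, ports and finding ids are all made up for the example.

```python
# Constructed before/after snapshots of one asset (web01): installed software
# with versions, open TCP ports and vulnerability-scan finding ids. The
# finding ids are made-up labels, not real CVE identifiers.
BEFORE = {
    "software": {"openjdk": "8.72", "openssl": "1.0.1"},
    "open_ports": {22, 80, 443, 3306},
    "findings": {"java-outdated", "ssl-weak-protocol"},
}
AFTER = {
    "software": {"openjdk": "8.91", "openssl": "1.0.1", "ufw": "0.35"},
    "open_ports": {22, 443, 8080},
    "findings": {"ssl-weak-protocol"},
}

# Constructed remediation plan: each step is one of the activities listed
# above, expressed so that it can be checked against the inventory.
PLAN = [
    {"action": "patch", "target": "openjdk", "min_version": "8.91"},
    {"action": "patch", "target": "openssl", "min_version": "1.0.2"},
    {"action": "close_port", "target": 3306},
    {"action": "install", "target": "ufw"},  # personal firewall
]


def vtuple(version):
    # Assumption: purely numeric dotted versions (vendor schemes differ).
    return tuple(int(p) for p in version.split("."))


def check_step(step, after):
    """True when the post-remediation inventory shows the step took effect."""
    kind, target = step["action"], step["target"]
    if kind == "patch":
        installed = after["software"].get(target)
        return (installed is not None
                and vtuple(installed) >= vtuple(step["min_version"]))
    if kind == "close_port":
        return target not in after["open_ports"]
    if kind == "install":
        return target in after["software"]
    raise ValueError(f"unknown remediation action: {kind}")


def verify_remediation(before, after, plan):
    """Return which planned steps are done or still pending, which scan
    findings survived remediation, and anything newly exposed since the
    pre-remediation snapshot (the 'additional risk' check)."""
    report = {"done": [], "pending": [], "unresolved": [], "regressions": []}
    for step in plan:
        report["done" if check_step(step, after) else "pending"].append(step)
    report["unresolved"] = sorted(before["findings"] & after["findings"])
    for port in sorted(after["open_ports"] - before["open_ports"]):
        report["regressions"].append(f"new open port {port}")
    for fid in sorted(after["findings"] - before["findings"]):
        report["regressions"].append(f"new finding {fid}")
    return report
```

On the constructed data the openssl step is still pending, the related scan finding is still present, and port 8080 appeared after remediation, which is exactly the kind of side effect a post-patch rescan is meant to catch.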

Review and update security awareness training programs or security policies as appropriate.
Every security incident investigation provides you with the opportunity to assess how well your security program is working (in terms of both security awareness and security policies and procedures). We're not suggesting that users are to blame for every security incident. Instead, the more vigilant your users can be about cyber security, the more likely it is that the risk of incidents will decrease (in terms of frequency as well as impact).
A good first step is establishing effective user activity monitoring, so that you get a baseline for expected user behavior. AlienVault USM provides detailed user activity reporting across all the assets in your environment so that you can verify that security policies are being followed, and that any violations are documented and investigated. In addition, you can set up AlienVault USM to run reports at regularly scheduled intervals (the screenshot below captures just a few of the many reporting options for monitoring user activity).



Review (and potentially reconfigure) security monitoring controls based on lessons learned from the
incident.
Once you've completed and verified all necessary remediation steps (and this goes for patching systems as well as tweaking security policies), it's time to do a critical analysis of the entire incident for essential lessons learned. Ask yourself and your team:
- What went well?
- What did we miss?
- What could we have done better?
During this analysis, you may discover the need to increase monitoring on certain assets or asset groups. With AlienVault USM, you can enable host-based IDS on specific assets and asset groups to monitor system performance as well as changes to critical system files.
Additionally, you may decide to do weekly rather than monthly vulnerability scans. AlienVault USM allows you to schedule vulnerability scans at any frequency, and offers a lot of options for how to execute these scans.



ACT: Summary
Key takeaway #1: Quickly implement remediation on all affected assets and verify that remediation has
been done properly.
How does AlienVault help?
AlienVault USM's integrated Vulnerability Assessment checks for software weaknesses or misconfigurations that could expose systems to increased risk. AlienVault USM's Asset Inventory capability gives you granular data about your assets, including all installed software, so you can verify that the necessary patches have been installed or that specific services have been disabled.

Key takeaway #2: Review and update security awareness training programs or security policies as
appropriate.
How does AlienVault help?
AlienVault USM provides detailed user activity monitoring reports so that you can measure security
awareness and policy compliance over time.

Key takeaway #3: Review (and potentially reconfigure) security monitoring controls based on lessons
learned from the incident.
How does AlienVault help?
The AlienVault USM platform makes it easy to fine-tune each security monitoring capability based
specifically on what you glean from a post-mortem analysis.

Summary
AlienVault USM, AlienVault Labs, and AlienVault OTX provide the foundation you need for effective
incident response. From Observing and Orienting to Deciding and Acting, AlienVault is your partner
in detecting and responding to the latest threats. Thanks to our all-in-one approach to security
monitoring, you and your fellow incident responders will have more time to spend on active threat
hunting and less time on managing individual point products.

Learn more about the AlienVault Unified Security Management (USM) Platform
See the 90-second demo
Start detecting threats with a 30-day trial of AlienVault USM
Join the Open Threat Exchange (OTX)

2016 AlienVault. All rights reserved. AlienVault and the AlienVault logo are trademarks or registered trademarks of AlienVault.
All other names and trademarks are for identification purposes and are the property of their respective owners.
