WHAT IS AUTOMATED INCIDENT RESPONSE EVIDENCE COLLECTION?
Evolve remotely orchestrates scalable incident response environments in any location, whether it is on-premise or in the cloud. When a security breach occurs, evidence is collected for deep technical analysis to quickly confirm and contain any negative impacts.
The Evolve “Automated Incident Response Evidence Collection” workflow is triggered as soon as a security breach occurs. This will automatically collect critical evidence whilst the attacker is still on the victim machine to help ensure evidence is not destroyed or lost.
It’s hard to find the key pieces of evidence to collect during a security breach, or even how to collect the evidence. Evolve solves this by automating evidence collection ready for analysis. Key artefacts include memory dumps, network connections, running services, process lists, requested domains, security log files, latest changed files, registries, signed binaries and many more.
Your security team can have faster access to verified information about a security breach meaning earlier triage and automated response for a streamlined and specialist incident response process.
Evolve “Automated Incident Response Evidence Collection” natively integrates with Slack for “Automation Authorization” enabling ChatSecOps capabilities to maximize your resources and security budgets.
Automated Incident Response Evidence Collection is available in the Evolve Marketplace. Simply import this automation workflow into your Evolve Account with flexible monthly subscriptions to maximize your security budgets.
Our Getting Started Guide will step you through importing and launching your first Automated Incident Response Evidence Collection workflow. Enhance your specialist security capabilities now.
Automated Evidence Collection During Attack
Distributed Automated Incident Response
ChatOps Incident Response Authorization
Automated Incident Response Chaining
Automated Evidence Hash Creation
Automated Evidence Artefact Timestamping
Automated Evidence Duplication
Automated Memory Dump Collection
Automated Security and System Log Collection
Automated Master File Table Collection
Automated Network Connections Collection
Automated Registry Collection
Automated Services Collection
Automated Device Drivers Collection
Automated Running Processes Collection
Automated User Information Collection
Automated DNS Cache Collection
Automated Signed Processes Collection
Automated System Information Collection
Automated System Files Collection
FLEXIBLE SUBSCRIPTION PRICING
Evolve enables you to maximize your security budget by providing flexible monthly subscriptions with no lock-in contracts. Simply import the Automated Incident Response Evidence Collection capability from the Evolve Marketplace to begin your subscription.
Monthly Subscriptions. No lock-in contracts.
OPTIMISE YOUR COSTS WITH USAGE-BASED BILLING
Importing workflows and modules from the Evolve Marketplace incurs a once-off usage charge per import to orchestrate your new capabilities.
SECURITY ZONE USAGE
Evolve transparently optimizes usage charges related to the scaling of Security Zone infrastructure and storage in real-time.
Evolve Workflow usage occurs when launching new workflows to orchestrate and chain your security automation modules and data.
Evolve Modules are stored and executed on-demand and in real-time, which incurs usage. Optimize usage by reducing module executions.
Evolve Agents allow distributed orchestration of modules on-premise and in the cloud. Optimize usage by reducing the polling frequency.
When storing and transferring data within Evolve Containers, usage charges can be optimized by compressing or expiring data.
Generating and storing Evolve Dashboards incurs usage to enable populating chart data from within Evolve Containers.
Evolve Event usage enables you to keep track of all of the security automation actions and events within your accounts.
FREQUENTLY ASKED QUESTIONS
WHAT IS AUTOMATED INCIDENT RESPONSE EVIDENCE COLLECTION?
The Evolve “Automated Incident Response Evidence Collection” solution can be triggered automatically by your SIEM using the Evolve Command Line Interface (CLI), or natively via Evolve Incident Detection solutions, as soon as a security breach occurs.
In real-time, Evolve will remotely orchestrate an incident response environment in any of your locations, whether it is on-premise or in the cloud, via an Evolve Agent. This provides automatic critical evidence collection whilst the attacker is still on the victim machine to help ensure that evidence is not destroyed or lost.
Evolve will automatically collect security breach evidence artefacts including memory dumps, network connections, running services, process lists, requested domains, security log files, latest changed files, registries, signed binaries, and many more.
This provides your security team with faster access to information about a security breach allowing earlier triage and automated response.
HOW DO I GET STARTED?
The first step is to register for an Evolve Account. You will then have access to the Evolve Marketplace where you can subscribe to the Automated Incident Response Evidence Collection solution. Simply import this automation workflow into your Evolve Account.
You can follow the Getting Started Guide to then set up your first Automated Incident Response Evidence Collection workflow instance.
You can then chain the Evolve Automated Incident Response Evidence Analysis workflow for automated triage and Indicators Of Compromise (IOC) generation.
HOW DO I INTEGRATE WITH SLACK FOR AUTOMATION AUTHORIZATION?
Evolve Automated Incident Response Evidence Collection natively integrates with Slack.
The Evolve SlackBot can request authorization from your security team prior to the evidence collection being performed. This provides you with full control over your incident response whilst also streamlining your incident response processes.
Alternatively, your security team can simply be notified that the Evolve automated evidence collection has been initiated on a particular host to allow faster containment of breaches.
Simply import the Evolve SlackBot from the Evolve Marketplace and launch an instance of the Evolve SlackBot module. This SlackBot module instance is positioned before the Evolve Automated Incident Response Evidence Collection so that authorization is triggered before any actions are taken.
GETTING STARTED WITH AUTOMATED INCIDENT RESPONSE EVIDENCE COLLECTION
STEP 1: REGISTER AN EVOLVE ACCOUNT
Congratulations on deciding to mature and streamline your security capabilities and maximize your security budgets. Your first step is to simply Register an Evolve Account using the Register button on the Evolve website.
STEP 2: LOGIN TO YOUR EVOLVE ACCOUNT
Now that you have an Evolve Account, login using the Sign-In button on the Evolve website. This will take you to the Evolve welcome screen.
STEP 3: SETUP YOUR EVOLVE BILLING
Evolve subscriptions and usage-based bills are charged via credit card. You can set up your payment method via the Billing feature located under your Profile Menu towards the top right-hand corner of your Evolve Account. Select the “Add Payment Method” button, which will load the Evolve Secure Payment Gateway page where you can add your credit card details.
As part of our fraud-prevention controls, your credit card will be charged a nominal amount that you need to enter to verify your credit card before it can be used for payments. Your Evolve Account is now set up and you are ready to mature your security.
STEP 4: SELECT YOUR EVOLVE REGION
Evolve is a specialist security automation cloud, which means that it has globally distributed infrastructure enabling geographic security controls allowing you to keep your data and processing within the geographical regions aligned to your business needs. You can select your Evolve Region in the top right-hand corner of your Evolve Account. Any actions you take will occur within your selected Evolve Region.
STEP 5: IMPORT WORKFLOW FROM THE EVOLVE MARKETPLACE
The Automated Incident Response Evidence Collection workflow is available in the Evolve Marketplace, which you can navigate to under the Marketplace side-menu. Whilst in the Evolve Marketplace, you can locate this workflow by either selecting the “Incident Response” category and browsing through the available workflows, or by searching for the keyword “evidence”.
By clicking on the Automated Incident Response Evidence Collection workflow marketplace item, you can review the overview of the workflow, as well as usage and subscription pricing information. Click the Import button and simply step through the import steps, where you will then be redirected to the Imports page. You may need to use the Reload button to see your newly imported workflow.
Once the import status changes from “Pending” to “Available”, you have successfully subscribed to this security automation workflow and added this specialist security capability to your business.
STEP 6: CREATE AN EVOLVE AGENT
Evolve Agents are used to remotely orchestrate and execute security automation workflows within your internal on-premise or cloud environments. Since we want to collect evidence from internal systems, we will set up an Evolve Agent to remotely orchestrate an incident response environment within your internal network in real-time when a security breach occurs.
Select the Agents side menu and click the New Agent button. Set a useful name for your Agent and click the Next button, which will take you to the Configuration page to set the following options:
Evolve Agents poll the Evolve Agent API to request actions to be performed, such as orchestration and module executions. Agent polling incurs usage costs that can be optimized by reducing the number of times the Evolve Agent API is polled. For example, you may want to configure the Agent to poll every minute for fast execution of modules causing a higher usage, or you may want to configure the Agent to poll every hour for delayed module executions but a lower usage. In our use-case, we will set the “Agent Polling Frequency” to be “1 Minutes” since evidence collection is time sensitive.
When Agents are installed (possibly on multiple systems), they register themselves as an Agent Device. The Inactive Device Expiry is the period after which Evolve assumes that a device that has not polled no longer exists. Evolve will automatically delete the Agent Device Registration after this inactive period. This keeps the Agent Device list clean. Evolve Agents will automatically re-register themselves if they come back online. In this use-case, set the “Inactive Device Expiry” to be “7 Days”.
Click the Next button, review your settings, and then click the Create button. This will automatically create your new Evolve Agent, which should be available immediately.
STEP 7: SETUP YOUR EVOLVE AGENT
Now that you have your Evolve Agent created, you can install the Evolve Agent on your internal network that will connect back and automatically register itself via the Evolve Agent API.
Your first step is to set up an Ubuntu machine on your internal network, which should have access to the systems that you may want to automatically collect evidence from. This machine should have access to the internet, either directly or configured with the required proxy details, so that any required Linux packages can be downloaded automatically (typically via apt, pip, wget or curl).
From within the Evolve Console, select the Agents side menu to list your available Evolve Agents. You will find a series of buttons alongside your Agent where you will need to click the button called “Download”. This will download a ZIP file containing the Evolve Agent installer and your corresponding Evolve Agent API Key. Copy this ZIP file to your Ubuntu machine and unzip the contents.
Open a Terminal and change to the directory where you extracted the Evolve Agent Installer. You may need to set the installer to be executable by running the command “chmod 750 install.sh”. You can now view the installer options by running “sudo ./install.sh -h”.
In nearly all cases you can install using the default options with the command “sudo ./install.sh“. This will automatically install all of the dependencies, configure your Evolve Agent, set it to start on boot, and automatically connect and register with the Evolve Agent API.
To check that your Agent is running, run the command “ps aux | grep agent.py”, which should show that the Evolve Agent is running.
You should confirm that your Agent has registered successfully. From within the Evolve Console, select the Agents side menu to list your available Evolve Agents. Alongside your Agent row, click the button called “View Devices”. This will list all of the registered Agent Devices that are running this Evolve Agent.
That’s it. You are now ready to start remotely orchestrating Evolve Incident Response workflows via your Evolve Agent against your internal systems.
STEP 8: LAUNCH A WORKFLOW INSTANCE
You have imported the Automated Incident Response Evidence Collection workflow, which can be thought of as a part of your security team’s incident response security capability. You now need to launch a Workflow Instance to be orchestrated and executed each time a security breach occurs.
Select the Workflows side menu item to list your available workflows. You will find a series of buttons alongside your Automated Incident Response Evidence Collection workflow where you will need to click the button called “Create Instance”. Set a useful name for your workflow instance and click the Next button, which will take you to the Parameters page where you provide your authentication details.
The Automated Incident Response Evidence Collection workflow currently supports Windows evidence collection, which means that Evolve must be able to authenticate to your Windows systems as an Administrator (typically either a Local Administrator, Workstation Administrator, Server Administrator, or a Domain Administrator). Enter your Windows Domain, Administrator username and password. These details are stored encrypted within the Evolve platform and are passed to modules being executed in real-time for authentication.
Since this workflow will typically be chained with others, you have the option to select the Input Container and Output Container. For example, the Output Container can be set to be the Input Container of the Automated Incident Response Evidence Analyzer workflow for automated evidence analysis.
Click the Next button to go to the Configuration page, where you select the default location in which modules will be executed. You should un-check the Security Zone and select your Evolve Agent from the “Agents” drop-down list.
Click the Next button, review your settings, and then click the Create button. This will automatically orchestrate your Automated Incident Response Evidence Collection workflow instance, including all Module Instances and Containers, using the configurations that you specified for your systems.
Your workflow will be automatically launched by Evolve every time a new Evolve State File containing an internal IP address is uploaded to the Input Container and evidence will automatically be collected.
STEP 9: SETUP YOUR WINDOWS SYSTEMS FOR EVIDENCE COLLECTION
When a security breach occurs, the Evolve Automated Incident Response Evidence Collection workflow will automatically attempt to connect to the victim Windows machine to collect the required evidence.
Evolve uses the native Windows Remote Management (WinRM) protocol over HTTPS to remotely run commands via PowerShell on your Windows machines, and uses SMB to collect large files including memory dumps.
You need to ensure that your Windows machines have WinRM and SMB running, and that they are permitted through the Windows Firewall. This can be performed by applying an Active Directory Group Policy to all Windows systems, or can be applied on each individual host.
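As an added example (not Evolve’s own tooling), the following PowerShell script checks a single Windows host against the prerequisites above: the WinRM service running, a WinRM HTTPS listener present, and enabled inbound firewall rules for WinRM-HTTPS (TCP 5986) and SMB (TCP 445). The -Fix switch, the $CertThumbprint parameter and the firewall rule names are assumptions for this example; run it from an elevated PowerShell session.

```powershell
# Added example, not part of the Evolve product. Verifies (and optionally
# repairs) the per-host prerequisites for WinRM-over-HTTPS and SMB collection.
param(
    [string]$CertThumbprint,   # server-auth certificate for the HTTPS listener (assumed input)
    [switch]$Fix               # create missing listener/rules instead of only reporting
)
$ok = $true

# 1. The WinRM service must be running and start automatically on boot.
$svc = Get-Service -Name WinRM
if ($svc.Status -ne 'Running') {
    Write-Warning "WinRM service is $($svc.Status)"
    if ($Fix) { Set-Service -Name WinRM -StartupType Automatic; Start-Service -Name WinRM }
    else { $ok = $false }
}

# 2. An HTTPS listener is required; the default Enable-PSRemoting only creates HTTP.
$https = Get-ChildItem -Path WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' }
if (-not $https) {
    Write-Warning 'No WinRM HTTPS listener is configured'
    if ($Fix -and $CertThumbprint) {
        New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
            -CertificateThumbPrint $CertThumbprint -Force | Out-Null
    } else { $ok = $false }
}

# 3. Inbound allow rules for WinRM-HTTPS and SMB must exist and be enabled.
$ports = @{ 'WinRM-HTTPS' = 5986; 'SMB' = 445 }
foreach ($name in $ports.Keys) {
    $port = $ports[$name]
    $rule = Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq $port } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }
    if (-not $rule) {
        Write-Warning "No enabled inbound allow rule for $name (TCP $port)"
        if ($Fix) {
            New-NetFirewallRule -DisplayName "Evidence collection $name inbound" -Direction Inbound `
                -Protocol TCP -LocalPort $port -Action Allow | Out-Null
        } else { $ok = $false }
    }
}

if ($ok) { 'Host meets the evidence collection prerequisites' }
else     { 'Prerequisites are missing; rerun with -Fix (and -CertThumbprint) to repair' }
```

Scope the firewall rules to the IP range your Evolve Agent connects from rather than leaving them open to all sources, and apply the same settings via Group Policy where you have many hosts.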
STEP 10: REVIEW YOUR RESULTS
The Evolve Automated Incident Response Evidence Collection workflow will automatically upload the collected evidence as a ZIP file to the configured Evolve Output container.
From within the Evolve Console, select the Containers side menu to list your available Evolve Containers. In the search box, type “evidence” to filter down your Container list. Locate the Evidence Collection Output Container. You will find a series of buttons alongside your Container where you will need to click the button called “View”. This will list the evidence ZIP files stored within your Evolve Container. You may download the evidence files using the corresponding “Download” button.
More advanced users may also want to be notified when your incident response evidence collection is complete by importing the Evolve SlackBot from the Evolve Marketplace and chaining it off your Output Container for real-time ChatOps notifications.