Incident Response Tips

Chronos

Author: Daniel Lubel, Senior Purple Team Researcher

We are happy to announce the publication of our new open-source tool, Chronos.

During an incident response there are two main goals: identify the root cause of the attack and tell the story of what just happened. These two goals are achieved through the following three phases:

  1. Collecting logs and artifacts from the various data sources all over the network: cloud instances, endpoints, servers, web applications, etc.
  2. Saving and indexing the collected artifacts
  3. Investigating: detecting suspicious artifacts/indicators both before and after the event that led to the incident. Examples of such artifacts are lateral movement indicators, exploitation attempts, persistence mechanisms and more.

The more logs and artifacts there are, the harder the analyst has to work to parse them into a chronological timeline of events that can be analyzed properly.

For this reason, we have created Chronos, a simple-to-use Python-based framework that addresses phases 2 and 3 and makes the analyst's job much easier.
Chronos functions as a centralized framework that converts all the artifacts collected in phase 1 into unified records with the same fields and the same time format, and then indexes the results into an Elasticsearch DB for efficient and convenient analysis.

Some advantages of this approach:

  1. The more logs there are, the more data we need to store and analyze. Databases are designed to hold huge amounts of data and to perform efficient search operations over it.
  2. Once all the data is in the same place, the analyst can see every piece of evidence in relation to the others, which makes the analysis much easier.
  3. When using a dedicated program per data source, the timestamps often end up out of sync with the rest of the evidence. For example, Event Viewer shows times in the local time zone, whereas other tools use UTC.
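To make the normalization step (phase 2) and the time zone problem from point 3 concrete, here is an added example that is not Chronos code and does not use its API: two constructed sources with different field names and time conventions are mapped onto one unified record layout with a UTC timestamp, merged into a chronological timeline, and rendered as an Elasticsearch `_bulk` request body. The source names, field names and index name are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample artifacts. Event Viewer exports carry local time with a
# UTC offset; the web server log is already UTC but has no offset marker.
EVTX_ROWS = [
    {"TimeCreated": "2023-03-01T10:15:00+02:00", "EventID": 4624,
     "Computer": "WS01", "Message": "An account was successfully logged on."},
    {"TimeCreated": "2023-03-01T10:05:00+02:00", "EventID": 4688,
     "Computer": "WS01", "Message": "A new process has been created."},
]
WEB_ROWS = [
    {"time": "2023-03-01T08:10:00", "server": "WEB01", "method": "POST",
     "path": "/login", "status": 200, "client_ip": "10.0.0.5"},
]

def to_utc(ts: str) -> str:
    """Normalize an ISO-8601 timestamp to UTC; naive values are assumed UTC."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).isoformat()

def normalize_evtx(row: dict) -> dict:
    """Map a Windows event record onto the unified field set (assumed layout)."""
    return {"@timestamp": to_utc(row["TimeCreated"]), "source": "windows_evtx",
            "host": row["Computer"], "event": str(row["EventID"]),
            "message": row["Message"]}

def normalize_web(row: dict) -> dict:
    """Map a web server access record onto the same unified field set."""
    return {"@timestamp": to_utc(row["time"]), "source": "web_access",
            "host": row["server"],
            "event": f"{row['method']} {row['path']} {row['status']}",
            "message": f"client {row['client_ip']}"}

def build_timeline(evtx_rows: list, web_rows: list) -> list:
    """Merge both sources and order them on the normalized UTC timestamp."""
    records = [normalize_evtx(r) for r in evtx_rows]
    records += [normalize_web(r) for r in web_rows]
    return sorted(records, key=lambda r: datetime.fromisoformat(r["@timestamp"]))

def to_bulk_ndjson(records: list, index: str = "chronos-timeline") -> str:
    """Render records as an Elasticsearch _bulk body (action line + document)."""
    lines = []
    for rec in records:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(rec))
    return "\n".join(lines) + "\n"
```

Sorting the raw timestamps as strings would have placed the 08:10 web request before both Windows events; after normalization the process creation (08:05 UTC) correctly comes first.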

Once all the logs are saved, we can use different visualizations or run more advanced analyses using various scripting capabilities, for example with Jupyter notebooks.

Provided as is, the framework relies on many Windows utilities for the parsing process and as such is designed to run on Windows machines. We ship the framework with native parsers, and you are more than welcome to extend it to work with your own unique data sources.
The next steps for the project are to provide the community with a bank of queries and dashboards based on industry-standard rules, and to add support for further data sources.

Please share your feedback, and if there are any questions feel free to catch us at
[email protected]

The project can be found at https://github.com/otoriocyber/chronos