Deploy the containerized GRR to unmask the intruders

Containerized GRR is a forked implementation of GRR Rapid Response, an incident response tool designed and developed by Google engineers. Containerized GRR differs from the original GRR by running its components in Docker containers. In my experience, Docker containers are a more approachable way to take the tool into use, since they simplify deployment by removing the dependency problems that traditional installation methods, such as compiling from source code, tend to cause.

It is worth noting that the GRR project also offers an official GRR Docker image; however, that image bundles all the required server components into a single container, which is why the GRR developers state that the official image is a viable solution only for testing and evaluation purposes. With containerized GRR you can split the server components across separate containers, which allows better scalability and makes the tool usable in production as well.

Myth: Deploying an open source tool costs no money

Deploying an open source tool can be painful. The deployment often needs more attention, time, and technical capability from the deployer than deploying a commercial tool would. For this reason, the process can incur more costs and tie up more resources than was first assumed.

One reason for the difficulty of open source tool deployment is the availability of support. When you buy a commercial product, you can contact customer service, ask the tool's developers for individual help, and often get answers to your problems within a very short time frame. In the open source world, the support is either there or it is not. It depends heavily on the activity of the tool's developers and the size of the community behind the project. Furthermore, the quality of open source deployment manuals varies, which can lead to misunderstandings. I would say that the myth is busted.

However, this does not mean that open source tools should not be used. On the contrary, I highly recommend familiarizing yourself with every potential open source infosec tool in the wild. You might end up finding a tool that gives you more leverage than the corresponding commercial one. If the tool also comes with a manual with precise installation instructions, you have a win-win solution in your hands.

Set up containerized GRR using just four commands

The deployment of containerized GRR has been designed to be straightforward from the beginning. In a nutshell, you can take advantage of the tool just by cloning the Git repository, executing a setup script, initializing a network for Docker, and finally building the tool. Sounds worth trying. Read more about containerized GRR in our Git repository or in my bachelor's thesis.

So, what to do with containerized GRR?

The deployment of containerized GRR is just the beginning of the journey. In future posts I will go through how to take advantage of the tool in remote live forensics and threat hunting investigations, to collect data about an incident that has occurred and to hunt a potential intruder in your environment. In addition, the integration possibilities between containerized GRR and other tools and systems will be presented.

About this blog post

This blog post is the first in a series that focuses on raising organizations' capability to prepare for, hunt, and respond to incidents occurring in their environments by using the Prepare-Hunt-Response (PHR) model, designed by JYVSECTEC's specialists. If you have any questions about the blog post or you want to hear more about the PHR model, you can contact the author directly. Stay safe and tuned.

Joni Ahonen
Technical Specialist
Institute of Information Technology, JAMK University of Applied Sciences