Saturday, July 23, 2011

Tools in the Toolbox - What is our goal

As a follow-up to some questions I have received about the tools in my toolbox, I thought a new blog post might help answer them.

Have you actually used the tool in real world scenarios?
                This build-out is currently something new to both the team and the company. Until now our response to malware has been chaotic: a collection of best attempts at investigating each issue. Over the last few months we have taken a more baseline approach, defining what we want to track and how we plan to react. Some of the tools in this kit I have used myself; others were recommended by people who use them.
What is your goal from the toolbox?
                My team supports a global company, so it is impossible for one of us to physically reach every machine. Remoting into a machine is difficult because of the various trusts in place in the network, and my team is not staffed 24/7; we have after-hours support if needed. With that in mind, the tools I am looking for should meet the following:
                Data collection that is scriptable.
                Simple user interface as needed.
                The application should be a portable solution, able to be installed on a thumb drive.
                The application should be easy to use, requiring minimal training for support staff.
                Utilities and results should fit, uncompressed, within 4GB.
Keeping that in mind, if I cannot script my utilities to gather the data I need there will be pushback, and the broad adoption we are looking for becomes less likely. Eventually we will add more robust tools and collect more data, but right now I am keeping it simple.
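As an added example, not code from the original post or from its kit, here is a minimal collection runner that meets the requirements above: it runs from the kit's own directory so it works from a thumb drive, takes its list of command-line utilities from a simple manifest file, writes each tool's output plus a JSON log with SHA-256 hashes into a per-host case folder, and stops launching tools once the uncompressed results reach the 4GB budget. The manifest format, the file names and the `parse_manifest`/`collect` functions are my assumptions, not anything the post describes; the manifest line in the docstring is a constructed sample.

```python
"""Portable collection runner (example code, not the post's own kit).

Runs a manifest of command-line utilities from the kit's own directory,
writes each tool's output into a per-host case folder, hashes every
result file, and stops before the uncompressed results exceed 4 GB.
"""
import hashlib
import json
import os
import platform
import shlex
import subprocess
import time
from pathlib import Path

BUDGET_BYTES = 4 * 1024 ** 3   # 4 GB uncompressed, per the kit requirements


def kit_root() -> Path:
    # Location of this script, i.e. the thumb drive, not the host's working dir
    return Path(__file__).resolve().parent


def parse_manifest(text: str) -> list[dict]:
    """Manifest format (assumed for this example): one step per line,
    '<name> | <command line>'; blank lines and '#' comments are ignored.
    Constructed sample line:  ipconfig | ipconfig /all
    """
    steps = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "|" not in line:
            raise ValueError(f"manifest line {lineno}: expected '<name> | <command>'")
        name, cmd = (part.strip() for part in line.split("|", 1))
        if not name or not cmd:
            raise ValueError(f"manifest line {lineno}: empty name or command")
        # Non-POSIX splitting on Windows keeps backslash paths intact
        steps.append({"name": name, "argv": shlex.split(cmd, posix=(os.name != "nt"))})
    return steps


def tree_size(root: Path) -> int:
    """Total bytes currently stored under the case folder."""
    return sum(p.stat().st_size for p in root.rglob("*") if p.is_file())


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def run_step(step: dict, case_dir: Path, timeout: int = 300) -> dict:
    """Run one utility, capture stdout+stderr to <name>.txt, record the outcome."""
    out = case_dir / f"{step['name']}.txt"
    started = time.time()
    try:
        proc = subprocess.run(step["argv"], capture_output=True, timeout=timeout)
        out.write_bytes(proc.stdout + proc.stderr)
        rc = proc.returncode
    except (OSError, subprocess.TimeoutExpired) as exc:
        # A missing or hung tool must not abort the rest of the collection
        out.write_text(f"collection failed: {exc}\n")
        rc = None
    return {"name": step["name"], "argv": step["argv"], "returncode": rc,
            "seconds": round(time.time() - started, 3), "output": out.name,
            "sha256": sha256_file(out)}


def collect(steps: list[dict], case_dir: Path, budget: int = BUDGET_BYTES) -> dict:
    """Run every step in order, skipping the remainder once the budget is reached."""
    case_dir.mkdir(parents=True, exist_ok=True)
    log = {"host": platform.node(), "started": time.strftime("%Y-%m-%dT%H:%M:%S"),
           "steps": [], "skipped": []}
    for step in steps:
        if tree_size(case_dir) >= budget:
            log["skipped"].append(step["name"])
            continue
        log["steps"].append(run_step(step, case_dir))
    log["bytes_collected"] = tree_size(case_dir)
    (case_dir / "collection_log.json").write_text(json.dumps(log, indent=2))
    return log


if __name__ == "__main__":
    # Assumed layout: manifest.txt beside this script, results under ./cases/
    manifest = (kit_root() / "manifest.txt").read_text()
    dest = kit_root() / "cases" / f"{platform.node()}-{time.strftime('%Y%m%d-%H%M%S')}"
    result = collect(parse_manifest(manifest), dest)
    print(f"{len(result['steps'])} steps run, {len(result['skipped'])} skipped, "
          f"{result['bytes_collected']} bytes written to {dest}")
```

Support staff only need to plug in the drive and run the script; the per-step return code, timing and hash in `collection_log.json` tell the responder afterwards which utilities actually ran and whether the result files were altered in transit.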

Why did you select the following tools?
                I selected the tools based on my familiarity with them, the purpose of each tool, command-line functionality, and some personal preference. I expect to adapt and replace tools as needed while figuring out which ones provide the best solutions for our malware incident response.

Why didn’t you select a specific tool?
                The main reasons I did not add a particular tool are my lack of familiarity with it as I start this process, and the lack of a simple command-line collection option. Another reason is that I may simply not have heard of it: this is a new process for our team, and I am working on assembling the best free tools for our purpose. That requires me to test and learn the tools that are the best options for our kit.

While I am currently using a paid application, Sep Tools, I am hoping to have the entire collection kit made up of freeware/shareware and pass the utility out to the community.
