The Evolution of Live Response
In my last post, I mentioned that the FRU and FSP had been demos as part of the CERT VTE. Very cool. If you've read this blog for any period of time, you'll know that I've been interested in live response and forensic analysis of Windows systems for a while. One thing that the VTE demo showed me is that I really have to write up a user guide or manual for using the FSP tools, and then add a GUI to them.
That being said, I've been purusing the usual blogs for write ups regarding the recent BlackHat Federal conference. When you can't attend, reading other's impressions is the next best thing to being there. Kevin Mandia's presentation caught my eye, so I downloaded it and read through it. One of the things mentioned in the presentation is a "Live Response" tool that should be released by Kevin's company, Red Cliff Consulting, in January. After some discussion in the presentation on how incidents are detected, things that need to be collected are mentioned on slide 55 (there are 90 slides, folks, but the presentation is well worth the wait). The next slide contains a list of tools that can be run - while I agree with the tools for the most part, there are a couple that I'm not sure I'd run, but that's all covered in my book.
Slide 66 shows an image of the Live Response tool...it looks very interesting, and I really wish I'd been able to make it to the conference. I really like what I see in the presentation, overall...Kevin evidently went over several things (at least, in the slides) that I've been thinking about for some time now, such as the fact that live response is evolving due to the notification laws, with California's SB1386 being one of the first. In essence, companies need to know if client data has been compromised in anyway.
Thoughts? Where do we go from here? Is live response viable, particularly on Windows systems?
That being said, I've been purusing the usual blogs for write ups regarding the recent BlackHat Federal conference. When you can't attend, reading other's impressions is the next best thing to being there. Kevin Mandia's presentation caught my eye, so I downloaded it and read through it. One of the things mentioned in the presentation is a "Live Response" tool that should be released by Kevin's company, Red Cliff Consulting, in January. After some discussion in the presentation on how incidents are detected, things that need to be collected are mentioned on slide 55 (there are 90 slides, folks, but the presentation is well worth the wait). The next slide contains a list of tools that can be run - while I agree with the tools for the most part, there are a couple that I'm not sure I'd run, but that's all covered in my book.
Slide 66 shows an image of the Live Response tool...it looks very interesting, and I really wish I'd been able to make it to the conference. I really like what I see in the presentation, overall...Kevin evidently went over several things (at least, in the slides) that I've been thinking about for some time now, such as the fact that live response is evolving due to the notification laws, with California's SB1386 being one of the first. In essence, companies need to know if client data has been compromised in anyway.
Thoughts? Where do we go from here? Is live response viable, particularly on Windows systems?