Tool Kit Essentials
Every intrusion analyst has to have a toolkit. It's not just the essential Linux programs you need to install on each machine you do analysis from, but it entails all those web sites you use to check sites, to help you deobfuscate malicious code, research exploits and the like, not to mention some of the good Windows-only tools you might be using (like NetWitness Investigator or Malzilla). I used to keep a flat file of all the tools I needed, but it quickly gets out of date. How do you determine what should be on that list?
I've received a flurry of emails lately from recruiters for IDS related posts they need to fill. As I was reading one, it struck me: If I took this job and needed to get up and running doing intrusion analysis on Day One, what would I need to make that happen? I realized that scenario defines what should be in my essential toolkit. Not those rarely used apps or sites that that duplicate things I can cmd line from the packet boxes, but what I HAVE to have.
So rather than create another list, I've decided I need (yet another) flash drive to keep with me at all times (at least when I'm working) that has current copies of essential tools, Windows and Linux, exported bookmarks, copies of notes I've taken and such so that I'm fairly comfortable that I could walk in the door of a new job and within a couple of hours be ready to start looking at alerts.
If you have a better method, please share. I don't have any plans to change jobs, but keeping this info close by and updated is also a way to keep up with version checking and making sure I always have the latest improvements in my tools.
Thoughts?
I've received a flurry of emails lately from recruiters for IDS related posts they need to fill. As I was reading one, it struck me: If I took this job and needed to get up and running doing intrusion analysis on Day One, what would I need to make that happen? I realized that scenario defines what should be in my essential toolkit. Not those rarely used apps or sites that that duplicate things I can cmd line from the packet boxes, but what I HAVE to have.
So rather than create another list, I've decided I need (yet another) flash drive to keep with me at all times (at least when I'm working) that has current copies of essential tools, Windows and Linux, exported bookmarks, copies of notes I've taken and such so that I'm fairly comfortable that I could walk in the door of a new job and within a couple of hours be ready to start looking at alerts.
If you have a better method, please share. I don't have any plans to change jobs, but keeping this info close by and updated is also a way to keep up with version checking and making sure I always have the latest improvements in my tools.
Thoughts?