Educause Security Discussion mailing list archives

Re: SSNs, rootkits, Incident Response, etc...


From: Gary Golomb <coach () GWU EDU>
Date: Thu, 6 Jul 2006 18:48:55 -0400

Hey John-

Blabbing inline... ;)

Very interesting. We (ISO) have been asked to run assessments on
ALL (200+) servers in our environment after one of our systems was
compromised. So we are trying to come up with a toolkit to scan for
compromises (rootkits, Trojans, etc.) and that has secure reporting
abilities.


This is actually what the application was born from. It started as an
automated IR program two years ago, until we got the directive to
assess the security and integrity of a little over 200 servers
(controlled by other departments, not the Info Systems group), plus
determine if there was sensitive data on them. We completed the total
project about a year ago, but the tool at that time generated too much
data and took too long to run.

We're gearing up for part II of the project which now audits all
desktops, meaning the size of the project has tripled in terms of
numbers of systems to scan. The goal of the application now is:

- Provide a means of mass-scanning (produce lightweight and only
*relevant* data with secure upload)
- Allow for dependable system integrity assurance (kernel- and user-levels)
- Consistent sensitive data detection

One of the challenges is just finding tools that work on all our
flavors...Windows, Unix (HP, Alpha), Linux, Solaris.


Ugh... Yeah... I can help you in the Win32 department. :) We have some
solutions for the others, but I'm certain they're comparable to other
solutions (script-based).

And the greatest challenge is finding something straightforward
enough to use so we can give this to our techs to run and they don't
require a forensics background!


That is the other primary goal of this program. Click and go. If the
point is to automate [as much as possible] what experts do, then it
should involve very little of the person actually running it. That data
should be sent to the proper people for their analysis, but the GUI
version of the program also has a live-help system that guides the
end-user along and tells them what to look for. (I'm a big believer that
much of what "we" do (IR and forensics) is automatable/trainable, and
that reflects in this application and separates it from anything else
I've ever seen like it. Certain others - I also don't care to discuss
the philosophy/technology of that last sentence on this list, but
thanks. I'd rather spend the time writing new code (or drinking), not
emails.)

So where's the beta :)


That's something we're trying to figure out now and why I made that
post. We're coming up with different business cases for different
scenarios and will make a decision soon. I'll keep your contact
information to let you know. I have a feeling the GUI version
(standalone) should be publicly available very soon... More to come on a
"beta program" for the enterprise version.

-Gary
