This post is a continuation of my RR&A (Rapid Response & Assessment) articles and the process I use. In my previous post here, I provided a procedure that details the initial step of the overall RR&A program: running EnCase Sweep Enterprise, with some insights into the data points I review. That procedure can be accessed here. This post, along with its accompanying procedure, details the continued response after Sweep Enterprise has run by specifying the data points to collect. The procedure itself is just a rudimentary step-through of the data to collect. Nonetheless, it provides instructions that the non-technical people on my team can follow while I tend to more pressing matters. I have a couple of non-technical people I can turn to for data collection, so I will point them to this procedure.
When you don't have a fully automated enterprise tool that can do all the heavy lifting for you, improvise you must to address a problem. When you have lemons, well, you know what you do.
I met with the folks from Mandiant not so long ago to discuss MIR and its offerings. I am incredibly impressed with MIR and really like the built-in endpoint containment feature, something I am sorely lacking where I work. Until I can convince my employer why I believe we need a tool like MIR, the best I can do right now is my "roll your sleeves up and get yourself dirty" approach, namely my RR&A procedure. It works; however, it's slow, laborious, and just takes too damn long, especially when I need to contain a host. The upside to this approach is that you become acutely aware of what data you really need, and that understanding is a good thing. Too many folks spend time clicking about in a GUI not achieving much, then finally throw up their hands: "nope, can't see it". Urgh! Anyway, onward and upward I try every day.
I do need to improve the speed and efficiency of this RR&A approach. It could start with an EnScript for the data collection piece, and then look at ways to automate the analysis, or parts of it. I am not a scripter, so I will be reaching out to my in-house SMEs for input if I can pin them down for a moment.
The next few posts from here on out will continue with the RR&A topic by looking at the analysis approach for each data point collected.
The procedure can be accessed here from Google Drive.
Regards,