You, CSO of XYZ company, you're home. Went to bed at two in the morning watching UFC, it's Saturday and is the largest cold outside. At 3 o'clock, someone from your SOC calls and says it is monitoring intense activity and abnormal in your network, you are absolutely sure that there was a malware outbreak and that probably has been affected servers. You think, "PUTZ, had no time to happen?". It's time to call the CSIRT. All you curse, but the company arrive as scheduled and the battle begins.
First step: Understand what is going to plan CONTENTION. Your team needs to collect volatile data from multiple machines and analyze them in order to strategize. The affected machines are connected and can not be turned off (the data are volatile). What does your team is on hand to do this? A CD and a stick of Helix Caine, all in multiple copies, each has one. You guide the team and they set off for battle, starting with the most suitable machines, given the report of the SOC. It already 7am and CIO, which almost never supports its guidelines call begins with the famous "So?". Your team needs to collect data and analyze them quickly:
In one of the machines, put the CD with Helix, it immediately reboots;
Another machine has an older version of the OS, it runs several utilities and the entire collection is compromised;
Most of the team does not remember the commands and options head required. Many forget to capture the memory for the first and many even bring the result of netstat;
You hear a noise, an analyst was pounding the table, because the Antivirus does not stop no way he run some tools;
One of the machines has the famous blue screen after trying to run a program of the toolkit;
almost all the collection work goes down the drain because of an infected thumb drive returned. As the analyst was using Linux, there was no infection on your machine, but the results were collected reliable?
Have you lived it?? This is what happens in practice.
The above problems occur, all or in part, to each of toolkits currently available as free software tool. From what I have researched, the CAINE, HELIX and the DEFT go through these or other situations where they are due. Even COFEE, which does not fit the definition of free software (though it is freely licensed for police) goes through a lot of problems narrated above. It is precisely in this context that the project wants to get MUFFIN: a toolkit to be focused on incident response and does not have the same weaknesses and the same problems as those we reviewed.
To achieve this, MUFFIN will consist of three modules:
The MUFFIN stick, which is the toolkit itself;
The MUFFIN Baker, a tool that allows you to configure and generate the stick MUFFIN;
The MUFFIN Report, which will access the data generated / collected by MUFFIN stick.
Download : MUFFINv0.2.zip (68.0 MB)
MD 5 : MUFFINv0.2.zip.md5
Papers For Blackhat 2012 : OctaneLabs_MUFFIN MMA_BHack_2012.pdf
For more information : http://code.google.com/p/muffin-project/
0 comments:
Post a Comment