Home
Incident response is the handling of, and response to, a computer-security-related event.
Every company that has had a compromise has to deal with the incident. Most companies do not even have policies or procedures for dealing with one; others have extensive ones, with dedicated IRTs (Incident Response Teams), often under the Security Department. An Incident Response Toolkit is simply the set of tools you are allowed to use during the response period. The problem is that many IRTKs (Incident Response Tool Kits) have one of two major flaws. The first is an IRTK that tries to fix problems for you rather than report the "problems" it found and let the IT professional make an intelligent decision; this can have disastrous effects and can worsen the situation. The second is a data-gathering and reporting tool that is too robust and bloated to use effectively: if someone from your IRT has to sit and wait 6+ hours for it, that is an ineffective use of time. As a result, organizations tend to rely on either manual work or a set of custom scripts to accomplish their goals.
Now that you understand the pain point and the common solutions, I will explain why mine is different. First, I am taking the second approach, information gathering and reporting, as my base concept. As a Linux sysadmin I truly believe in a minimalistic and highly customizable approach: if it is not easy to customize, it will not be used. While many IT people are comfortable with their 'script fu', many IT professionals do not have a solid CS background and it intimidates them. As a result I am building the toolkit so that it will not scare those IT professionals away. The following features will ease their minds and let them feel comfortable using the IRTK:
- Open Source (full source code and 100% free)
- No compilation
- Native OS languages (bash on Linux, bat on Windows)
- Zero Footprint (no installation required, standalone)
- High Level of Customization, easily add your own data to collect or comment out data you are not interested in.
- Separate tools for separate jobs (live capture/dead capture, Windows/Linux)
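The following script is an added example, not the project's own code, showing what a live-capture collector built on the principles above looks like: a single uninstalled shell script, no compilation, report-only (it never changes anything on the host), and a collector list where each entry is one line that can be commented out or extended. The collector labels, the `label|command` list format, the report layout (one text file per collector plus a MANIFEST and a SHA256SUMS file) and the `IRTK_REPORT_DIR` variable are all assumptions made for this example; a missing tool on the host is recorded in the report rather than aborting the run.

```bash
#!/usr/bin/env bash
# Added example (not the project's own script): a minimal live-capture
# collector in the spirit of the toolkit described on this page. It only
# gathers and reports; it never changes system state. Collector names,
# the report layout and the IRTK_REPORT_DIR variable are assumptions.

# One collector per line, "label|command". Comment out a line with '#' to
# skip it, or append a line to add your own. Every command is read-only.
COLLECTORS='
system_identity|uname -a; hostname; date -u
logged_in_users|who 2>/dev/null; w 2>/dev/null
process_list|ps -eo pid,ppid,user,lstart,cmd 2>/dev/null || ps aux
listening_sockets|ss -tulpn 2>/dev/null || netstat -tulpn 2>/dev/null
recent_logins|last -n 20 2>/dev/null
cron_jobs|cat /etc/crontab 2>/dev/null; ls -l /etc/cron.* 2>/dev/null
mounted_filesystems|mount
#package_list|dpkg -l 2>/dev/null || rpm -qa 2>/dev/null
'

# enabled_collectors: prints the active "label|command" lines (comments and
# blank lines dropped). Both the run loop and the summary count use it.
enabled_collectors() {
  printf '%s\n' "$COLLECTORS" | grep -v '^[[:space:]]*#' | grep '|'
}

# collector_count: number of enabled collectors.
collector_count() { enabled_collectors | grep -c '|'; }

# hash_file FILE: SHA-256 of FILE with whichever tool the host has.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
  elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1"
  else echo "sha256 tool unavailable  $1"; fi
}

# run_collector LABEL COMMAND REPORT_DIR: runs one collector in a subshell,
# capturing stdout and stderr to REPORT_DIR/LABEL.txt. A missing or failing
# command is noted inside the file instead of stopping the whole run, so the
# analyst can still see what could not be collected. Prints the output path.
run_collector() {
  local label="$1" cmd="$2" dir="$3" out
  out="$dir/$label.txt"
  {
    echo "# collector: $label"
    echo "# command:   $cmd"
    echo "# started:   $(date -u +%Y-%m-%dT%H:%M:%SZ)"
  } >"$out"
  ( eval "$cmd" ) >>"$out" 2>&1 \
    || echo "# collector exited with status $? (tool missing or failed)" >>"$out"
  echo "$out"
}

# collect_all REPORT_DIR: runs every enabled collector, writes a MANIFEST of
# the files produced and a SHA256SUMS list so the report can later be shown
# to be unaltered. Prints the report directory.
collect_all() {
  local dir="$1"
  mkdir -p "$dir"
  enabled_collectors | while IFS='|' read -r label cmd; do
    run_collector "$label" "$cmd" "$dir"
  done >"$dir/MANIFEST"
  ( cd "$dir" && for f in *.txt; do hash_file "$f"; done ) >"$dir/SHA256SUMS"
  printf '%s\n' "$dir"
}

# Stand-alone use:  bash irtk-live.sh [report-dir]
# (guarded by script name so the functions can also be sourced by a test)
case "${0##*/}" in
  irtk-live.sh)
    report="$(collect_all "${1:-${IRTK_REPORT_DIR:-./irtk-report-$(date -u +%Y%m%dT%H%M%SZ)}}")"
    echo "wrote $(collector_count) collector outputs to $report"
    ;;
esac
```

Save it as `irtk-live.sh` and run it with an optional report directory; the MANIFEST and SHA256SUMS files give the analyst a record of what was collected and a way to show the report has not been altered since capture. The script uses only POSIX shell features so it also runs under `sh` on minimal systems.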