MIRcon 2011 is fast approaching. I’ve been putting the finishing touches on my presentation and I hope it offers some ideas for dealing with infected hosts with Mandiant’s Intelligent Response and other tools you either already have deployed or can have for free. Well, free to you. They’re really paid for with the blood, sweat and tears of some of the brightest, most giving and caring professionals you’ll ever encounter in any field…and Mandiant gives away a bunch of very useful ones. Which is why I decided to present.
I likely wouldn’t be attending MIRcon this year if I weren’t presenting. Budgets are tight and I prefer not to be away from my family any more than I have to. I don’t have the technical ability or in-depth knowledge to create some of the incredible tools freely available to anyone who cares, like Redline, Web Historian, and the “blows my mind/how cool is that” Heap Inspector from Mandiant, or the LiveCD distributions like the SANS Investigate Forensic Toolkit (SIFT), Snorby/InstaSnorby, or Security Onion, to name only a few.
It’s often lamented that we, the defenders, don’t share enough, and to an extent it’s true. The attackers are sharing and trading tools and tactics in shady undergrounds, while the defenders are cloistered in their walls with minimal awareness of how the surrounding castles fare. Look at all the breaches that have happened this year. How many have resulted in details of exactly what happened, how it happened, what was lost and why it can happen to anyone? The more we understand attacker methodologies, the better we can prepare, detect and respond. We shouldn’t have to learn that lesson over and over again from company to company, living Madonna’s “Like a Virgin” each time it happens to an organization. Cybercrime is a war…it helps if allies actually talk and share.
But where the security community has proven to be a shining example of sharing is in the tools market. For most commercial detection and prevention tools there are freely available alternatives. They may not be for the weak or squeamish or be easy to find, but they’re effective, can do the job and are getting better and easier to use every year. These tools enable professionals like me. They allow me to go deeper and further than I may have without them. They make me better at security. They make me smarter than I am. They make me want to try to give something back. Like this blog. Like presenting at MIRcon.
I’m not a fan of public speaking, mostly due to nerves and not enough experience/comfort doing it. But my incredible wife constantly reminds me with her words and actions how important it is that we give back. That we share what we do have or know or create if it can help someone else through a struggle or to overcome a problem. So I’ll take the butterflies and try to overcome the awe and wonder of speaking at a conference where the likes of Richard A. Clarke and Michael Chertoff are keynoting. It’s more than worth it to try and give something back, even if it’s just a little.
To anyone who has given something of themselves for the betterment of security, thank you. I’m looking forward to being able to thank some people in person for their efforts at MIRcon.