Why Lists?

So much of what we see in cybersecurity, in SOC, DFIR, red teaming/ethical hacking/pen testing, seems to be predicated on lists. Lists of tools, lists of books, lists of sites with courses, lists of free courses, etc. CD-based distros are the same way, regardless of whether they’re meant for red- or blue-team efforts; the driving factor behind them is often the list of tools embedded within the distribution. For example, the Kali Linux site says that it has “All the tools you need”. If you go to the SANS SIFT Workstation site, you’ll see the description that includes, “…a collection of free and open-source incident response and forensic tools.” Here’s a Github site that lists “blue team tools”…but that’s it, just a list.

Okay, so what’s up with lists, you ask? What’s the “so, what?” 
Lists are great…they often show us new tools that we hadn’t seen or heard about, possibly tools that might be more effective or efficient for us and our workflows. Maybe a data source has been updated and there’s a tool that addresses that new format, or maybe you’ve run across a case that includes the use of a different web browser, and there’s a tool that parses the history for you. So, having lists is good, and familiar…because that’s the way we’ve always done it, right? A lot of folks developing these lists came into the industry themselves at one point, looked around, and saw others posting lists. As such, the general consensus seems to be, “share lists”…either share a list you found, or share a list you’ve added to.
Lists, particularly checklists, can be useful. They can ensure that we don’t forget something that’s part of a necessary process, and if we intentionally and purposely manage and maintain that checklist, it can be our documentation; rather than writing out each step in our checklist as part of our case notes/documentation, we can just say, “…followed/completed the checklist version xx.xx, as of Y date…”, noting any discrepancies or places we diverged. The value of a checklist depends upon how it’s used…if it’s downloaded and used because it’s “cool”, and it’s not managed and never updated, then it’s pretty useless.
Are lists enough?
I recently ran across

[…]

This article has been indexed from Windows Incident Response
