Last month I had promised some commenters and readers I would publish some of my blacklists when I got home. In my defence I’m still not home, but I organised some of my blacklists and other resources anyway. The list published below is a small collection from people I have met (CL merci) who have shared their lists with me. Chris’ list is not a comprehensive list but a good starting point for organising, with examples. The document can be easily changed around for you or your organisation.
The list can be a basis for scraping data into ArcSight via a Flex Connector to update suspect or blacklists (active lists, metrics for reports, trends). They can also be used with built-in tools for ArcSight or similar with a small amount of scripting. ArcSight has a built-in WhoIs search tool; using similar parameters you can build a Google Safe Search Diagnostics tool based on IP or domain, or perhaps search VirusTotal. The information can also be added to intelligent web proxy servers. This is ideal since about 80% of traffic now goes over web HTTP/HTTPS. Web proxy servers are a major egress point in the perimeter.
This type of list can be helpful in operations when analysts need to find, use and reference resources quickly. The list can be used to build a department favourites list/internet based tools list. Also, many times information security websites will be marked and filtered by web proxy servers or anti-virus software. For example, I spoke at the 28C3 CCC last year and my anti-virus was Comodo on my laptop. The anti-virus software blocked the 28C3 CCC and affiliated Chaos Computer Club websites even after I disabled the DNS feature, physically pointed my DNS elsewhere and examined my hosts file. I had to reinstall a fresh OS to access the Chaos Computer Club websites. This type of list can be used to add exclusions to anti-virus or filters as legitimate resources for the security team or other similar departments.
Screenshot of example form below.
If you need this form in a different format please ask and I will try to accommodate for Open Office.
Please add to the form and comment. My list is Europe and North American centric, we would love other regional lists. Any other associated information is welcome.
Organising, testing and keeping your tools updated. This is especially important if you collect any digital evidence which might be used in a civil or criminal process.
Currently I am taking the SANS Self Study course SANS 504 Hackers, Exploits and Techniques. The topic of tools came up on Day 1 with a focus on the following:
- Organise your tools before an incident occurs
- Test your tools
- Keep your tools updated
- Ensure tool integrity with Hash Codes
It got me thinking about organising my own toolset much more formally. I didn’t readily find templates on-line so I created my own and began working on my toolset. It might sound a little boring or digital-based OCD but I think it will be highly useful nonetheless. Besides, I am tired of switching from one system to the next, forgetting to copy something and losing access to some tool, or trying to open a tool when I really need it only to find it doesn’t work.
I went through my tools and organised them into one location which is backed up, and performed the following steps:
- Checked the versions in my toolset against the most current version and updated as applicable
- Recorded via hyperlink the website locations and/or download location
- Verified the hash codes from the vendor if applicable or made my own if trusted
- Verified the tool worked
- Recorded the date added into the toolset (after verifying the tool worked)
- Recorded the tool release date
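As an added illustration of the inventory steps above (not code from the original post or from SANS), here is a small Python script that keeps the same fields the list records (name, version, download URL, release date, date added, SHA-256), computes its own hash when a tool is first trusted, and re-verifies every recorded hash on demand so a missing or silently modified tool archive is reported before an incident rather than during one. The inventory rows, file names and `example.invalid` URLs are constructed placeholders, and the `demo()` function writes throwaway stand-in archives into a temporary directory.

```python
import csv
import hashlib
import io
import os
import tempfile
from datetime import date

# Constructed inventory in the spirit of the post's tools list: one row per tool.
# Names, versions and URLs are placeholders, not real releases.
INVENTORY_CSV = """name,version,download_url,release_date,date_added,sha256
exampletool,1.2.0,https://example.invalid/exampletool-1.2.0.zip,2012-01-10,,
othertool,0.9,https://example.invalid/othertool-0.9.tar.gz,2011-11-05,,
"""


def sha256_of_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large tool archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def load_inventory(csv_text):
    """Parse the CSV inventory into a list of row dicts (empty hash = not yet recorded)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def _archive_path(row, tool_dir):
    # The local copy is kept under the file name from the download URL.
    return os.path.join(tool_dir, os.path.basename(row["download_url"]))


def record_hash(row, tool_dir, today=None):
    """Make our own hash for a tool we have decided to trust, and stamp the date
    it was added (the post records the date only after the tool was verified)."""
    row["sha256"] = sha256_of_file(_archive_path(row, tool_dir))
    row["date_added"] = (today or date.today()).isoformat()
    return row


def verify_inventory(rows, tool_dir):
    """Re-check every recorded hash against the file on disk.
    Returns {name: 'ok' | 'mismatch' | 'missing' | 'unrecorded'}."""
    results = {}
    for row in rows:
        path = _archive_path(row, tool_dir)
        if not row["sha256"]:
            results[row["name"]] = "unrecorded"
        elif not os.path.exists(path):
            results[row["name"]] = "missing"
        elif sha256_of_file(path) != row["sha256"]:
            results[row["name"]] = "mismatch"
        else:
            results[row["name"]] = "ok"
    return results


def demo():
    """Build a throwaway toolset, record hashes, then tamper with one archive.
    Returns the verification results before and after the tampering."""
    with tempfile.TemporaryDirectory() as tool_dir:
        # Constructed stand-ins for downloaded tool archives.
        with open(os.path.join(tool_dir, "exampletool-1.2.0.zip"), "wb") as f:
            f.write(b"exampletool archive contents")
        with open(os.path.join(tool_dir, "othertool-0.9.tar.gz"), "wb") as f:
            f.write(b"othertool archive contents")

        rows = load_inventory(INVENTORY_CSV)
        for row in rows:
            record_hash(row, tool_dir, today=date(2012, 2, 1))
        before = verify_inventory(rows, tool_dir)

        # Simulate a modified archive, the case the hash check exists to catch.
        with open(os.path.join(tool_dir, "othertool-0.9.tar.gz"), "ab") as f:
            f.write(b" unexpected change")
        after = verify_inventory(rows, tool_dir)
        return before, after


if __name__ == "__main__":
    print(demo())
```

In practice the `sha256` column would hold the vendor's published hash where one exists, and `record_hash` would only be used for tools whose hash you generate yourself after verifying they work; running `verify_inventory` against the backed-up toolset before each engagement gives the "ensure tool integrity with hash codes" check from the course a concrete form.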
Example Security Software Tools List
I have uploaded a two-page tools list which lists some of the tools I personally use:
I also uploaded a completely blank Security Software Tools List template which you can download and customise for you or your organisation:
Please feel free to post any comments, questions or ideas!