Incident response (IR) is hard. I know this because I said "damn, this is hard" the first time I sat down to conduct proper IR using Console, the investigator client for the MANDIANT Intelligent Response appliance. Since then, I have learned a lot about incident response, memory and disk forensics, hooking and other technical details. I have also learned that very few customers have the resources to fund an internal army of security experts that have lived and breathed IR since the time of Morris. Training and work experience will eventually bring security staff up to speed, but they can only work so long before they require inconvenient things such as food, sleep and watching viral videos from Auto-Tune the News. So how can an organization enhance its IR game when it only has a small number of security staff, with maybe one or two ninjas?
Solution: MIR 2.0. It has a clock AND Reversi!
MANDIANT understands the challenges involved in IR and the need for good tools that can be both effective and easy to use. The MIR 2.0 upgrade carries with it two significant additions on top of the usual product enhancements, such as performance improvements and more Agent audits, specifically Windows XP Restore Point analysis and a new persistent mechanism audit. This covers roughly 80% of the techniques used for maintaining persistence that we have seen over the last seven years.
First, MCIC comes bundled with the 2.0 update. MCIC is the new web interface for the Controller that allows users to configure and launch sweeps for Indicators of Compromise (IOCs) across the enterprise. No software install is required for this; just point your browser at the Controller and you're good to go. MCIC does a fantastic job of streamlining the sweep configuration workflow: the user selects which IOCs he or she wants to scan for, and MCIC will automatically configure the sweep to use the correct audit modules with the proper settings. This latter addition is immensely useful, as it will enable novice users that might not know anything about the Console to launch full-scale sweeps without mucking up the settings ("What's that? You mean you didn't want file and memory strings?") MCIC also carries the added benefit of automatically restarting sweeps on hosts that have failed while the sweep is in progress. That's right, you no longer have to keep a constant eye on those mobile users that keep disconnecting halfway through an audit; MCIC will take care of them for you.
The second addition is Redline. This is some seriously cool stuff. Redline is the successor to Audit Viewer, but it goes far beyond just adding a pretty GUI to a useful but otherwise bland-looking tool. Redline wraps the capabilities of Memoryze (our live memory analysis engine) in a workflow that captures what MANDIANT's experienced consultants do every day as they respond to incidents around the world.
Normally the task of conducting live memory forensics falls to only the most experienced IR experts, but now organizations can leverage their entry- and intermediate-level security staff for this work. Redline guides users through analyzing live memory via a series of wizard-like steps; these guided steps allow the user see the IR process from a MANDIANT consultant's viewpoint.
Regardless of experience level, Redline will make investigative work faster with its Malware Rating Index (MRI). This unique system highlights suspect processes based on a number of factors, such as frequency of occurrence and process path, user and handle verification.
Check out more details about Redline on mandiant.com.
You can also get treated to a live demo at CEIC in Orlando, May 15-18, 2011.