Saturday, December 3, 2011

Practical shoe string security

Have you ever read an article by someone claiming what should be done, or chastising others' security, who has never run a whole company? Well, I am going to discuss the methods that worked for me. Did I run a whole company? Yes, from the routers to A/V, servers to workstations, and IDS to HIDS. The environment was a mix of Linux and Windows along with an AS/400, which I was one of the programmers on. It sounds like a lot for a single person to maintain for a 200 person company, but with a practical understanding of what you need you can manage this. To help make this understandable I will break this up into sections like a book.

1.) Logging (collecting and a
2.) Antivirus
3.) IDS / HIDS
4.) Email and malware analysis
5.) Remote management
6.) Troubleshooting

I am sure that I will talk about lots of other relevant topics and will edit this page as it all progresses.

Sunday, November 20, 2011

Offensive Live Response

I haven't posted on this site much since I really haven't been working on the defensive operations side of things, but doing red team activities. Even though I've been doing red teaming I still think in terms of defense. In all honesty, I believe they go hand in hand due to the fact that you need to understand how defensive measures are working in order to subvert them. Running Snort sensors for 12 years has helped me gain a pretty solid understanding, and some of the faults also. Lately, I have been working engagements and thinking of ways to provide an additional benefit other than "your security isn't up to par". This leads me to offensive live response and offensive forensics.

Let me give a little theory behind this. As a red team member we are focused heavily on adversary simulation along with exploitation. This leads me to a question: what happens when you are doing work for a business that does not have the visibility that you have? You yourself gain that visibility. Let me ask another question. As a pentester or red team member, do you ever look for signs of other compromise when on a remote system? The truth is that I don't believe many actually think about doing this, when in fact they could be walking on top of the footsteps of previous threats. What? Really? Yes, I hate to rain on the parade, but there are groups of people that are smarter or have a wider set of resources that can compromise a system. Worse yet, what if this compromise happens to be APT related? So with this, I propose the idea of doing offensive live response on any of the systems that are compromised and having the appropriate groups look at it. If your company doesn't have a group that has live response scripts, it really wouldn't be that hard to do with just a simple autoruns collection or possibly process memory dumping. The whole idea would be to just provide enough visibility on a compromised system without setting off alarms that you are there working or interrupting the service on that workstation/server.