Monday, December 19, 2011

Tools and News

So first an announcement. At the beginning of December (or close to that) I left my previous position and went back to KoreLogic Security, where I will be working to start up their malware services group, amongst other things. While I am definitely missing my old co-workers, this is a good move for me. Look for some interesting posts here.

A few weeks ago I tweeted: Want to find out how good someone is? Take away all their tools and say, "Now do it." I wanted to expand upon that because I got into a good discussion with @jwgoerlich and @rogueclown concerning it, and it's hard to really explain what you mean in 140 characters or less.

A few years ago, Harlan Carvey posted about "Nintendo forensics". This was a statement that the forensic industry was becoming more "point and click" and analysts were understanding less and less of what the tools were doing. While some signs point to this becoming less prevalent, I believe there are still niches in security where this is either in full force or starting to become more so.

Fast forward to the present. In the last few weeks I've been building my new work computer while analyzing malware as I get the time. Unfortunately, I do not have all the tools I am used to since I'm waiting for things to be purchased, arrive, etc. This got me thinking - how much do I rely on tools? Could I perform the analysis I needed using only what I know?

Now I realize that in information security, or IT in general, it's almost impossible to do anything without having tools. That's not my point - I'm not suggesting that we take away everyone's tools and tell them to analyze malware or perform a pen-test with nothing but a blank OS. Is it possible? I'm sure it is. Would anyone want to? Hell no!

My point was that you never really know how good you are until you are faced with a situation where you are taken out of your comfort zone and have to rely upon your knowledge and the tools available to you at the moment. I don't always have access to a commercial version of IDA Pro. Does that mean I can't disassemble malware and analyze it? No - I just need to be flexible, use tools that I'm not as used to, and use my brain just a little bit more.

I think it's a useful exercise in anyone's career to do this. Imagine for a moment that you didn't have the tool(s) you use most in your job - how would you perform your job? What alternatives are available to you, and how familiar are you with them? I'm as guilty as anyone else of relying upon specific tools, but this little exercise has helped me look and see where my weak areas are and how I can supplement them.

Perhaps I should have instead tweeted "Want to find out how good you are? Take away all your tools and say, 'Now do it.'" That seems to fit my point better.