As demonstrated in the recent iframe attacks, a lot of people knew that something was going on. The challenge is how to collect all of that information and present it in a way that the community finds useful.
The first step in making information useful is to identify your target audience. For today’s example our target audience is going to be system and network administrators (since this is for SANS, that is a logical choice; other potential target audiences would be IT management or security researchers).
Now that the audience is defined, it’s time to collect the questions they really need answered when there is an ongoing malware campaign. What do network and system administrators need to know?
I hope to keep these questions in mind when writing up alerts for the Handler’s diary. Once I have Actionable as a repeatable process, I’ll work more on Timely.
Mar 15th 2008