[Dailydave] Defeating what's next

Dave Aitel dave at immunityinc.com
Wed Jun 12 10:10:05 EDT 2013


Hackers spend a lot of time looking at what's coming down the technology
road at them. In a sense, this business is about learning how to stare
down the barrel of a gun and not blinking for decades at a time. When
you blink, you end up a CISSP. Richer financially, but poorer in 0days,
the only currency that matters to someone with your particular addiction.

Terminology can reveal a lot, as can business strategies. I spent some
time on the phone yesterday with a high level executive in the incident
response industry, and he pooh-poohed Immunity's offensive skills, which
made me focus on the industry for a while while watching Covert Affairs
after the kids went to bed.

First of all, here's what's next in the incident response world:
"Indicators of Compromise". And when people say that, they right now
mean MD5s, file names, registry addresses, dns addresses, what addresses
a trojan hooks, and that sort of thing. All of these things can be
changed AT RUN TIME, by your better trojans.

In other words, we have an industry focused highly on "indicators of
compromise", whereas modern high-level attackers have leapfrogged the
entire concept.  The only true indicator of compromise is "computer is
doing something I probably didn't want it to do", and that's not
something you can codify in XML.

Something to think about. :>

-dave
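The contrast the post draws between static indicators and "the computer is doing something I didn't want it to do" can be shown in code. The following is an added example, not part of Dave's post: it matches a record of a process against a feed of exactly the indicator types he lists (MD5, file name, registry key, DNS name, hooked function), then runs the same record through a small behavioural rule. The implant, its run-time-mutated variant, the benign updater, the IOC values and the rule itself are all constructed for illustration; none of them describe a real sample or a real product's logic.

```python
# Added example, not from the original post: static IOC matching beside a
# behaviour-based rule. All sample data and indicator values are constructed.
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class ProcessRecord:
    """What an endpoint agent might record about one running process."""
    file_name: str
    image: bytes                     # bytes actually loaded in memory
    registry_writes: List[str] = field(default_factory=list)
    dns_queries: List[str] = field(default_factory=list)
    hooked_apis: List[str] = field(default_factory=list)

    def md5(self) -> str:
        return hashlib.md5(self.image).hexdigest()


# A static IOC feed of the kind the post describes. Every value is made up.
KNOWN_IOCS: Dict[str, Set[str]] = {
    "md5": {hashlib.md5(b"implant build 1").hexdigest()},
    "file_name": {"svchosts.exe"},
    "registry_key": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    "dns": {"update.c2-example.test"},
    "hooked_api": {"ntdll!NtCreateThreadEx"},
}


def match_iocs(proc: ProcessRecord, iocs: Dict[str, Set[str]]) -> Set[str]:
    """Return the IOC categories whose exact values appear in the record."""
    hits: Set[str] = set()
    if proc.md5() in iocs["md5"]:
        hits.add("md5")
    if proc.file_name.lower() in {n.lower() for n in iocs["file_name"]}:
        hits.add("file_name")
    if set(proc.registry_writes) & iocs["registry_key"]:
        hits.add("registry_key")
    if set(proc.dns_queries) & iocs["dns"]:
        hits.add("dns")
    if set(proc.hooked_apis) & iocs["hooked_api"]:
        hits.add("hooked_api")
    return hits


def is_suspicious(proc: ProcessRecord) -> bool:
    """Behavioural rule (hypothetical): flag the combination of persistence
    through any Run key, outbound name resolution, and in-process API hooking,
    without caring which specific key, domain or function is involved."""
    persists = any("\\CurrentVersion\\Run\\" in k for k in proc.registry_writes)
    beacons = bool(proc.dns_queries)
    hooks = bool(proc.hooked_apis)
    return persists and beacons and hooks


# Constructed sample 1: the implant exactly as it appeared in the IOC feed.
known_implant = ProcessRecord(
    file_name="svchosts.exe",
    image=b"implant build 1",
    registry_writes=[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"],
    dns_queries=["update.c2-example.test"],
    hooked_apis=["ntdll!NtCreateThreadEx"],
)

# Constructed sample 2: the same implant after changing every static
# indicator at run time (new padding changes the hash; new name, key,
# domain and hooked function). Its behaviour is unchanged.
mutated_implant = ProcessRecord(
    file_name="wuauclt.exe",
    image=b"implant build 1" + b"\x90" * 16,
    registry_writes=[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Health"],
    dns_queries=["cdn.other-example.test"],
    hooked_apis=["kernel32!CreateRemoteThread"],
)

# Constructed sample 3: a benign updater that persists and resolves names
# but hooks nothing, so the behavioural rule should leave it alone.
benign_updater = ProcessRecord(
    file_name="vendor-updater.exe",
    image=b"vendor updater",
    registry_writes=[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Vendor"],
    dns_queries=["updates.vendor-example.test"],
)


def summarize() -> Dict[str, Dict[str, object]]:
    """Run both detections over the three constructed samples."""
    samples = {"known": known_implant, "mutated": mutated_implant, "benign": benign_updater}
    return {
        name: {"ioc_hits": match_iocs(p, KNOWN_IOCS), "behavioural": is_suspicious(p)}
        for name, p in samples.items()
    }


if __name__ == "__main__":
    for name, result in summarize().items():
        print(name, result)
```

Running it, the known build lights up every indicator category, the mutated build matches nothing in the feed, and the behavioural rule flags both implants while ignoring the benign updater. The rule is deliberately crude; the point is only that it keys on what the process does rather than on values the implant controls.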

