[Dailydave] Defeating what's next

Vitaly Osipov vitaly.osipov at gmail.com
Thu Jun 13 00:59:49 EDT 2013


… or, Ptolemaic model of the solar system of infosec.

Required reading: https://en.wikipedia.org/wiki/Deferent_and_epicycle

In all enterprise-y security courses they will teach you that there
are several components to defence processes:

10. If you can, try to prevent bad guys getting to you
20. If you cannot, try to detect an attempt to get in before it succeeds
30. If you cannot detect attempts, aim to detect whether you've been compromised
40. If you've been compromised, do incident response and clean up

(Imagine your enterprise assets are the Sun and those 4 items are planets)

When the reality demonstrates that the current approach to any of the
components is inadequate, it gets updated with "smarter" technology.

What this "smarter" technology comprises changes with time, but it
always goes through stages of

1. Signatures, then
2. Some sort of local behaviour analysis, then
3. Big data, then
4. Whatever the market fancies

(These are the epicycles in Ptolemy's system)

Examples:
- AV is stuck on line 20 with a few epicycles under its belt;
- IoC is line 30, only just at the beginning of its series of epicycles.

The main take-away here is that the defending side is, unfortunately,
retreating. Those "let's clean up compromises quicker" contests Spaf
was lamenting recently only illustrate this tendency further.
The other take-away is that I love lists…

Oh and if someone comes up with a Copernican concept of security,
please tell me. I have to be part of that.

Regards,
Vitaly


On Thu, Jun 13, 2013 at 12:10 AM, Dave Aitel <dave at immunityinc.com> wrote:
> Hackers spend a lot of time looking at what's coming down the technology
> road at them. In a sense, this business is about learning how to stare
> down the barrel of a gun and not blinking for decades at a time. When
> you blink, you end up a CISSP. Richer financially, but poorer in 0days,
> the only currency that matters to someone with your particular addiction.
>
> Terminology can reveal a lot, as can business strategies. I spent some
> time on the phone yesterday with a high level executive in the incident
> response industry, and he pooh-poohed Immunity's offensive skills, which
> made me focus on the industry for a while while watching Covert Affairs
> after the kids went to bed.
>
> First of all, here's what's next in the incident response world:
> "Indicators of Compromise". And when people say that, they right now
> mean MD5s, file names, registry addresses, DNS addresses, what addresses
> a trojan hooks, and that sort of thing. All of these things can be
> changed AT RUN TIME, by your better trojans.
>
> In other words, we have an industry focused highly on "indicators of
> compromise", whereas modern high-level attackers have leapfrogged the
> entire concept.  The only true indicator of compromise is "computer is
> doing something I probably didn't want it to do", and that's not
> something you can codify in XML.
>
> Something to think about. :>
>
> -dave
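To make the point in the quoted message concrete from the defender's side, here is an added example (it is not code from either post, nor from Immunity): a constructed indicator feed of the static kind the message lists (hash, file name, registry key, domain) is matched against three constructed telemetry records, alongside a rule that looks only at what the process does. The sample bytes, host names, key paths, domains and the `Event`, `indicator_matches` and `behaviour_matches` helpers are all assumptions made for this illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample bytes. The "mutated" variant is the same code with one
# byte appended, which is enough to change every hash-based indicator.
ORIGINAL_SAMPLE = b"constructed-sample-payload-v1"
MUTATED_SAMPLE = ORIGINAL_SAMPLE + b"\x00"

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"


def md5_hex(data: bytes) -> str:
    """MD5 is used here only because that is the indicator type the thread names."""
    return hashlib.md5(data).hexdigest()


# Constructed indicator feed: exact values observed on one victim.
IOC_FEED: Dict[str, set] = {
    "md5": {md5_hex(ORIGINAL_SAMPLE)},
    "filename": {"svchost32.exe"},
    "registry": {RUN_KEY + r"\Updater"},
    "domain": {"update-check.example"},
}


@dataclass
class Event:
    """One constructed endpoint telemetry record for a single process."""
    host: str
    process_md5: str
    process_name: str
    registry_writes: List[str]   # full key paths the process wrote
    dns_queries: List[str]       # names the process resolved
    hooks: List[str]             # API functions the process hooked


def indicator_matches(ev: Event) -> List[str]:
    """Static matching: fires only on the exact values in the feed."""
    hits = []
    if ev.process_md5 in IOC_FEED["md5"]:
        hits.append("md5")
    if ev.process_name in IOC_FEED["filename"]:
        hits.append("filename")
    if any(k in IOC_FEED["registry"] for k in ev.registry_writes):
        hits.append("registry")
    if any(d in IOC_FEED["domain"] for d in ev.dns_queries):
        hits.append("domain")
    return hits


def behaviour_matches(ev: Event) -> List[str]:
    """Behavioural matching: fires on what the process did, whatever it was called."""
    findings = []
    persists = any(k.startswith(RUN_KEY + "\\") for k in ev.registry_writes)
    talks_out = bool(ev.dns_queries)
    if persists and talks_out:
        findings.append("persistence via Run key plus outbound DNS from the same process")
    if ev.hooks:
        findings.append("process hooks API functions: " + ", ".join(ev.hooks))
    return findings


# Constructed telemetry: the original sample, a run-time-mutated copy of it,
# and a benign installer for comparison.
EVENTS = [
    Event("host-a", md5_hex(ORIGINAL_SAMPLE), "svchost32.exe",
          [RUN_KEY + r"\Updater"], ["update-check.example"], ["CreateProcessW"]),
    Event("host-b", md5_hex(MUTATED_SAMPLE), "wuauclt2.exe",
          [RUN_KEY + r"\HealthSvc"], ["cdn-metrics.example"], ["CreateProcessW"]),
    Event("host-c", md5_hex(b"benign-installer"), "setup.exe",
          [r"HKCU\Software\Vendor\Installed"], ["vendor.example"], []),
]


def triage(events: List[Event]) -> Dict[str, Dict[str, List[str]]]:
    """Run both matchers over every record and report per host."""
    return {
        ev.host: {
            "indicators": indicator_matches(ev),
            "behaviour": behaviour_matches(ev),
        }
        for ev in events
    }


if __name__ == "__main__":
    for host, result in triage(EVENTS).items():
        print(host, result)
```

Running it shows host-a lighting up every static indicator, host-b (same behaviour, every value changed) matching none of them while the behavioural rule still fires, and host-c triggering neither. The feed is not useless, since it catches the unmodified sample cheaply, but a detection programme that stops at exact values has no answer for the second host.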