[Dailydave] Defeating what's next
Moses
moses at moses.io
Thu Jun 13 17:39:53 EDT 2013
Indicators of Compromise or more appropriately those that are Open
Indicators of Compromise. We have had many proprietary solutions that
used 'signature based' indicators for a quite a long time. Some of them
you never could run in an open or customizable fashion like A/V. Can't
have their secret sauce all over the preverbal industry. Others that you
could run in an open fashion on an infrastructure, like Snort, were used
because they are available. Give the unwashed masses something, right?
This whole open IOC thing is an interesting uncovering of that kimono,
and the emperor... still not naked. What really has happened is
opportunity finally met demand in this particular area. We had a sector
of the educated individuals that were tired of sheepily running
proprietary black box software to attempt to find evidence of
intrusions, improper system behavior, whatever. There were enough
reversers now that had data which could be fed...no where. Really? To
what a SIEM? A vulnerability scanner? Hey scan memory for this. Nope.
The masses wanted to get debug level access to their OS so that they
could mine the filesystem, memory spaces, and the network in a targeted
manner. At scale. In the Amazon, or Joyen Cloud, or whatever. Sorry a
little bit of hipster came out of that.
It's almost as if the defense type individuals wanted to bring
themselves to the mid 2000's without all the fancy automation and DevOps
and stuff.
Now, Is it fitting to use an XML object to hunt for things? Only as
fitting as it would be to use a relational database to mine for
relationships. But these of course are ships in the night. At the end of
the day we only can arrive at a half circle. We feed these standalone
silo'd tools, which run with 'open source databases' that no one updates
or feeds, indications that something may be a miss in the hopes of
finding something, anything. While we struggle and spend our time
looking at artifacts on systems, we are silently and quietly are being
pillaged. The raping happened earlier, see above. How do we arrive that
something was a miss to begin with. Was it the unusual upload of data,
'exfil', which is just amateur hour? Even if we did arrive at the
conclusion that something was wrong, by the time you noticed, it was far
to late to stop them from stealing that uber-highly classified Microsoft
Slideware.
At a minimum I fancy these Open IOC's, you know because they are open
and sharing is caring in this case. The challenge is no one really is
sharing this intelligence in a free and open way. Its awesome that we
have a nice Object Model and framework, but only those that can afford
the database will gain the most from it at the moment. Most of those
that have internal IOC's aren't probably allowed to share them anyway,
because they can't. Maybe one day someone will build a WikiLeaks for
IOC's so that those without the means can have a database to run on
their internal system. Until then....
Here are my indicators of Compromise:
Logical, those that are of OS and Network, the processes, threads,
handles, dll's, open files, hashes, artifacts, and mutex's of tools and
components that are unusual. On the network, statistics help, but things
can lie. We know that all of this can be changed, modified and codified
to be different, so we decide to score this information maybe lower or
higher than other pieces of data. Physical, the news paper articles, SEC
filings, and increased chatter amongst people. Those that need to be
rationalized, normalized, and scored. I am sure that patterns exist
between these worlds but no one has yet to create the right experiments
to maybe find them. Social, the leaks, the talk, the data around who is
who and what is what. This may just be a big data conversation, there is
no object model for this one yet, not an open one.
I do have one confession admit, however, somewhere in the haze between
high school, fast cars, the 90's, flannel, and the ability to resist
high school habits as an adult; I must have blinked. I am recovering
now, but i'll never be cured, just one day at a time I supposed.
@mosesrenegade
> Dave Aitel <mailto:dave at immunityinc.com>
> June 12, 2013 10:10 AM
> Hackers spend a lot of time looking at what's coming down the technology
> road at them. In a sense, this business is about learning how to stare
> down the barrel of a gun and not blinking for decades at a time. When
> you blink, you end up a CISSP. Richer financially, but poorer in 0days,
> the only currency that matters to someone with your particular addiction.
>
> Terminology can reveal a lot, as can business strategies. I spent some
> time on the phone yesterday with a high level executive in the incident
> response industry, and he poo-pooed Immunity's offensive skills, which
> made me focus on the industry for a while while watching Covert Affairs
> after the kids went to bed.
>
> First of all, here's what's next in the incident response world:
> "Indicators of Compromise". And when people say that, they right now
> mean MD5s, file names, registry addresses, dns addresses, what addresses
> a trojan hooks, and that sort of thing. All of these things can be
> changed AT RUN TIME, by your better trojans.
>
> In other words, we have an industry focused highly on "indicators of
> compromise", whereas modern high-level attackers have leapfrogged the
> entire concept. The only true indicator of compromise is "computer is
> doing something I probably didn't want it to do", and that's not
> something you can codify in XML.
>
> Something to think about. :>
>
> -dave
>
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20130613/8989ca90/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: compose-unknown-contact.jpg
Type: image/jpeg
Size: 770 bytes
Desc: not available
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20130613/8989ca90/attachment.jpg>
More information about the Dailydave
mailing list