[Dailydave] Defeating what's next

Moses moses at moses.io
Thu Jun 13 17:39:53 EDT 2013


Indicators of Compromise or more appropriately those that are Open 
Indicators of Compromise. We have had many proprietary solutions that 
used 'signature based' indicators for a quite a long time. Some of them 
you never could run in an open or customizable fashion like A/V. Can't 
have their secret sauce all over the preverbal industry. Others that you 
could run in an open fashion on an infrastructure, like Snort, were used 
because they are available. Give the unwashed masses something, right?

This whole open IOC thing is an interesting uncovering of that kimono, 
and the emperor... still not naked. What really has happened is 
opportunity finally met demand in this particular area. We had a sector 
of the educated individuals that were tired of sheepily running 
proprietary black box software to attempt to find evidence of 
intrusions, improper system behavior, whatever. There were enough 
reversers now that had data which could be fed...no where. Really? To 
what a SIEM? A vulnerability scanner? Hey scan memory for this. Nope. 
The masses wanted to get debug level access to their OS so that they 
could mine the filesystem, memory spaces, and the network in a targeted 
manner. At scale. In the Amazon, or Joyen Cloud, or whatever. Sorry a 
little bit of hipster came out of that.

It's almost as if the defense type individuals wanted to bring 
themselves to the mid 2000's without all the fancy automation and DevOps 
and stuff.

Now, Is it fitting to use an XML object to hunt for things? Only as 
fitting as it would be to use a relational database to mine for 
relationships. But these of course are ships in the night. At the end of 
the day we only can arrive at a half circle. We feed these standalone 
silo'd tools, which run with 'open source databases' that no one updates 
or feeds, indications that something may be a miss in the hopes of 
finding something, anything. While we struggle and spend our time 
looking at artifacts on systems, we are silently and quietly are being 
pillaged. The raping happened earlier, see above. How do we arrive that 
something was a miss to begin with. Was it the unusual upload of data, 
'exfil', which is just amateur hour? Even if we did arrive at the 
conclusion that something was wrong, by the time you noticed, it was far 
to late to stop them from stealing that uber-highly classified Microsoft 
Slideware.

At a minimum I fancy these Open IOC's, you know because they are open 
and sharing is caring in this case. The challenge is no one really is 
sharing this intelligence in a free and open way. Its awesome that we 
have a nice Object Model and framework, but only those that can afford 
the database will gain the most from it at the moment. Most of those 
that have internal IOC's aren't probably allowed to share them anyway, 
because they can't. Maybe one day someone will build a WikiLeaks for 
IOC's so that those without the means can have a database to run on 
their internal system. Until then....

Here are my indicators of Compromise:

Logical, those that are of OS and Network, the processes, threads, 
handles, dll's, open files, hashes, artifacts, and mutex's of tools and 
components that are unusual. On the network, statistics help, but things 
can lie. We know that all of this can be changed, modified and codified 
to be different, so we decide to score this information maybe lower or 
higher than other pieces of data. Physical, the news paper articles, SEC 
filings, and increased chatter amongst people. Those that need to be 
rationalized, normalized, and scored. I am sure that patterns exist 
between these worlds but no one has yet to create the right experiments 
to maybe find them. Social, the leaks, the talk, the data around who is 
who and what is what. This may just be a big data conversation, there is 
no object model for this one yet, not an open one.

I do have one confession admit, however, somewhere in the haze between 
high school, fast cars, the 90's, flannel, and the ability to resist 
high school habits as an adult; I must have blinked. I am recovering 
now, but i'll never be cured, just one day at a time I supposed.

@mosesrenegade

> Dave Aitel <mailto:dave at immunityinc.com>
> June 12, 2013 10:10 AM
> Hackers spend a lot of time looking at what's coming down the technology
> road at them. In a sense, this business is about learning how to stare
> down the barrel of a gun and not blinking for decades at a time. When
> you blink, you end up a CISSP. Richer financially, but poorer in 0days,
> the only currency that matters to someone with your particular addiction.
>
> Terminology can reveal a lot, as can business strategies. I spent some
> time on the phone yesterday with a high level executive in the incident
> response industry, and he poo-pooed Immunity's offensive skills, which
> made me focus on the industry for a while while watching Covert Affairs
> after the kids went to bed.
>
> First of all, here's what's next in the incident response world:
> "Indicators of Compromise". And when people say that, they right now
> mean MD5s, file names, registry addresses, dns addresses, what addresses
> a trojan hooks, and that sort of thing. All of these things can be
> changed AT RUN TIME, by your better trojans.
>
> In other words, we have an industry focused highly on "indicators of
> compromise", whereas modern high-level attackers have leapfrogged the
> entire concept. The only true indicator of compromise is "computer is
> doing something I probably didn't want it to do", and that's not
> something you can codify in XML.
>
> Something to think about. :>
>
> -dave
>
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20130613/8989ca90/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: compose-unknown-contact.jpg
Type: image/jpeg
Size: 770 bytes
Desc: not available
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20130613/8989ca90/attachment.jpg>


More information about the Dailydave mailing list