[Dailydave] Late Friday thoughts on the Kevin Mandia RSAC keynote.

Moses Hernandez moses at moses.io
Sun Mar 23 11:24:03 EDT 2014


Dave,
  Quick Q: Are you referring to this particular statement (I paused it):

Highlights - Technical 
- In over 97% of the 2,672 separate APT1 intrusions Mandiant observed (into 141 companies), APT1 used IP addresses registered in Shanghai. 

So that statement tells me that those are just the APT1 intrusions, not all of the Mandiant-referenced intrusions. APT1 itself is said to use IP addresses registered in Shanghai. Is that by itself clever misdirection? Maybe. Are there other ‘APT’ style groups from various nations that go undetected? I remember a talk (maybe from Nico Waisman) about badly written exploits leading to discovery of intrusions. If that theory is to be held true, then does that account for exploit quality when looking at developed vs. emerging markets?

As for NextGen firewalls themselves, full disclosure: I work for Cisco, which makes NGFW products, and I find that many of my customers are implementing them because they have neither the political willpower nor the technical ability to implement sufficient egress filtering. You could get 90% of the functionality with a Web Proxy that has application ID built in. Although you can add a bit more context to IPS with OpenAppID, which is what Sourcefire uses and is now open sourced here: http://blog.snort.org/2014/03/firing-up-openappid.html . But you're right, AppID or not, people and organizations will be the ones that ultimately drive a ‘better’ answer to the issue. This year I’ll be giving more ‘community’ focused talks on Security and this conceptual ideal of 'DevOps'. In those talks, I hope to espouse some better thought practices, attack- and defend-wise (AttackOps and DefendOps?); maybe the attackers and the defenders don’t have asymmetric warfare, but the way we culturally have built our companies' infrastructures, from a people point of view, has done that.

As for ‘is monitoring expensive’: I think today telemetry in most networks doesn’t exist, and the tools that do exist are markedly expensive. Over time those trends will move downward. I look at Flume + Hadoop (or any distributed key/value database like Riak …), Loggly, and other ‘data’ tools that the startup community has started to bring forward to get a better grasp of web application analytics; we should look at and embrace those. Maybe it's just like I put in a slide: Go to school - pick up some new skillZ.

Till then
-M
@mosesrenegade


On Mar 21, 2014, at 5:13 PM, Dave Aitel <dave at immunityinc.com> wrote:

> http://www.rsaconference.com/videos/128/state-of-the-hack-one-year-after-the-apt1-report
> 
> If 97% of the breaches you find are directly attributable to Chinese
> hackers (aka, due to keyboard language settings, C2 IP, etc.) then how
> much are you missing?! Boggles the mind. You're telling me you don't see
> Russians, French, Americans, Israelis, etc. anywhere in the world?
> Something seems wrong with that number.
> 
> A lot of what people do is look for "Indications of Compromise" that are
> essentially C2 domains. But realistically you don't need a lot of C2 for
> an implant. And a nation-state that can "Be any IP in the world", or in
> fact has any decent SIGINT, can easily find ways to not need domains, to
> be any domain, or to be every domain. This includes China, for what it's
> worth.
> 
> I see a lot of ads (f.e. from Sourcefire) for Next Gen firewalls. But
> current gen implants are already able to take on next gen firewalls just
> fine.
> 
> Talk also includes silliness such as the "asymmetric" argument
> ("Attackers only need to get in once, defenders have to defend
> everything...") and some sort of weird idea that offensive tools are
> less well QA'd than defensive tools. (Which is absolutely not true).
> 
> Look, deep down, monitoring is expensive. And if you're trying to scale
> it up on the cheap, you end up inventing the anti-virus, which we
> already know is not a bad idea. This is the problem people are trying to
> solve, and it's still pretty unsolved, imho.
> 
> -dave
> 
> 
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
