[Dailydave] Improvements

Jordan Wiens jordan at psifertex.com
Wed Feb 15 11:46:34 EST 2017

When I last played defender over a decade ago at a large university, we
built what sounds like exactly the same sort of system. It was an ugly mess
of perl and it worked fantastically. The rules were crude and didn't have
nearly the visibility into the network (partially because the host
inspection technologies didn't exist and partially because as a university
security engineer you often don't have permission to touch most of the
endpoints on your network), but we were wiring up the more reliable IDS
signatures, DNS queries, and flow data indicators to:

- our campus captive portal to de-auth
- automatic emails to users and network administrators with specific
remediation information
- blackhole routes for managed machines until the local admin
self-certified the host was cleaned
- or in some cases, disable the user's login for repeat offenders of
non-university machines until they visited the helpdesk to get cleaned

At the time the signatures that were effective were mostly super dumb.
Stuff like visiting known IRC C&C servers and channels, but it worked. It
required manual effort to constantly tune actions and inputs, but it was a
heck of a lot easier than trying to fight that flood by hand.

It sounds like the specific actions and data ingests might be different,
but the idea of rolling your own automated system hasn't changed a bit in
ten years. Surprised to not hear more about the approach, but agree
completely that no one vendor does it, and yet every vendor can easily be a
part of it.

On Wed, Feb 15, 2017 at 10:59 AM, Dave Aitel <dave.aitel at gmail.com> wrote:

> http://www.securityweek.com/crowdstrike-sues-nss-labs-prevent-publication-test-results
> One thing I've had problems with is learning that people can "get gud".
> It's one of the reasons I always cringe at the inevitable policy trope of
> "Cyber war is easier for attackers than defenders. Yesterday I was talking
> to a professional CISO - one of the ones I've known for years out of the
> NYC scene. He's like "Yes, individually none of the stuff anyone sells you
> works at all. But once you connect, say, Bromium, to the BlueCoat API with
> a bit of analysis glue you can have five minute response metrics, where
> once you find any anomaly, you can do memory searches for that running
> anywhere in your org, then automatically stuff those machines on their own
> "When I join a new org, whatever random vendors they've bought into, I can
> make that really work. It doesn't really matter what they have, as long as
> they have something."
> Automated response has always been the real market. I can see people
> actually DOING it now, even though no product vendor wants to talk about
> it. And it's one of the few things that actually scares me as an attacker.
> -dave
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
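The post above describes a pipeline in words: crude but reliable indicators (IDS signatures, DNS queries, flow records) fed into a rule engine that de-auths through the captive portal, emails the owner, blackholes managed machines until the local admin self-certifies, and disables the login of repeat offenders on unmanaged machines. The following is an added illustration of that shape, not code from the thread or from any university deployment: the indicator lists, host-to-owner mapping, the "TROJAN" signature prefix, the strike threshold of 3 and the sample events are all constructed, and each action is returned as a tuple in place of the real hooks (portal API, mailer, route injection, account disable) that a production system would call.

```python
"""Toy automated-response engine modelled on the workflow described in the
post. Added example; every feed, host, owner, threshold and event below is
constructed for illustration and is not taken from a real environment."""
from collections import Counter
from dataclasses import dataclass, field

# Constructed indicator feeds: the high-confidence, "super dumb" kind.
KNOWN_CNC_DOMAINS = {"irc.example-botnet.test"}   # constructed IRC C&C host
KNOWN_CNC_IPS = {"198.51.100.7"}                   # constructed (TEST-NET-2)
MANAGED_HOSTS = {"10.0.5.20"}                      # has a local admin to certify cleanup
HOST_OWNER = {"10.0.5.20": "labadmin", "10.0.9.31": "student42"}  # constructed


@dataclass
class Event:
    source: str   # "ids", "dns" or "flow"
    host: str     # internal address of the suspect endpoint
    detail: str   # signature name, queried domain, or remote IP


def is_confident_hit(ev: Event) -> bool:
    """Only rules reliable enough to act on: a false positive here knocks a
    user off the network, so the set stays small and literal."""
    if ev.source == "ids":
        return ev.detail.startswith("TROJAN ")   # assumed naming convention
    if ev.source == "dns":
        return ev.detail.lower() in KNOWN_CNC_DOMAINS
    if ev.source == "flow":
        return ev.detail in KNOWN_CNC_IPS
    return False


@dataclass
class ResponseEngine:
    repeat_threshold: int = 3                      # strikes before login is disabled
    strikes: Counter = field(default_factory=Counter)
    blackholed: set = field(default_factory=set)
    disabled_users: set = field(default_factory=set)
    log: list = field(default_factory=list)        # every action taken, in order

    def handle(self, ev: Event) -> list:
        """Map a confirmed hit to the response steps for that host class."""
        if not is_confident_hit(ev):
            return []
        owner = HOST_OWNER.get(ev.host, "unknown")
        self.strikes[ev.host] += 1
        # Always tell the owner/admin what fired so they can remediate.
        steps = [("notify", owner, f"{ev.source}:{ev.detail}")]
        if ev.host in MANAGED_HOSTS:
            # Managed machine: blackhole once, until the admin self-certifies.
            if ev.host not in self.blackholed:
                self.blackholed.add(ev.host)
                steps.append(("blackhole", ev.host, "until self-certified clean"))
        else:
            # Unmanaged machine: kick it off the captive portal every time,
            # and disable the account after repeated hits.
            steps.append(("portal_deauth", ev.host, ""))
            if (self.strikes[ev.host] >= self.repeat_threshold
                    and owner not in self.disabled_users):
                self.disabled_users.add(owner)
                steps.append(("disable_login", owner, "visit helpdesk"))
        self.log.extend(steps)
        return steps

    def certify_clean(self, host: str) -> bool:
        """Local admin self-certification: lifts the blackhole, resets strikes.
        Returns False if the host was not blackholed."""
        if host not in self.blackholed:
            return False
        self.blackholed.discard(host)
        self.strikes[host] = 0
        return True


# Constructed sample input: one unmanaged host hit three ways, one managed host
# hit twice, plus a benign DNS query that must not trigger anything.
SAMPLE_EVENTS = [
    Event("dns", "10.0.9.31", "irc.example-botnet.test"),
    Event("dns", "10.0.9.31", "www.example.com"),
    Event("flow", "10.0.9.31", "198.51.100.7"),
    Event("ids", "10.0.9.31", "TROJAN known IRC bot channel join"),
    Event("flow", "10.0.5.20", "198.51.100.7"),
    Event("ids", "10.0.5.20", "TROJAN known IRC bot channel join"),
]


def run_sample() -> ResponseEngine:
    """Feed the constructed events through a fresh engine and return it."""
    eng = ResponseEngine()
    for ev in SAMPLE_EVENTS:
        eng.handle(ev)
    return eng


if __name__ == "__main__":
    for action in run_sample().log:
        print(action)
```

The managed/unmanaged split is the part worth copying: the same indicator leads to different actions depending on whether anyone with admin rights can be held to a cleanup, and the blackhole is applied once and released only by an explicit certification call rather than by a timer. Tuning `is_confident_hit` is the ongoing manual effort the post refers to; everything after it is mechanical.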