<div dir="ltr"><div>I agree with Chris, and I like Anton's question: usually the people who say NIDS is dead are those who are complaining that NIDS doesn't do some thing that they think NIDS should and does not do - case in point, detecting all evil. NIDS is not the answer to securing a network but then, nothing is *the* answer. As a veteran of a lot of incident responses, I can state that most of the time, the network is not owned by super ninjas - or if it is, they're not using their super-secret ninja shit, they're using something far easier to spot. We have long said that your adversary never sends in the A team when the D team can get the job done, and the sad truth is that still, ten years after I started saying that, this is the case. So the idea that NIDS is bad because it doesn't see really super cool shit is just not seeing the reality of most networks - as I work here in government, I see people taken down regularly by ransomware...ransomware. That speaks to a level of suck that raises another point: even in a well-monitored, well run network with good visibility, running NIDS is cheap and non-disruptive enough to give it some value to point out when something unexpected or weird happens, and THAT does in fact have a lot of value. Similarly, the ability to see network flows and understand basic things like top talkers, and what looks "normal," and how many devices you have on a network and where - these are hugely important things to know or be able to look up quickly (and they are the things that people who have security incidents have the least). So, I don't think it's that NIDS is not the answer, I just think we have to agree on the question. <br> </div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Sep 6, 2019 at 7:19 AM Chris Rohlf <<a href="mailto:chris.rohlf@gmail.com">chris.rohlf@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div dir="auto">I think netflows have a lot of value in production and corp environments. But if the question is ‘can NIDS, now or in the future, detect client side remotes against scriptable targets’ then the answer is a resounding no. NIDS in server environments simply can’t scale up enough or model the complex tech stacks they sit in front of.</div><div dir="auto"><br></div><div dir="auto">Sure you can write a signature to match a single exploit instance but its easily bypassed, and requires reducing the security of TLS everywhere to that of an unmanaged, and likely unpatched, linux box that stores your private keys at the same privilege level of the program that parses complex file and protocol structures from untrusted sources.</div><div dir="auto"><br></div><div dir="auto">We haven’t even gotten into how badly this weakens good service mesh architectures with mutual TLS. Any good security leadership wants metrics but its risk calculations like this that almost always go unnoticed.</div></div><div dir="auto"><br></div><div dir="auto">Chris</div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Sep 5, 2019 at 7:15 PM Anton Chuvakin <<a href="mailto:anton@chuvakin.org" target="_blank">anton@chuvakin.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Wow, indeed, so 2007, this brings back memories .... <div><br></div><div>But on a more serious note: do you guys truly think that network security monitoring (whether NIDS, network forensics / capture, "NTA / NDR", Bro / Zeek and such) is "dead dead"? And there no hope for any zombie-apocalypse-style revival? :-)</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Sep 5, 2019 at 2:41 PM Chris Rohlf <<a href="mailto:chris.rohlf@gmail.com" target="_blank">chris.rohlf@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div dir="auto">I’ve been happily ignoring Twitter the last few weeks so when I saw a DD post come in I got excited and felt nostalgic for 2007, which coincidentally this thread reminds me of. Not just because Dave is trolling Rob but also because I thought the idea of network based protocol and file parsers died around that time. How many HTTP implementation quirks does the Snort engine implement these days? Back then it was almost none. But what about now? Trick question, it doesn’t matter.</div><div dir="auto"><br></div><div dir="auto">Theres not enough memory or cpu in your average NIDS (or whatever they’re called now) to possibly keep state while monitoring the traffic volume in any real production deployment.</div><div dir="auto"><br></div><div dir="auto">I suppose theres only one RDP implementation whose quirks are worth reimplementing, but what are the chances they did it better than Microsoft? Does the MITM have as many mitigations as a modern Msft server OS? And are you willing to trust it with all those private keys? Does the MITM box have 2fa auth? Role based acl’s? What other disk did that key touch after your team exported it? If you’re a CISO who is losing sleep over these exploits but are not asking the questions above then you may not have your priorities straight.</div><div dir="auto"><br></div></div><div dir="auto">Chris</div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Sep 5, 2019 at 11:03 AM Dave Aitel <<a href="mailto:dave.aitel@gmail.com" target="_blank">dave.aitel@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><a href="https://blog.talosintelligence.com/2019/09/the-latest-on-bluekeep-and-dejablue.html" target="_blank">https://blog.talosintelligence.com/2019/09/the-latest-on-bluekeep-and-dejablue.html</a><br><div><br></div><div>Ok, so as someone pointed out in private email, they have a blog that goes through a 20 step process to exporting your private key from your RDP server to the MITM box that is parsing the protocol. I think this is an unlikely configuration, but in theory it IS possible. An anomaly detection algorithm might be a better option for real world detection, even though it is not specific to the bug. </div><div><br></div><div>In other words, just to annoy Rob Graham, maybe network defenses can't really find every bug they want to - not just because they should not be edge-devices with vast repositories of every private key on your network, but because parsing requires state and state requires memory and you don't have infinite memory. </div><div><br></div><div><a href="https://vimeo.com/357848836" target="_blank">https://vimeo.com/357848836</a> <---also watch the INFILTRATE teaser! :)<br></div><div><br></div><div>ALSO: I'm headed to Tel Aviv next week if there's any infosec stuff happening there and anyone wants to say hi! </div></div><div dir="ltr"><div><br></div><div>-dave</div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Sep 4, 2019 at 12:57 PM Dave Aitel <<a href="mailto:dave.aitel@gmail.com" target="_blank">dave.aitel@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>So I like the BLUEKEEP marketing train because it's a very hard bug to detect authoritatively for either endpoint protection or for network-based defenses. So when companies make claims about it, it's worth asking how they did that. Twitter is a terrible place for that, but since I know everyone in the industry who does this kind of thing is on this list I figured I'd ask here...</div><div><br></div><div>-dave</div><div><br></div><div><br></div><a href="https://twitter.com/daveaitel/status/1169265348669005825" target="_blank">https://twitter.com/daveaitel/status/1169265348669005825</a><br><div><br></div><div><div><img src="cid:ii_k05i3ixi0" alt="image.png" style="width: 544px; max-width: 100%;"><br></div></div><div><br></div></div>
</blockquote></div>
_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com" target="_blank">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" rel="noreferrer" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
</blockquote></div></div>
_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com" target="_blank">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" rel="noreferrer" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail-m_-4393701219192681756m_7770323625253069852gmail_signature">Dr. Anton Chuvakin<br>Site: <a href="http://www.chuvakin.org" target="_blank">http://www.chuvakin.org</a><br>Twitter: @anton_chuvakin<br>Work: <a href="http://www.linkedin.com/in/chuvakin" target="_blank">http://www.linkedin.com/in/chuvakin</a><br>Blog: <a href="https://blogs.gartner.com/anton-chuvakin/" target="_blank">https://blogs.gartner.com/anton-chuvakin/</a></div>
</blockquote></div></div>
_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com" target="_blank">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" rel="noreferrer" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
</blockquote></div>