<div dir="auto">Daemonlogger + Zeek Intelligence Framework for sightings. Doesn't need TLS secrets. Doesn't need high availability or to run inline. The sensors tell you what they see and where and when they saw it. No need to block. No need to "detect". No signatures at all (just a living watchlist). No AI/ML. No modification of traffic. No huge concern if an APT, skiddie, or admin crashes it (it's receive-only on the Daemonlogger interfaces, right?). You don't even need to save any pcap or flow/sess data or metadata! <div dir="auto"><br></div><div dir="auto">For SMTP/ESMTP/Submission services try <a href="http://emailrelay.sf.net">emailrelay.sf.net</a> and run Yara across the headers. ReversingLabs and some trustgroups maintain/share rules especially checking rfc2822 content-type and message-id. </div><div dir="auto"><br></div><div dir="auto">NSM, NIDS, NIPS, NFA, and Network Forensics are dead but Sighting and Gating concepts are not. </div><div dir="auto"><br></div><div dir="auto">For cloud, there's always Prisma Cloud and/or CRFT.app. For containers: eBPF, Sysdig, Capsule8, et al.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Sep 6, 2019, 12:15 PM John Lampe <<a href="mailto:jlampe@tenable.com" target="_blank" rel="noreferrer">jlampe@tenable.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>I think Dave nailed it when he said "anomaly detection algorithm". There is still value in being able to take netflow data, ip intel, protocol hashing and enumeration (even encrypted ones), client fingerprinting, and a lot of other things and bringing that all together. Call it a NIDS, passive scanner, whatever...it's still an integral part of security. oh, and the places where those tools live is prime real estate. If you're doing IR or hunting, you'll be wanting access to those tree stands.</div><div><br></div><div>John<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Sep 6, 2019 at 1:30 PM Allen DeRyke <<a href="mailto:allen.deryke@gmail.com" rel="noreferrer noreferrer" target="_blank">allen.deryke@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div><div class="m_4155690735761660985m_3203427560290699803gmail-m_7278672739315998916m_3288107358881505401gmail_signature">Network security monitoring is alive and well; netflow, bro, zeek, and packet capture are incredibly valuable data sources for DFIR and "threat hunting" purposes; however signature-based IDS as a primary detection mechanism has always been a bit of a story that vendors sell blue teams to sleep better at night. The metadata tools do raise the bar for your adversaries opsec, and the ugly reality is that these tools help us "get lucky" with detection. This audience is well aware that there will always be an environmental niche for the ruthlessly opportunistic species be it blue, red, or salesy.</div><div class="m_4155690735761660985m_3203427560290699803gmail-m_7278672739315998916m_3288107358881505401gmail_signature"><br></div><div class="m_4155690735761660985m_3203427560290699803gmail-m_7278672739315998916m_3288107358881505401gmail_signature">This isn't to say there isn't a place for a "good IDS analyst" closely managing a "well-designed" sensor rollout and a "tailored" signature set, but the ROI of getting all three things right in 2019 is rarely comparable to alternative investments; </div><div class="m_4155690735761660985m_3203427560290699803gmail-m_7278672739315998916m_3288107358881505401gmail_signature"><br></div><div class="m_4155690735761660985m_3203427560290699803gmail-m_7278672739315998916m_3288107358881505401gmail_signature">We know what's going on though... Somebody out there needs to continue funding expeditions for the lost golden city of El Dorado and when they find it the joke will be on all of us for not purchasing more supplies from the superior outfitter that's obviously enabled them to be such good treasure hunters.</div></div><div class="m_4155690735761660985m_3203427560290699803gmail-m_7278672739315998916m_3288107358881505401gmail_signature"><br></div></div><div dir="ltr"><div><div dir="ltr" class="m_4155690735761660985m_3203427560290699803gmail-m_7278672739315998916m_3288107358881505401gmail_signature">-- Allen Deryke</div></div><div dir="ltr" class="m_4155690735761660985m_3203427560290699803gmail-m_7278672739315998916m_3288107358881505401gmail_signature"><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Sep 6, 2019 at 7:18 AM Chris Rohlf <<a href="mailto:chris.rohlf@gmail.com" rel="noreferrer noreferrer" target="_blank">chris.rohlf@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div dir="auto">I think netflows have a lot of value in production and corp environments. But if the question is ‘can NIDS, now or in the future, detect client side remotes against scriptable targets’ then the answer is a resounding no. NIDS in server environments simply can’t scale up enough or model the complex tech stacks they sit in front of.</div><div dir="auto"><br></div><div dir="auto">Sure you can write a signature to match a single exploit instance but its easily bypassed, and requires reducing the security of TLS everywhere to that of an unmanaged, and likely unpatched, linux box that stores your private keys at the same privilege level of the program that parses complex file and protocol structures from untrusted sources.</div><div dir="auto"><br></div><div dir="auto">We haven’t even gotten into how badly this weakens good service mesh architectures with mutual TLS. Any good security leadership wants metrics but its risk calculations like this that almost always go unnoticed.</div></div><div dir="auto"><br></div><div dir="auto">Chris</div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Sep 5, 2019 at 7:15 PM Anton Chuvakin <<a href="mailto:anton@chuvakin.org" rel="noreferrer noreferrer" target="_blank">anton@chuvakin.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Wow, indeed, so 2007, this brings back memories .... <div><br></div><div>But on a more serious note: do you guys truly think that network security monitoring (whether NIDS, network forensics / capture, "NTA / NDR", Bro / Zeek and such) is "dead dead"? And there no hope for any zombie-apocalypse-style revival? :-)</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Sep 5, 2019 at 2:41 PM Chris Rohlf <<a href="mailto:chris.rohlf@gmail.com" rel="noreferrer noreferrer" target="_blank">chris.rohlf@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div dir="auto">I’ve been happily ignoring Twitter the last few weeks so when I saw a DD post come in I got excited and felt nostalgic for 2007, which coincidentally this thread reminds me of. Not just because Dave is trolling Rob but also because I thought the idea of network based protocol and file parsers died around that time. How many HTTP implementation quirks does the Snort engine implement these days? Back then it was almost none. But what about now? Trick question, it doesn’t matter.</div><div dir="auto"><br></div><div dir="auto">Theres not enough memory or cpu in your average NIDS (or whatever they’re called now) to possibly keep state while monitoring the traffic volume in any real production deployment.</div><div dir="auto"><br></div><div dir="auto">I suppose theres only one RDP implementation whose quirks are worth reimplementing, but what are the chances they did it better than Microsoft? Does the MITM have as many mitigations as a modern Msft server OS? And are you willing to trust it with all those private keys? Does the MITM box have 2fa auth? Role based acl’s? What other disk did that key touch after your team exported it? If you’re a CISO who is losing sleep over these exploits but are not asking the questions above then you may not have your priorities straight.</div><div dir="auto"><br></div></div><div dir="auto">Chris</div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Sep 5, 2019 at 11:03 AM Dave Aitel <<a href="mailto:dave.aitel@gmail.com" rel="noreferrer noreferrer" target="_blank">dave.aitel@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><a href="https://blog.talosintelligence.com/2019/09/the-latest-on-bluekeep-and-dejablue.html" rel="noreferrer noreferrer" target="_blank">https://blog.talosintelligence.com/2019/09/the-latest-on-bluekeep-and-dejablue.html</a><br><div><br></div><div>Ok, so as someone pointed out in private email, they have a blog that goes through a 20 step process to exporting your private key from your RDP server to the MITM box that is parsing the protocol. I think this is an unlikely configuration, but in theory it IS possible. An anomaly detection algorithm might be a better option for real world detection, even though it is not specific to the bug. </div><div><br></div><div>In other words, just to annoy Rob Graham, maybe network defenses can't really find every bug they want to - not just because they should not be edge-devices with vast repositories of every private key on your network, but because parsing requires state and state requires memory and you don't have infinite memory. </div><div><br></div><div><a href="https://vimeo.com/357848836" rel="noreferrer noreferrer" target="_blank">https://vimeo.com/357848836</a> <---also watch the INFILTRATE teaser! :)<br></div><div><br></div><div>ALSO: I'm headed to Tel Aviv next week if there's any infosec stuff happening there and anyone wants to say hi! </div></div><div dir="ltr"><div><br></div><div>-dave</div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Sep 4, 2019 at 12:57 PM Dave Aitel <<a href="mailto:dave.aitel@gmail.com" rel="noreferrer noreferrer" target="_blank">dave.aitel@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>So I like the BLUEKEEP marketing train because it's a very hard bug to detect authoritatively for either endpoint protection or for network-based defenses. So when companies make claims about it, it's worth asking how they did that. Twitter is a terrible place for that, but since I know everyone in the industry who does this kind of thing is on this list I figured I'd ask here...</div><div><br></div><div>-dave</div><div><br></div><div><br></div><a href="https://twitter.com/daveaitel/status/1169265348669005825" rel="noreferrer noreferrer" target="_blank">https://twitter.com/daveaitel/status/1169265348669005825</a><br><div><br></div><div><div><img src="https://mail.google.com/mail/?ui=2&ik=5fabd144a0&attid=0.1&th=16d0862c23b91f17&view=fimg&rm=16d0862c23b91f17&sz=w1600-h1000&attbid=ANGjdJ_Pl5AdTUiG0vxrF6BIJvb7kaHrP3pI-nSJWdRvte5B9yNUabijj0NPROGrzCH-7ik0KG7X81uCpnOD4byGeyuBpUsPoSjsJviSBTf3R1pdC3InzCgoHh0nHyY&disp=emb&realattid=ii_k05i3ixi0&zw" alt="image.png" style="width:544px;max-width:100%"><br></div></div><div><br></div></div>
</blockquote></div>
_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com" rel="noreferrer noreferrer" target="_blank">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" rel="noreferrer noreferrer noreferrer" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
</blockquote></div></div>
_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com" rel="noreferrer noreferrer" target="_blank">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" rel="noreferrer noreferrer noreferrer" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="m_4155690735761660985m_3203427560290699803gmail-m_7278672739315998916m_3288107358881505401gmail-m_8229583683802403097m_7770323625253069852gmail_signature">Dr. Anton Chuvakin<br>Site: <a href="http://www.chuvakin.org" rel="noreferrer noreferrer" target="_blank">http://www.chuvakin.org</a><br>Twitter: @anton_chuvakin<br>Work: <a href="http://www.linkedin.com/in/chuvakin" rel="noreferrer noreferrer" target="_blank">http://www.linkedin.com/in/chuvakin</a><br>Blog: <a href="https://blogs.gartner.com/anton-chuvakin/" rel="noreferrer noreferrer" target="_blank">https://blogs.gartner.com/anton-chuvakin/</a></div>
</blockquote></div></div>
_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com" rel="noreferrer noreferrer" target="_blank">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" rel="noreferrer noreferrer noreferrer" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
</blockquote></div></div>
_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com" rel="noreferrer noreferrer" target="_blank">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" rel="noreferrer noreferrer noreferrer" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
</blockquote></div>
_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com" rel="noreferrer noreferrer" target="_blank">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" rel="noreferrer noreferrer noreferrer" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
</blockquote></div>