[Dailydave] The New York Times Plays with Fire

david laumann dave.laumann at gmail.com
Mon Feb 4 14:46:16 EST 2013


On Fri, Feb 1, 2013 at 4:19 PM, Dave Aitel <dave at immunityinc.com> wrote:
> In other words, playing games with hackers on your network for a story
> is a fundamentally bad idea. Because at some point, you're going to find
> a contractor who screws up and doesn't follow their own policy (or can't
> type) and it's going to take down your whole business.

Not sure if I agree that the org allowed the attack to fester to build
a story (though a good point on policy). I cannot dismiss too easily
the implied reason the hackers were allowed to play for so long: the
big-bang shut-out. Consider that the org was already compromised long
before either consulting firm was called in (the article hints at
this). Compromised to what extent, though? Clients comp'd, servers
comp'd, active C2s, beachheads, backup passive malz installed,
infrastructure mapped, passwords dumped? Where does an org begin with
its mitigation? Piecemeal? Rebuild a client or server only to find
another pops right up? Change all passwords only to have them dumped
again? The article even suggests this piecemeal approach was tried:
"when it became clear that attackers were still inside its systems
despite efforts to expel them". That to me is the interesting line in
the article.

Certainly, the longer the adversary has the opportunity to operate, the
greater the chance for mistakes, further compromise, or exfil. Though,
I doubt the org was really in control, and they didn't "allow" the
adversary to operate inasmuch as the adversary had dominance.

Also, on the point of taking down a business, consider an en masse
password change for a large number of accounts (user, service, etc.).
Now, that is one disruptive event.

So, I suspect the significance of allowing the adversary to operate
freely was tied to gaining control back vs., say, building a story. In
this case time will tell, and perhaps a follow-up article, if it was a
good thing vs. just whack-a-mole'ing along (funny, Google wants to
autocorrect that to whack-a-molesting - who knew? Google: advocate of
mole abuse awareness). Of course whack-a-mole can be very effective,
but only after you've achieved control.

-dave

