[Dailydave] C2
Dan Guido
dguido at gmail.com
Mon Mar 3 13:48:38 EST 2014
I explicitly challenged this notion ("the defender's dilemma") in research
I presented a few years back (http://www.trailofbits.com/research/#eip).
Attackers have limited resources and can't afford to invest equally in
every potential opportunity for exploitation, persistence, C2, etc. You
start to make tradeoffs about which ones work in the most situations or
satisfy other requirements you have. It's as applicable to "APT" as it is
to mass malware.
It's exactly this line of thinking that led us to build Javelin (
javelinsecurity.com), which helps you measure and understand the efficacy
of common attacker strategies against your network. Our goal is to force an
attacker's dilemma, make *them* make the difficult decisions and the
expensive investments in new tools, training and systems.
Several other papers on the same topic from MSR/WEIS:
http://weis2010.econinfosec.org/papers/session5/weis2010_herley.pdf
http://weis2011.econinfosec.org//papers/Where%20Do%20All%20the%20Attacks%20Go.pdf
On Mon, Mar 3, 2014 at 12:03 PM, Dave Aitel <dave at immunityinc.com> wrote:
> One rather facetious saying that has annoyed everyone for a while is the
> whole "defenders have to protect everything, attackers just have to get
> in once" meme. If you talk to defenders who are "leading" with new
> technologies and techniques, the difference really does blur quite a
> bit. I was happily surprised at the Tenable offsite to hear their big
> customers describe their continuous monitoring and SIEM analytics
> techniques as their network "Command and Control". It's a useful change
> to a more sophisticated mindset. You don't hear people really
> acknowledging an advanced persistent defense that often. :>
>
> Of course, building proper C2C while under attack is itself very hard.
> People very quickly fall into the "Big Data" trap - we try to caution
> Justin from collecting more than he has to with El Jefe. We don't want
> "Big Data" analysis. We want "Just enough data" analysis!
>
> -dave
>
>
>
>
>
>
>
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20140303/c42fd00c/attachment-0001.html>
More information about the Dailydave
mailing list