[Dailydave] Late Friday thoughts on the Kevin Mandia RSAC keynote.

Dave Aitel dave at immunityinc.com
Fri Mar 21 17:13:04 EDT 2014


http://www.rsaconference.com/videos/128/state-of-the-hack-one-year-after-the-apt1-report

If 97% of the breaches you find are directly attributable to Chinese
hackers (aka, due to keyboard language settings, C2 IP, etc.) then how
much are you missing?! Boggles the mind. You're telling me you don't see
Russians, French, Americans, Israelis, etc. anywhere in the world?
Something seems wrong with that number.

A lot of what people do is look for "Indications of Compromise" that are
essentially C2 domains. But realistically you don't need a lot of C2 for
an implant. And a nation-state that can "Be any IP in the world", or in
fact has any decent SIGINT, can easily find ways to not need domains, to
be any domain, or to be every domain. This includes China, for what it's
worth.

I see a lot of ads (e.g. from Sourcefire) for Next Gen firewalls. But
current gen implants are already able to take on next gen firewalls just
fine.

Talk also includes silliness such as the "asymmetric" argument
("Attackers only need to get in once, defenders have to defend
everything...") and some sort of weird idea that offensive tools are
less well QA'd than defensive tools. (Which is absolutely not true).

Look, deep down, monitoring is expensive. And if you're trying to scale
it up on the cheap, you end up inventing the anti-virus, which we
already know is not a bad idea. This is the problem people are trying to
solve, and it's still pretty unsolved, imho.

-dave
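The point about "Indications of Compromise" that are really just C2 domain lists, as an added example (this is not code from the post or from Immunity; the DNS log lines, the IOC entry and the function names are all constructed for illustration). A plain domain-match catches only the host talking to the one listed domain; a host beaconing just as regularly to a domain nobody has listed is invisible to it, and only a check on the traffic's behaviour rather than its destination notices that host.

```python
# Added example, not from the original post: a domain-based IOC match versus
# a behaviour-based check, run over constructed DNS query log lines.
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical C2 indicator, in the form an IOC feed would publish it.
IOC_DOMAINS = {"update-check.example-bad.test"}

# Constructed log lines: "<unix_time> <host> <query name>". hostA beacons
# to the listed domain; hostB beacons just as regularly to a domain the feed
# does not list; hostC does ordinary one-off lookups.
LOG_LINES = """\
1395420000 hostA update-check.example-bad.test
1395420060 hostA update-check.example-bad.test
1395420120 hostA update-check.example-bad.test
1395420180 hostA update-check.example-bad.test
1395420005 hostB cdn.legit-vendor.test
1395420305 hostB cdn.legit-vendor.test
1395420605 hostB cdn.legit-vendor.test
1395420905 hostB cdn.legit-vendor.test
1395420010 hostC www.example-news.test
1395420999 hostC mail.example-news.test
"""


def parse(lines):
    """Turn the constructed log text into (timestamp, host, qname) tuples."""
    records = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, host, qname = line.split()
        records.append((int(ts), host, qname.lower().rstrip(".")))
    return records


def ioc_hits(records, iocs=IOC_DOMAINS):
    """Classic indicator match: hosts that resolved a listed domain or a
    subdomain of one. Anything not on the list is never seen."""
    hits = set()
    for _, host, qname in records:
        if qname in iocs or any(qname.endswith("." + d) for d in iocs):
            hits.add(host)
    return hits


def beacon_hits(records, min_queries=4, max_jitter=0.1):
    """Behavioural check that ignores the destination: flag (host, domain)
    pairs whose query intervals are nearly constant, i.e. driven by a timer.
    max_jitter is the allowed stddev/mean ratio of the gaps."""
    times = defaultdict(list)
    for ts, host, qname in records:
        times[(host, qname)].append(ts)
    flagged = set()
    for key, ts_list in times.items():
        if len(ts_list) < min_queries:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged.add(key)
    return flagged


if __name__ == "__main__":
    recs = parse(LOG_LINES)
    print("IOC matches:", sorted(ioc_hits(recs)))
    print("Beaconing pairs:", sorted(beacon_hits(recs)))
```

The behavioural check is a triage signal, not a verdict: legitimate timer-driven traffic (NTP, update checks, monitoring agents) trips it too, and an implant that adds random jitter to its callback interval, or that hides its callbacks in traffic to a domain the victim already talks to constantly, walks past both checks. That is the cost problem the post is describing: the cheap check is the domain list, and it only finds the attackers who bothered to register one.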

