[Dailydave] The Blue Pill of Threat Intelligence
Matthew Wollenweber
mwollenweber at gmail.com
Thu Oct 16 13:14:42 EDT 2014
Foremost, I love your observation that: "[threat intel products] offers
malware analysis, even though the massively expensive undertaking helps
nobody but the threat intelligence company, as it resells that information
to other customers. I find that who system/approach to be unethical and my
best to keep my employer out of those systems. However, threat intel can be
useful to enterprises in a variety of mechanisms. First, it provides
specific indicators that can be blocked or thwarted. For any specific
enterprise, that's one less thing. One can argue there's always another
vector, which is true but that's an implicit argument with any open ended
problem. However,it leads to a second observation that if trusted
communities can share threat intel (or even if untrusted communities can
share fast enough) it significantly drives up cost for the attacker. Again
the attacker can change, but it gets expensive/troublesome to do so
rapidly. If you talk to many threat intel guys they dig into the known
actors because they reuse so many resources, techniques, code etc. Causing
them to change more rapidly might make efforts unprofitable (when profit is
the goal) or too expensive. Because I see this utility, my struggle is how
to obtain and share the labor intensive work given that companies want to
make money and without the shady business of semi-sharing and reselling.
I'm unsure about your assertion "Instead, they've been taught to look at a
compromised computer to see what processes they can remove to make it clean
again". Only speaking from my experience, at the enterprise level, no one
wants to clean compromised computers. It's far too much work and it's not
my computer. We do our best to enforce wiping the systems. When we do
forensics, we do so to determine if any regulated data was on the system
and if it was, did it leave our network. If so, that's a reportable breach
and something no one wants to do. In those cases malware analysis and any
threat intelligence is extremely useful. Understanding how the system was
compromised, what the malware does, and the expected/trend behavior of the
actors helps understand what happened and (assuming it's true) assert that
regulated/controlled data was not breached.
There are likely better ways, but above is the best that some smart
coworkers and I can actually accomplish to keep our employer out of the
Post.
On Wed, Oct 15, 2014 at 11:59 AM, Dave Aitel <dave at immunityinc.com> wrote:
>
> http://www.fierceitsecurity.com/story/threat-intelligence-problem/2014-10-13
>
> In this article I go over "Threat Intelligence". And I'm a little hard
> on it because I think it has to make a choice, and soon. In one hand, is
> a pill that takes it down the road to AV-like financial success, but
> strategic failure. And in the other hand, the current models are only
> stepping stones towards offerings that provide true strategic
> situational awareness to their clients, so their clients can build
> customized incident response programs that really work.
>
> Honestly, I think because of the way VC-funded firms work, we may end up
> taking the blue pill, which is unfortunately for companies, but good for
> those of us doing offense.
>
> -dave
>
>
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
>
>
--
Matthew Wollenweber
m <mjw at cyberwart.com>wollenweber at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20141016/b8391dbc/attachment.html>
More information about the Dailydave
mailing list