Why does it seem we are moving from blacklists to "new and improved" blacklists?<div><br></div><div>It seems like the industry is caught choosing between things that don't work (i.e. blacklists, "better" firewalls) and things which are hard to implement (i.e. whitelists, better internal network segmentation, baseline monitoring, etc.) </div>
<div><br></div><div>I think Paul said, "Every time you hit the easy button, God deploys another trojan on your network."</div><div><br></div><div> </div><div><br><div class="gmail_quote">On Wed, Jun 12, 2013 at 8:10 AM, Dave Aitel <span dir="ltr"><<a href="mailto:dave@immunityinc.com" target="_blank">dave@immunityinc.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hackers spend a lot of time looking at what's coming down the technology<br>
road at them. In a sense, this business is about learning how to stare<br>
down the barrel of a gun and not blinking for decades at a time. When<br>
you blink, you end up a CISSP. Richer financially, but poorer in 0days,<br>
the only currency that matters to someone with your particular addiction.<br>
<br>
Terminology can reveal a lot, as can business strategies. I spent some<br>
time on the phone yesterday with a high level executive in the incident<br>
response industry, and he pooh-poohed Immunity's offensive skills, which<br>
made me focus on the industry for a while while watching Covert Affairs<br>
after the kids went to bed.<br>
<br>
First of all, here's what's next in the incident response world:<br>
"Indicators of Compromise". And when people say that, they right now<br>
mean MD5s, file names, registry addresses, dns addresses, what addresses<br>
a trojan hooks, and that sort of thing. All of these things can be<br>
changed AT RUN TIME, by your better trojans.<br>
<br>
In other words, we have an industry focused highly on "indicators of<br>
compromise", whereas modern high-level attackers have leapfrogged the<br>
entire concept. The only true indicator of compromise is "computer is<br>
doing something I probably didn't want it to do", and that's not<br>
something you can codify in XML.<br>
<br>
Something to think about. :><br>
<span class="HOEnZb"><font color="#888888"><br>
-dave<br>
<br>
<br>
</font></span><br>_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
<br></blockquote></div><br></div>
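<div>An added illustration of the point in the quoted mail (example code written for this page, not from either poster): a static IoC set of the kind described, with hashes, file names, registry paths and DNS names, is matched against two constructed host observations of the same trojan, and a coarse behavioural rule is shown beside it. All sample bytes, paths, keys and domains are made up.</div>

```python
import hashlib

# Everything below is constructed for the example: a fake "trojan" byte
# string and the observations a host sensor might report about it.
KNOWN_SAMPLE = b"MZ\x90\x00constructed-sample-v1"
KNOWN_MD5 = hashlib.md5(KNOWN_SAMPLE).hexdigest()

# A static IoC set of the kind the mail describes: hashes, file names,
# registry paths and DNS names, all captured from the first sighting.
STATIC_IOCS = {
    "md5": {KNOWN_MD5},
    "file_name": {"svchosts.exe"},
    "registry": {"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"},
    "dns": {"cdn-update.example"},
}

def static_ioc_hits(obs):
    """Return the static indicator types that match one host observation."""
    hits = []
    if hashlib.md5(obs["bytes"]).hexdigest() in STATIC_IOCS["md5"]:
        hits.append("md5")
    if obs["path"].rsplit("\\", 1)[-1] in STATIC_IOCS["file_name"]:
        hits.append("file_name")
    if STATIC_IOCS["registry"] & set(obs["registry_writes"]):
        hits.append("registry")
    if STATIC_IOCS["dns"] & set(obs["dns_queries"]):
        hits.append("dns")
    return hits

def behaviour_hits(obs):
    """Coarse behavioural rule: an unsigned binary run from a user temp
    directory that adds a Run-key persistence entry and then resolves a
    name. This is the 'doing something I didn't want' class of indicator:
    it survives renaming and rehashing, but it needs a baseline to tune
    and will also fire on some legitimate installers."""
    path = obs["path"].lower()
    in_temp = path.startswith("c:\\users\\") and "\\appdata\\local\\temp\\" in path
    persists = any("\\currentversion\\run\\" in k.lower() for k in obs["registry_writes"])
    return in_temp and not obs["signed"] and persists and bool(obs["dns_queries"])

# Observation 1: the sample exactly as it looked when the IoCs were written.
ORIGINAL = {
    "bytes": KNOWN_SAMPLE, "signed": False,
    "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchosts.exe",
    "registry_writes": ["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"],
    "dns_queries": ["cdn-update.example"],
}
# Observation 2: the same trojan after trivial run-time changes (one byte
# differs, new file name, new Run-key value name, new domain).
VARIANT = {
    "bytes": KNOWN_SAMPLE[:-1] + b"2", "signed": False,
    "path": "C:\\Users\\bob\\AppData\\Local\\Temp\\OneDriveSync.exe",
    "registry_writes": ["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDriveSync"],
    "dns_queries": ["files-sync.example"],
}
```

Every static indicator matches the first observation and none matches the second, while the behavioural rule fires on both.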