<html><head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
</head><body text="#000000" bgcolor="#FFFFFF">Indicators of Compromise
or more appropriately those that are Open Indicators of Compromise. We
have had many proprietary solutions that used 'signature based'
indicators for a quite a long time. Some of them you never could run in
an open or customizable fashion like A/V. Can't have their secret sauce
all over the preverbal industry. Others that you could run in an open
fashion on an infrastructure, like Snort, were used because they are
available. Give the unwashed masses something, right?<br>
<br>
This whole open IOC thing is an interesting uncovering of that kimono,
and the emperor... still not naked. What really has happened is
opportunity finally met demand in this particular area. We had a sector
of the educated individuals that were tired of sheepily running
proprietary black box software to attempt to find evidence of
intrusions, improper system behavior, whatever. There were enough
reversers now that had data which could be fed...no where. Really? To
what a SIEM? A vulnerability scanner? Hey scan memory for this. Nope.
The masses wanted to get debug level access to their OS so that they
could mine the filesystem, memory spaces, and the network in a targeted
manner. At scale. In the Amazon, or Joyen Cloud, or whatever. Sorry a
little bit of hipster came out of that.<br>
<br>
It's almost as if the defense type individuals wanted to bring
themselves to the mid 2000's without all the fancy automation and DevOps
and stuff.<br>
<br>
Now, Is it fitting to use an XML object to hunt for things? Only as
fitting as it would be to use a relational database to mine for
relationships. But these of course are ships in the night. At the end of
the day we only can arrive at a half circle. We feed these standalone
silo'd tools, which run with 'open source databases' that no one updates
or feeds, indications that something may be a miss in the hopes of
finding something, anything. While we struggle and spend our time
looking at artifacts on systems, we are silently and quietly are being
pillaged. The raping happened earlier, see above. How do we arrive that
something was a miss to begin with. Was it the unusual upload of data,
'exfil', which is just amateur hour? Even if we did arrive at the
conclusion that something was wrong, by the time you noticed, it was far
to late to stop them from stealing that uber-highly classified
Microsoft Slideware. <br>
<br>
At a minimum I fancy these Open IOC's, you know because they are open
and sharing is caring in this case. The challenge is no one really is
sharing this intelligence in a free and open way. Its awesome that we
have a nice Object Model and framework, but only those that can afford
the database will gain the most from it at the moment. Most of those
that have internal IOC's aren't probably allowed to share them anyway,
because they can't. Maybe one day someone will build a WikiLeaks for
IOC's so that those without the means can have a database to run on
their internal system. Until then....<br>
<br>
Here are my indicators of Compromise:<br>
<br>
Logical, those that are of OS and Network, the processes, threads,
handles, dll's, open files, hashes, artifacts, and mutex's of tools and
components that are unusual. On the network, statistics help, but things
can lie. We know that all of this can be changed, modified and codified
to be different, so we decide to score this information maybe lower or
higher than other pieces of data. Physical, the news paper articles, SEC
filings, and increased chatter amongst people. Those that need to be
rationalized, normalized, and scored. I am sure that patterns exist
between these worlds but no one has yet to create the right experiments
to maybe find them. Social, the leaks, the talk, the data around who is
who and what is what. This may just be a big data conversation, there is
no object model for this one yet, not an open one.<br>
<br>
I do have one confession admit, however, somewhere in the haze between
high school, fast cars, the 90's, flannel, and the ability to resist
high school habits as an adult; I must have blinked. I am recovering
now, but i'll never be cured, just one day at a time I supposed.<br>
<br>
@mosesrenegade<br>
<br>
<blockquote style="border: 0px none;"
cite="mid:51B8813D.5040705@immunityinc.com" type="cite">
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div
style="display:table;width:100%;border-top:1px solid
#EDEEF0;padding-top:5px"> <div
style="display:table-cell;vertical-align:middle;padding-right:6px;"><img
photoaddress="dave@immunityinc.com" photoname="Dave Aitel"
src="cid:part1.00030905.00060908@moses.io"
name="compose-unknown-contact.jpg" width="25px" height="25px"></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
<a moz-do-not-send="true" href="mailto:dave@immunityinc.com"
style="color:#737F92
!important;padding-right:6px;font-weight:bold;text-decoration:none
!important;">Dave Aitel</a></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;">
<font color="#9FA2A5"><span style="padding-left:6px">June 12, 2013
10:10 AM</span></font></div></div></div>
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody"><div>Hackers spend a lot of
time looking at what's coming down the technology<br>road at them. In a
sense, this business is about learning how to stare<br>down the barrel
of a gun and not blinking for decades at a time. When<br>you blink, you
end up a CISSP. Richer financially, but poorer in 0days,<br>the only
currency that matters to someone with your particular addiction.<br><br>Terminology
can reveal a lot, as can business strategies. I spent some<br>time on
the phone yesterday with a high level executive in the incident<br>response
industry, and he poo-pooed Immunity's offensive skills, which<br>made
me focus on the industry for a while while watching Covert Affairs<br>after
the kids went to bed.<br><br>First of all, here's what's next in the
incident response world:<br>"Indicators of Compromise". And when people
say that, they right now<br>mean MD5s, file names, registry addresses,
dns addresses, what addresses<br>a trojan hooks, and that sort of thing.
All of these things can be<br>changed AT RUN TIME, by your better
trojans.<br><br>In other words, we have an industry focused highly on
"indicators of<br>compromise", whereas modern high-level attackers have
leapfrogged the<br>entire concept. The only true indicator of
compromise is "computer is<br>doing something I probably didn't want it
to do", and that's not<br>something you can codify in XML.<br><br>Something
to think about. :><br><br>-dave<br><br><br></div><div>_______________________________________________<br>Dailydave
mailing list<br><a class="moz-txt-link-abbreviated" href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br><a class="moz-txt-link-freetext" href="https://lists.immunityinc.com/mailman/listinfo/dailydave">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br></div></div>
</blockquote>
</body></html>