<div dir="ltr">I explicitly challenged this notion ("the defender's dilemma") in research I presented a few years back (<a href="http://www.trailofbits.com/research/#eip">http://www.trailofbits.com/research/#eip</a>). Attackers have limited resources and can't afford to invest equally in every potential opportunity for exploitation, persistence, C2, etc. You start to make tradeoffs about which ones work in the most situations or satisfy other requirements you have. It's as applicable to "APT" as it is to mass malware.<div>
<br></div><div>It's exactly this line of thinking that led us to build Javelin (<a href="http://javelinsecurity.com">javelinsecurity.com</a>), which helps you measure and understand the efficacy of common attacker strategies against your network. Our goal is to force an attacker's dilemma, make *them* make the difficult decisions and the expensive investments in new tools, training and systems.</div>
<div><br></div><div>Several other papers on the same topic from MSR/WEIS:</div><div><a href="http://weis2010.econinfosec.org/papers/session5/weis2010_herley.pdf">http://weis2010.econinfosec.org/papers/session5/weis2010_herley.pdf</a><br>
</div><div><a href="http://weis2011.econinfosec.org//papers/Where%20Do%20All%20the%20Attacks%20Go.pdf">http://weis2011.econinfosec.org//papers/Where%20Do%20All%20the%20Attacks%20Go.pdf</a><br></div><div><br></div><div><br>
</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Mar 3, 2014 at 12:03 PM, Dave Aitel <span dir="ltr"><<a href="mailto:dave@immunityinc.com" target="_blank">dave@immunityinc.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">One rather facetious saying that has annoyed everyone for a while is the<br>
whole "defenders have to protect everything, attackers just have to get<br>
in once" meme. If you talk to defenders who are "leading" with new<br>
technologies and techniques, the difference really does blur quite a<br>
bit. I was happily surprised at the Tenable offsite to hear their big<br>
customers describe their continuous monitoring and SIEM analytics<br>
techniques as their network "Command and Control". It's a useful change<br>
to a more sophisticated mindset. You don't hear people really<br>
acknowledging an advanced persistent defense that often. :><br>
<br>
Of course, building proper C2C while under attack is itself very hard.<br>
People very quickly fall into the "Big Data" trap - we try to caution<br>
Justin from collecting more than he has to with El Jefe. We don't want<br>
"Big Data" analysis. We want "Just enough data" analysis!<br>
<span class="HOEnZb"><font color="#888888"><br>
-dave<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</font></span><br>_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
<br></blockquote></div><br></div>