<div dir="ltr">There is a way through the sticky issues you bring up. El Jefe is a right approach, but only part of it. There are certain inalienable observables, such as processes and their attributes, that an attacker can influence but not completely avoid. If you pick correlating observables from different observation points that don't have correlated failure from an attack, then you are selecting good data sources for your analytics. Having talked to a number of smart companies, I can say that most people have barked up the wrong tree with regard to applying statistical techniques and other algorithmic approaches, even when they are collecting good data. Simply, they are approaching the problem like it is fraud rather than intrusion. They are not the same at all. However, with good data even simple relational analysis tends to find lots of bad intrusion activity.<div>
<br></div><div>Another thing to note is that detecting exploitation is somewhat different than detecting persistence. Again, I see confusion around this aspect of the problem a lot.<br><div><br></div><div>Very few people have really thought about what it would take to implement real-time response in a meaningful way. You are right Dave, just killing the process or quarantining a host without being able to reason about the impact to the kill-chain and business is just firing blindly. You want the response to actually hinder the attacker (remediate active risk) and minimize business impact. Without understanding the context, trying to do it automatically is stupid. Let a person reason about it first, unless you actually have a solution to the context analysis problem. I do believe there are solutions, but I have yet to see any academic or practical work really focused on the subject.</div>
</div><div><br></div><div>Dom</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Apr 16, 2014 at 10:11 AM, Dave Aitel <span dir="ltr"><<a href="mailto:dave@immunityinc.com" target="_blank">dave@immunityinc.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Links you should hit first:<br>
<a href="http://immunityproducts.blogspot.com/2014/04/revamping-el-jefe.html" target="_blank">http://immunityproducts.blogspot.com/2014/04/revamping-el-jefe.html</a><br>
<a href="http://www.rsaconference.com/videos/122/stop-looking-for-the-silver-bullet-start-thinking" target="_blank">http://www.rsaconference.com/videos/122/stop-looking-for-the-silver-bullet-start-thinking</a><br>
<br>
One thing I noticed from watching all of the RSA keynotes is that they<br>
all said the exact same things, often in the same words. For example, in<br>
the HP keynote (above) you'll see the threads of "We're getting<br>
outmatched" with we need to move to "real-time + big data<br>
understanding". This is the exact same speech that Philippe Courtot<br>
gave, that Stephen Trilling gave, that Kevin Mandia gave, that the Cisco<br>
team gave. They were all the same. Which is interesting in and of<br>
itself. All the big companies are moving in the same direction, or at<br>
least want to.<br>
<br>
But here is where they will potentially fail, in my opinion. First of<br>
all, real time response is incredibly hard, since nobody is sure what<br>
response means beyond "kill that process". If you take a machine<br>
offline, you might interrupt a critical business function in a way that<br>
is not predictable. Likewise, the big data you rely on is going to be<br>
fed to you by your attackers once they penetrate a box.<br>
<br>
And deep down, without an offensive team, you don't know what you're<br>
really looking for in the first place. For example, attackers are<br>
quickly going to move to "C2C-less trojans" and "faster real time<br>
attack". There's a great talk at INFILTRATE this year on how trojans are<br>
going to use DRM techniques to frustrate automated analysis (INNUENDO is<br>
the only commercial penetration testing tool I know that does this at<br>
the moment, but soon it will be everywhere).<br>
<br>
Immunity's efforts in the automated malicious activity detection area<br>
can be seen in the El Jefe blog post above - El Jefe is free, but more<br>
importantly you can start to see the benefits of using process-chain<br>
analysis as we develop the product. The next release will tie in some<br>
statistical analysis to provide adaptive anomaly detection (malicious<br>
activity does not always mean malware - it can also mean someone just<br>
sitting at your desk typing weird commands!). The Cuckoo integration in<br>
the current release is pretty smooth as well, and we're hoping to have<br>
this available to the public sometime next week!<br>
<br>
Thanks,<br>
Dave Aitel<br>
Immunity, Inc.<br>
<br>
<br>
<br>
<br>
<br>_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
<br></blockquote></div><br></div>