<div dir="ltr">Foremost, I love your observation that: "[threat intel products] offers malware analysis, even though the massively expensive undertaking helps nobody but the threat intelligence company, as it resells that information to other customers. I find that who system/approach to be unethical and my best to keep my employer out of those systems. However, threat intel can be useful to enterprises in a variety of mechanisms. First, it provides specific indicators that can be blocked or thwarted. For any specific enterprise, that's one less thing. One can argue there's always another vector, which is true but that's an implicit argument with any open ended problem. However,it leads to a second observation that if trusted communities can share threat intel (or even if untrusted communities can share fast enough) it significantly drives up cost for the attacker. Again the attacker can change, but it gets expensive/troublesome to do so rapidly. If you talk to many threat intel guys they dig into the known actors because they reuse so many resources, techniques, code etc. Causing them to change more rapidly might make efforts unprofitable (when profit is the goal) or too expensive. Because I see this utility, my struggle is how to obtain and share the labor intensive work given that companies want to make money and without the shady business of semi-sharing and reselling. <div><br></div><div>I'm unsure about your assertion "Instead, they've been taught to look at a compromised computer to see what processes they can remove to make it clean again". Only speaking from my experience, at the enterprise level, no one wants to clean compromised computers. It's far too much work and it's not my computer. We do our best to enforce wiping the systems. When we do forensics, we do so to determine if any regulated data was on the system and if it was, did it leave our network. If so, that's a reportable breach and something no one wants to do. In those cases malware analysis and any threat intelligence is extremely useful. Understanding how the system was compromised, what the malware does, and the expected/trend behavior of the actors helps understand what happened and (assuming it's true) assert that regulated/controlled data was not breached. </div><div><br></div><div>There are likely better ways, but above is the best that some smart coworkers and I can actually accomplish to keep our employer out of the Post.</div><div><br></div><div><br><div><br></div><div><br><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Oct 15, 2014 at 11:59 AM, Dave Aitel <span dir="ltr"><<a href="mailto:dave@immunityinc.com" target="_blank">dave@immunityinc.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><a href="http://www.fierceitsecurity.com/story/threat-intelligence-problem/2014-10-13" target="_blank">http://www.fierceitsecurity.com/story/threat-intelligence-problem/2014-10-13</a><br>
<br>
In this article I go over "Threat Intelligence". And I'm a little hard<br>
on it because I think it has to make a choice, and soon. In one hand, is<br>
a pill that takes it down the road to AV-like financial success, but<br>
strategic failure. And in the other hand, the current models are only<br>
stepping stones towards offerings that provide true strategic<br>
situational awareness to their clients, so their clients can build<br>
customized incident response programs that really work.<br>
<br>
Honestly, I think because of the way VC-funded firms work, we may end up<br>
taking the blue pill, which is unfortunately for companies, but good for<br>
those of us doing offense.<br>
<span class="HOEnZb"><font color="#888888"><br>
-dave<br>
<br>
<br>
</font></span><br>_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br>Matthew Wollenweber<br><a href="mailto:mjw@cyberwart.com" target="_blank">m</a><a href="mailto:wollenweber@gmail.com" target="_blank">wollenweber@gmail.com</a><br><br>
</div></div>