<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div></div><div>So are you aware of a criminal actor that uses Immunity's Innuendo in their attacks? If not, then which adversary are you simulating?</div><div><br></div><div>The point to my obvious straw man is that if you really want to help your clients up their game in detecting and responding to real threats, shouldn't you study the actors that target their industry verticals and emulate their operations using the same tools and tactics they are known to choose? </div><div><br></div><div><br></div><div><br>On Nov 29, 2016, at 9:26 AM, dave aitel <<a href="mailto:dave@immunityinc.com">dave@immunityinc.com</a>> wrote:<br><br></div><blockquote type="cite"><div>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<p>So obviously everything a penetration testing company does is at
some level "Adversary Simulation". I like to call it "Focused
Training" - because penetration testing is more about education
than anything else, but the WAY you do to that is by emulating and
instrumenting some sort of adversarial process.</p>
<p>Ok, that said, we have for the past year offered a special
service called <i><a href="https://www.immunityinc.com/services/adversary-simulation.html">Adversary
Simulation</a></i> by which we meant something quite specific.
We go to some big financial company, usually super under-dressed
for the cold because we live in Miami, and we install INNUENDO on
a couple machines. Then we exfiltrate a few terabytes of data over
whatever protocols are working and we work with the company to do
a hardcore analysis of their detection systems for that sort of
thing.</p>
<p>That sounds simple. But in practice, every company at that size
range has multiple products trying to detect you, and they provide
overlapping coverage. Sometimes the Alerts are useful, and
sometimes not. For example, when you're doing DNS exfiltration,
FireEye will alert on the weirdness of the DNS packets. But it has
no idea who the infected endpoint is, because those DNS packets
came from intermediary DNS servers! :)</p>
<p>With web-based analysis systems I worry more about false
positives, and of course, false negatives. Detecting beacons from
malware but not from, say, DropBox is a hard problem. In theory,
products like StealthWatch work, but in practice, that depends on
the team.<br>
</p>
<p>Likewise, there are gaps in the market itself: Who is looking at
all outbound e-mail to find data exfiltration channels? And on the
host, when faced with a new product, all the protection systems
we've seen have not detected INNUENDO. Some of them detect
injection, but you don't really need to do that. What if there is
too much chaos on a big company's desktop for reputation-based
protection systems to work? <br>
</p>
<p>-dave</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Dailydave mailing list</span><br><span><a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a></span><br><span><a href="https://lists.immunityinc.com/mailman/listinfo/dailydave">https://lists.immunityinc.com/mailman/listinfo/dailydave</a></span><br></div></blockquote></body></html>