Hey all,
with all the IOC-bashing, I think I need to supply some compelling
arguments in favour of them:
- We know how to look for them. If I lose my wallet in some dark alley
where I am near-blind, it is clearly more reasonable to go to a
different street with better streetlights to look for it. Everything
else would require me getting better technology, and nobody has time for
that.
- They make for a great business model. Empires were built on AV
signatures, but it was considered bad form to charge more for signatures
of particularly nasty malware. Re-branded as IOCs, I can finance
decent-sized teams to analyze malware, and then sell individual IOCs for
good money. IOCs are not -yet- better than AV signatures (if measured by
aggregate stock value of companies involved), but that might change with
a few IPOs.
- They are community-bond-forming. A good IOC for an important group of
attackers can be shared between a trusted group of people, so if I get
owned and notice it, I at least have the consolation that I can build a
cool IOC from it, and feel important in my peer group. I can trade,
barter, and generally form a much more tightly-knit community. It's
literally the success of "Magic - The Gathering" brought back to the IT
security world.
- They're good for people's confidence. Holding a secret IOC is the
defensive version of holding a non-public exploit. You can feel
powerful, and for your particular adversary, it may or may not work, or
it may be patched any day. Perhaps it's methadone - not quite the real
thing, but keeps the really heavy craving away.
On a more serious note: Dave, no offense, but you sound like me during
every stock bubble. "But ... but .... this is a bubble, it will burst !"
- that is true, but in the meantime, fortunes are made, and the person
with a macro view stays poor. :-P
Cheers,
Halvar
PS: I actually think that IOCs can be quite useful - if they are built
to generalize well and if you manage to keep them away from the
attackers. That, though, can be the hard part.
PPS: Perhaps a discussion about "technology X being bad" is like
chess players debating why pawns suck. In the end, everybody would like
to have 8 queens, but you'll have to play with what you have.
_______________________________________________ Dailydave mailing list [email protected] https://lists.immunityinc.com/mailman/listinfo/dailydave
