Indicators of Compromise
or, more appropriately, those that are Open Indicators of Compromise. We have had many proprietary solutions that used 'signature based' indicators for quite a long time. Some of them you never could run in an open or customizable fashion, like A/V. Can't have their secret sauce all over the proverbial industry. Others that you could run in an open fashion on an infrastructure, like Snort, were used because they are available. Give the unwashed masses something, right?

This whole open IOC thing is an interesting uncovering of that kimono, and the emperor... still not naked. What really has happened is that opportunity finally met demand in this particular area. We had a sector of educated individuals that were tired of sheepishly running proprietary black-box software to attempt to find evidence of intrusions, improper system behavior, whatever. There were enough reversers now that had data which could be fed... nowhere. Really? To what, a SIEM? A vulnerability scanner? Hey, scan memory for this. Nope. The masses wanted to get debug-level access to their OS so that they could mine the filesystem, memory spaces, and the network in a targeted manner. At scale. In the Amazon, or Joyent Cloud, or whatever. Sorry, a little bit of hipster came out of that. It's almost as if the defense-type individuals wanted to bring themselves to the mid 2000s without all the fancy automation and DevOps and stuff.

Now, is it fitting to use an XML object to hunt for things? Only as fitting as it would be to use a relational database to mine for relationships. But these of course are ships in the night. At the end of the day we can only arrive at a half circle. We feed these standalone, siloed tools, which run with 'open source databases' that no one updates or feeds, indications that something may be amiss in the hopes of finding something, anything. While we struggle and spend our time looking at artifacts on systems, we are silently and quietly being pillaged. The raping happened earlier, see above. How do we arrive at the conclusion that something was amiss to begin with? Was it the unusual upload of data, 'exfil', which is just amateur hour? Even if we did arrive at the conclusion that something was wrong, by the time you noticed, it was far too late to stop them from stealing that uber-highly classified Microsoft Slideware.

At a minimum I fancy these Open IOCs, you know, because they are open and sharing is caring in this case. The challenge is no one really is sharing this intelligence in a free and open way. It's awesome that we have a nice Object Model and framework, but only those that can afford the database will gain the most from it at the moment. Most of those that have internal IOCs probably aren't allowed to share them anyway, because they can't. Maybe one day someone will build a WikiLeaks for IOCs so that those without the means can have a database to run on their internal systems. Until then.... Here are my Indicators of Compromise:

Logical: those of the OS and network, the processes, threads, handles, DLLs, open files, hashes, artifacts, and mutexes of tools and components that are unusual. On the network, statistics help, but things can lie. We know that all of this can be changed, modified, and codified to be different, so we decide to score this information maybe lower or higher than other pieces of data.

Physical: the newspaper articles, SEC filings, and increased chatter amongst people. Those that need to be rationalized, normalized, and scored. I am sure that patterns exist between these worlds, but no one has yet created the right experiments to maybe find them.

Social: the leaks, the talk, the data around who is who and what is what. This may just be a big data conversation; there is no object model for this one yet, not an open one.

I do have one confession to admit, however: somewhere in the haze between high school, fast cars, the 90s, flannel, and the ability to resist high school habits as an adult, I must have blinked. I am recovering now, but I'll never be cured, just one day at a time I suppose.

@mosesrenegade
_______________________________________________ Dailydave mailing list [email protected] https://lists.immunityinc.com/mailman/listinfo/dailydave

