Dailydave mailing list archives
Re: Defeating what's next
From: toby <toby00 () gmail com>
Date: Fri, 14 Jun 2013 16:14:43 -0700
Actually, I don't know what other people on the defense side think of when someone says "Indicators of Compromise" but I don't think about hashes or file names or registry keys at all. I think about anomalous login times, unusual traffic destinations/sources/volumes, unusual file accesses (to file servers, not file access time on a potentially compromised client), patterns of exploration or spreading changes in behavior that might indicate a system is under control by some other source.

I'm not looking for the indications that a system has been owned, I'm looking for indications that an attacker has compromised the environment and is now pursuing their goals. And I'm doing it with data that isn't stored locally on the compromised system because as Dave noted, that can all be changed in real time by any sort of serious attacker.

The things Dave described aren't "indicators of compromise", they are forensically relevant fragments that might be left on some systems as a result of being compromised that might be used to help fill out the details of how a compromise occurred _after_ it has been detected through some other means.

Toby

On Wed, Jun 12, 2013 at 7:10 AM, Dave Aitel <dave () immunityinc com> wrote:
> Hackers spend a lot of time looking at what's coming down the technology road at them. In a sense, this business is about learning how to stare down the barrel of a gun and not blinking for decades at a time. When you blink, you end up a CISSP. Richer financially, but poorer in 0days, the only currency that matters to someone with your particular addiction.
>
> Terminology can reveal a lot, as can business strategies. I spent some time on the phone yesterday with a high level executive in the incident response industry, and he poo-pooed Immunity's offensive skills, which made me focus on the industry for a while while watching Covert Affairs after the kids went to bed.
>
> First of all, here's what's next in the incident response world: "Indicators of Compromise". And when people say that, they right now mean MD5s, file names, registry addresses, dns addresses, what addresses a trojan hooks, and that sort of thing. All of these things can be changed AT RUN TIME, by your better trojans.
>
> In other words, we have an industry focused highly on "indicators of compromise", whereas modern high-level attackers have leapfrogged the entire concept. The only true indicator of compromise is "computer is doing something I probably didn't want it to do", and that's not something you can codify in XML.
>
> Something to think about. :>
>
> -dave
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunityinc com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
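Toby's message describes indicators that live in central logs (login times, traffic destinations and volumes, file-server access patterns) rather than artifacts on the possibly compromised host. The following is an added example, not code from this thread or from Immunity, sketching what such a detector looks like: it builds a per-user baseline from earlier events and scores later events for logins at unusual hours, new source addresses, never-before-seen destinations, transfer volumes far above the user's past maximum, and fan-out to several new hosts as a crude proxy for the "exploration or spreading" Toby mentions. The log format, usernames, hostnames, thresholds and function names are all assumptions; every log line is constructed.

```python
"""Behavioural indicators over central logs (added example, not from the thread).

Assumed log format, one event per line (constructed data):
    ISO-timestamp user src_ip dst_host bytes_out
"""
from collections import defaultdict
from datetime import datetime

# Constructed "known good" history used to build the per-user baseline.
BASELINE_LOG = """\
2013-06-10T09:12:03 alice 10.0.1.5 fileserver01 2048
2013-06-10T10:40:11 alice 10.0.1.5 fileserver01 4096
2013-06-10T14:05:30 alice 10.0.1.5 wiki 512
2013-06-11T09:30:00 alice 10.0.1.5 fileserver01 3000
2013-06-11T17:55:42 alice 10.0.1.5 fileserver01 1024
2013-06-10T08:50:00 bob 10.0.2.7 fileserver02 8192
2013-06-11T16:20:00 bob 10.0.2.7 fileserver02 7000
"""

# Constructed events to score: alice's 03:xx burst touches three new hosts.
NEW_LOG = """\
2013-06-14T09:15:00 alice 10.0.1.5 fileserver01 2500
2013-06-14T03:17:44 alice 10.0.1.5 fileserver01 2000
2013-06-14T03:19:02 alice 10.0.1.5 fileserver02 900000
2013-06-14T03:21:10 alice 10.0.1.5 hr-share 1200
2013-06-14T03:22:40 alice 10.0.1.5 backup01 800
2013-06-14T09:00:00 bob 10.0.2.7 fileserver02 7500
"""

VOLUME_FACTOR = 5      # bytes_out above this multiple of the user's past max
FANOUT_THRESHOLD = 3   # distinct never-seen hosts per user in the scored window


def parse_log(text):
    """Turn log lines into event dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, src, dst, nbytes = parts
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "user": user, "src": src, "dst": dst, "bytes": int(nbytes),
        })
    return events


def build_baseline(events):
    """Per-user profile: hours seen, hosts seen, source IPs seen, max bytes."""
    profile = defaultdict(lambda: {"hours": set(), "hosts": set(),
                                   "srcs": set(), "max_bytes": 0})
    for e in events:
        p = profile[e["user"]]
        p["hours"].add(e["time"].hour)
        p["hosts"].add(e["dst"])
        p["srcs"].add(e["src"])
        p["max_bytes"] = max(p["max_bytes"], e["bytes"])
    return profile


def score_event(event, profile):
    """List the ways an event deviates from its user's baseline (empty = normal)."""
    p = profile.get(event["user"])
    if p is None:
        return ["user has no baseline"]
    reasons = []
    hour = event["time"].hour
    # one hour of slack either side of any hour seen in the baseline
    if not any(abs(hour - h) <= 1 for h in p["hours"]):
        reasons.append("login outside usual hours")
    if event["src"] not in p["srcs"]:
        reasons.append("new source address")
    if event["dst"] not in p["hosts"]:
        reasons.append("never-before-seen destination")
    if p["max_bytes"] and event["bytes"] > VOLUME_FACTOR * p["max_bytes"]:
        reasons.append("volume far above historical maximum")
    return reasons


def detect(baseline_text, new_text):
    """Return (per-event alerts, per-user fan-out alerts) for the new events."""
    profile = build_baseline(parse_log(baseline_text))
    alerts = []
    new_hosts = defaultdict(set)
    for e in parse_log(new_text):
        reasons = score_event(e, profile)
        if reasons:
            alerts.append((e["time"].isoformat(), e["user"], e["dst"], reasons))
        if e["user"] in profile and e["dst"] not in profile[e["user"]]["hosts"]:
            new_hosts[e["user"]].add(e["dst"])
    fanout = {u: sorted(h) for u, h in new_hosts.items() if len(h) >= FANOUT_THRESHOLD}
    return alerts, fanout


if __name__ == "__main__":
    alerts, fanout = detect(BASELINE_LOG, NEW_LOG)
    for a in alerts:
        print(*a)
    for user, hosts in fanout.items():
        print(f"{user}: spread to {len(hosts)} new hosts: {hosts}")
```

None of the signals above depend on anything stored on the endpoint, which is the point Toby makes: a trojan that rewrites its own hash or file name on the fly still has to log in at 03:17, pull 900 KB off a server the user has never touched, and walk to three more hosts, and those facts land in logs it does not control. The thresholds are deliberately simple; in practice the baseline would be built per user per weekday over weeks of history, and fan-out would be measured over a sliding window rather than the whole scored batch.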