Dailydave mailing list archives
Re: APT
From: "J. Oquendo" <joquendo () e-fensive net>
Date: Tue, 11 Mar 2014 11:09:21 -0500
On Tue, 11 Mar 2014, Dave Aitel wrote:
> So the thing about being advanced enough is that you don't really have to be persistent in any normal sense of the word. Nobody has pointed out how the first stage of the NSA shellcode (as leaked by "backgrounded by the Constitution and definitely not at all a narcissist" Snowden) just avoids executing anything on systems protected by HIPS. Imagine if you were so good at your job you could ignore targets you already had execution on if you felt even a /little bit/ queasy about their defense. Look, Richard Bejtlich thinks I don't know anything about "Strategy"
"I never read any treatises on strategy... When we fight, we do not take any books with us." - Mao Tse-Tung

Working in an MSP/MSSP I *have* deployed defenses; working in the malware analysis arena, I *know* about encryption tactics used by bad actors; performing network analysis functions for over 14 years (http://seclists.org/incidents/2000/Aug/278), I think I can qualify myself to chip in my .02. I will counter-argue some of Mr. Bejtlich's points.

1) Providing visibility. This all depends on the environment; sometimes an architect CANNOT decrypt traffic without red tape (regulatory controls, HIPAA, SOX, whatever). While we'd LIKE to decrypt, we also have to put privacy at the forefront, depending on where the guidance is coming from, especially when CPOs (Chief Privacy Officers) gripe and moan about privacy. While on the network and security side we'd ALWAYS love to see what is occurring, the reality is, every network differs, PERIOD.

2) "Technology to defeat/decrypt obfuscation" is a moot point. If things were so grand, we wouldn't have instances of "advanced persistent" anything on a network for days, weeks - wait, oh look here... YEARS - on end. All we have is what is visible. There are NOT enough resources in ANY company to weed out the anomalies, "sic" a malware analyst on them, and create IOCs in real time. Not even close to "near real time", so we oft rely on the security vendors and researchers to tell us: "something is off with these connections, these applications, etc." But against REALLY good threats? This is not happening. You *WON'T* see them in your honeypots, NSMs, IDSs, IPSs, ITSs (because who doesn't love Intrusion TOLERANCE Systems). Obfuscation by way of "hiding in plain sight" goes a long way on the offensive side, which is how, and why, groups like the "Comment Crew" likely pervaded orgs for so long.

3) Archiving and analyzing network traffic is looking for a needle in a haystack. You're playing the signature game again. You're either ignoring the known knowns or weeding out anomalies. You can do it modularly (deploy NSM to, say, a segment, to make it easier), but it's infeasible to pretend for a minute that you'd be able to pick a needle out of a haystack and isolate someone INTENT and ADVANCED. So you go out on an NSM spree, deploy hundreds, heck even thousands of instances. Isolate the knowns, ignore them, and look for the discrepancies. Guess what? What are you going to do in, say, the case of Target, where you MAY have ignored a "known" (third party vendor)? What are you going to do in the following scenario:

Company --> data --> internet --> eBay

In this scenario, from your company, someone is visiting the LEGITIMATE eBay site. However, an attacker decided to shove spliced bits of data in with those connections, because somewhere along the line he/she is sniffing the connection to compile the spliced data. Think your NSM skills are going to be able to piece that together? I can assure you they won't.

Program Goals and "Strategies" from my perspective can be combined, since they rampantly change no matter HOW you want to cut it. CISOs depend too much on book-level nonsense and often ignore those in the trenches: those who see the attacks, those who PERFORM the attacks. This is the reason why so many companies get themselves "owned." You can strategize all you want, and I go back to: "Strategies too often fail because more is expected of them than they can deliver" http://www.economist.com/news/books-and-arts/21588834-strategies-too-often-fail-because-more-expected-them-they-can-deliver-why

Maybe I missed something on the "Drinking the Cool Aid" thread, with "strategies" or even tools and tactics. I read it to be some form of a starting point for counter and defense. On Bejtlich's writings, it goes off into a "this is what worked for me... how I strategized", which *may* have worked for him, but should not be an umbrella for defensive anything.

I'd run circles around the entire concept of what he perceives as defense. IN PLAIN sight.

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of real peace" - Dalai Lama

42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
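Point 3 above describes the NSM triage loop (isolate the knowns, ignore them, look for discrepancies) and the scenario where it fails: data riding along inside connections to a legitimate destination such as eBay. The script below is an added illustration, not code from the thread or from any NSM product. It runs a destination baseline over a handful of constructed flow records, shows which record that step surfaces and which it does not, and then applies a second, defender-side heuristic (large, upload-dominated flows to an otherwise known destination) that is my addition, not something the post proposes. The hostnames, addresses, byte counts and the "known destination" list are all constructed; the field names are hypothetical rather than tied to a specific tool.

```python
"""Baseline-then-discrepancy triage over constructed flow records.

Added example for the Dailydave "APT" thread; not the post's own code.
All flows and the KNOWN_DESTINATIONS baseline are constructed data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str         # internal client
    dst: str         # destination host (hypothetical names)
    dport: int
    bytes_out: int   # client -> server
    bytes_in: int    # server -> client


# Constructed sample: ordinary download-heavy browsing, plus one
# upload-heavy session to a known site and one never-seen destination.
FLOWS = [
    Flow("10.0.0.5", "ebay.example", 443, 1_200, 85_000),
    Flow("10.0.0.5", "ebay.example", 443, 900, 60_000),
    Flow("10.0.0.7", "ebay.example", 443, 1_100, 70_000),
    Flow("10.0.0.9", "cdn.example", 443, 400, 500_000),
    Flow("10.0.0.5", "ebay.example", 443, 40_000_000, 10_000),  # upload-heavy
    Flow("10.0.0.8", "203.0.113.77", 8443, 50_000, 200),        # never seen
]

# Assumed baseline of destinations the analyst has already vetted.
KNOWN_DESTINATIONS = {"ebay.example", "cdn.example"}


def unknown_destinations(flows, known):
    """Step one from the post: drop traffic to known destinations and
    return whatever is left. The eBay session is invisible here because
    its destination is legitimate."""
    return [f for f in flows if f.dst not in known]


def upload_outliers(flows, min_bytes_out=1_000_000, min_ratio=10.0):
    """Second-order check on *known* destinations (my addition): flag a
    flow whose outbound volume is large and dwarfs what came back.
    Browsing is download-heavy, so a sustained upload to a shopping site
    stands out even though the destination itself is on the baseline.
    Thresholds are illustrative and would be tuned per environment."""
    return [
        f for f in flows
        if f.bytes_out >= min_bytes_out
        and f.bytes_in > 0
        and f.bytes_out / f.bytes_in >= min_ratio
    ]


def per_host_outbound(flows):
    """Total bytes sent per internal host, the view an analyst would
    pivot to once a single flow has been flagged."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.src] += f.bytes_out
    return dict(totals)


if __name__ == "__main__":
    for f in unknown_destinations(FLOWS, KNOWN_DESTINATIONS):
        print("unknown destination:", f)
    for f in upload_outliers(FLOWS):
        print("upload outlier to known destination:", f)
    print("outbound bytes per host:", per_host_outbound(FLOWS))
```

The destination baseline catches the never-seen 203.0.113.77 and nothing else; only the byte-ratio check surfaces the 40 MB push to the legitimate site, which is the shape of the problem the post describes. Neither check sees inside the encrypted payload, so the ratio heuristic is a lead for an analyst to pivot on, not a verdict.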