Dailydave mailing list archives
Re: Late Friday thoughts on the Kevin Mandia RSAC keynote.
From: Moses Hernandez <moses () moses io>
Date: Sun, 23 Mar 2014 11:24:03 -0400
Dave,

Quick Q: You referring to this particular statement (I paused it):

Highlights - Technical - In over 97% of the 2,672 separate APT1 intrusions Mandiant observed (into 141 companies), APT1 used IP addresses registered in Shanghai.

So that statement tells me that those are just the APT1 intrusions, not all of the Mandiant referenced intrusions. APT1 itself is said to use IP addresses registered in Shanghai. Is that by itself clever misdirection? Maybe. Are there other ‘APT’ style groups that go undetected from various nations? I remember a talk (maybe from Nico Waisman) about badly written exploits leading to discovery of intrusions. If that theory is to be held true, then does that account for exploit quality in looking at developed vs emerging markets?

As for NextGen firewalls themselves, full disclosure: I work for Cisco, who makes NGFW products, and I find that many of my customers are implementing them because they have neither the political willpower nor the technical ability to implement sufficient egress filtering. You could get 90% of the functionality with a Web Proxy that has application ID built in. Although you can add a bit more context to IPS with OpenAppID, which Sourcefire has now open sourced here: http://blog.snort.org/2014/03/firing-up-openappid.html . But you're right, AppID or not, people and organizations will be the ones that ultimately drive a ‘better’ answer to the issue.

This year I’ll be giving more ‘community’ focused talks on Security and this conceptual ideal of 'DevOps'. In those talks, I hope to espouse some better thought practices, attack and defend wise (AttackOps and DefendOps?). Maybe the attackers and the defenders don’t have asymmetric warfare, but the way we culturally have built our companies' infrastructures from a people point of view has done that.

As for ‘is monitoring expensive’: I think today telemetry in most networks doesn’t exist, and the tools that do exist are markedly expensive.
Over time those trends will move downward. I look at Flume + Hadoop (or any distributed key/value database like Riak …), Loggly, and other ‘data’ tools that the startup community has started to bring forward to get a better grasp over web application analytics; we should look at and embrace those. Maybe it's just like I put in a slide: Go to school - pick up some new skillZ.

Till then,
-M
@mosesrenegade

On Mar 21, 2014, at 5:13 PM, Dave Aitel <dave () immunityinc com> wrote:
http://www.rsaconference.com/videos/128/state-of-the-hack-one-year-after-the-apt1-report

If 97% of the breaches you find are directly attributable to Chinese hackers (aka, due to keyboard language settings, C2 IP, etc.) then how much are you missing?! Boggles the mind. You're telling me you don't see Russians, French, Americans, Israelis, etc. anywhere in the world? Something seems wrong with that number.

A lot of what people do is look for "Indications of Compromise" that are essentially C2 domains. But realistically you don't need a lot of C2 for an implant. And a nation-state that can "Be any IP in the world", or in fact has any decent SIGINT, can easily find ways to not need domains, to be any domain, or to be every domain. This includes China, for what it's worth.

I see a lot of ads (f.e. from Sourcefire) for Next Gen firewalls. But current gen implants are already able to take on next gen firewalls just fine.

Talk also includes silliness such as the "asymmetric" argument ("Attackers only need to get in once, defenders have to defend everything...") and some sort of weird idea that offensive tools are less well QA'd than defensive tools. (Which is absolutely not true.)

Look, deep down, monitoring is expensive. And if you're trying to scale it up on the cheap, you end up inventing the anti-virus, which we already know is not a bad idea. This is the problem people are trying to solve, and it's still pretty unsolved, imho.

-dave
_______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave