Dailydave mailing list archives

El Jefe secondary thoughts


From: Dave Aitel <dave () immunityinc com>
Date: Tue, 24 Jun 2014 10:38:40 -0400

Nico disagrees with me and thinks the best feature in the new El Jefe is
the ability to create a farm of VMs which you can then apply against
malware for analysis. So for example, you might have a "developer" VM
and an "executive" VM, and they might be different operating systems,
configurations, and all sorts of other setups. Perhaps one of them has a
more modern AV or HIPS on it even. Then you can quickly and easily
select a piece of suspected malware to run on one of them that you think
is most appropriate and then just as easily get your report.

Honestly, I think as an attacker sometimes the best malware is NO
MALWARE AT ALL. A lot of what I'm looking for in El Jefe is people
running psexec, or cmd.exe at weird times. There's a concept missing
from OpenIOC that is more related to the process of intrusion as opposed
to "which malware was run". It's something quite hard to model and test
- we use CANVAS and INNUENDO and a few other tools for this obviously to
generate database sections that correspond to actual attacks
(client-sides, for example). A lot of this is purely "in memory" and has
a very short time-span, but is still detectable, even automatically,
with tools like El Jefe.

-dave
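One way to turn the "process of intrusion" heuristics from the post (psexec, cmd.exe at odd hours, short-lived in-memory activity) into detection rules over process-creation telemetry. This is an added example, not El Jefe's code and not part of the original post; the event records, the working-hours window, the tool lists and the lifetime threshold are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample of process-creation events (not real telemetry):
# (timestamp, host, user, image name, parent image, process lifetime in seconds)
EVENTS = [
    ("2014-06-23 09:12:04", "ws-dev01", "alice", "cmd.exe", "explorer.exe", 1800),
    ("2014-06-23 02:41:10", "ws-exec02", "bob", "cmd.exe", "winword.exe", 2),
    ("2014-06-23 14:05:33", "ws-dev01", "alice", "psexec.exe", "cmd.exe", 5),
    ("2014-06-23 11:20:00", "ws-exec02", "bob", "winword.exe", "explorer.exe", 3600),
]

# Assumed policy values; tune them to the environment being monitored.
WORK_HOURS = range(8, 19)          # interactive shells expected 08:00-18:59 only
SHORT_LIVED_SECONDS = 10           # a shell that exits in under 10 s looks scripted
REMOTE_ADMIN_TOOLS = {"psexec.exe", "psexesvc.exe"}      # lateral-movement tooling
SHELLS = {"cmd.exe", "powershell.exe"}
DOC_HANDLERS = {"winword.exe", "excel.exe", "acrord32.exe", "iexplore.exe"}


def classify(event):
    """Return the list of rule names the event trips (empty list if benign)."""
    ts_text, host, user, image, parent, lifetime = event
    ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
    image, parent = image.lower(), parent.lower()
    hits = []
    if image in REMOTE_ADMIN_TOOLS:
        hits.append("remote-admin-tool")
    if image in SHELLS and ts.hour not in WORK_HOURS:
        hits.append("shell-off-hours")
    if image in SHELLS and parent in DOC_HANDLERS:
        hits.append("shell-from-client-side")   # document/browser spawned a shell
    if image in SHELLS and lifetime < SHORT_LIVED_SECONDS:
        hits.append("short-lived-shell")         # brief in-memory activity
    return hits


def triage(events):
    """Return [(host, user, image, hits)] for every event that trips a rule."""
    findings = []
    for ev in events:
        hits = classify(ev)
        if hits:
            findings.append((ev[1], ev[2], ev[3].lower(), hits))
    return findings


if __name__ == "__main__":
    for host, user, image, hits in triage(EVENTS):
        print(f"{host} {user} {image} -> {', '.join(hits)}")
```

None of these rules needs a malware sample or a file hash; they key only on who ran what, when, from which parent, and for how long.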



_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
