Dailydave mailing list archives
Re: Blinken Lights IDS
From: Andre Gironda <andreg () gmail com>
Date: Thu, 16 Mar 2017 11:14:32 -0700
On Thu, Mar 16, 2017 at 8:43 AM, dave aitel <dave () immunityinc com> wrote:
> Everyone I know lived through the "Blinken-Lights-IDS" phase.
> So your entire defense was situated on "Are the lights blinking when I'm not typing on my computer?" Ask yourself: How far from that have we come, really?
We can still use blinkenlights -- https://blog.cobaltstrike.com/2015/11/11/revolutionary-device-detects-mimikatz-use/
> Honestly, the line that strikes fear into the hearts and minds of all SOC engineers is "How do you measure your success?". I'm on the Security Metrics mailing list, which has been around basically forever, and what they will point out is that good metrics need good data, and we have about zero of that in almost all aspects of this game.
Maybe we know how to measure success -- https://www.blackhat.com/docs/eu-16/materials/eu-16-Hovor-Automating-Incident-Investigations-Sit-Back-And-Relax-Bots-Are-Taking-Over.pdf
> While attackers have real numbers, the defensive process is literally evolutionary: We try EVERYTHING and just see which companies fail due to data breaches and while we don't really learn any lessons directly, maybe the next generation of companies will be, in some way, similar to whatever mutation helped.
Maybe we know how to evolve the defensive process -- http://conf.splunk.com/files/2016/slides/detecting-the-adversary-post-compromise-with-threat-models-and-behavioral-analytics.pdf

dre
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave