Re: "Defending Forward" in time

[John Lampe <jlampe () tenable com>]

imo, it's a general mentality that attackers have. I blogged about this 14
years ago and it seems still applicable today (
https://blogs.securiteam.com/index.php/archives/170 )

Indecision can stem from too little information or too much information.
The defender *should* have the ability to influence both of those...

John

On Fri, Jan 24, 2020 at 10:28 AM Dave Aitel <dave.aitel () gmail com> wrote:

> So I went to S4 this week, which is a good conference here in Miami Beach,
> mostly about hacking/protecting utilities and other critical infrastructure
> components. But I had the good fortune to run into a friend
> <https://www.gocomics.com/calvinandhobbes/2018/01/16> I'd never met
> before. Anyways, they were telling me about how some Android State
> surveillance spyware installed at the border on everyone's phone looked for
> some file hashes and then sent in some data via what was essentially a
> public web API.
>
> There's a lot of stuff that works like this, EDR systems, SIEMs of various
> types, etc. And one of the classic attack patterns is that usually these
> systems don't have client-certificates signing the data the client sends.
> So you can send fake data as a large number of real and not-real hosts. . .
> corrupting the database or simply filling it up and making it a lot less
> useful because every query takes about ten minutes, especially if you
> know how the indexer
> <http://www.phpinternalsbook.com/php5/hashtables/hash_algorithm.html>
> works.
>
> In other words, for some reason, one malicious host is weirdly not usually
> a threat model that most defensive systems have considered.
>
> -dave
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunityinc com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave