Dailydave mailing list archives

Re: A summary of all the RSA Keynotes and the future we have to beat.


From: Dominique Brezinski <dominique.brezinski () gmail com>
Date: Thu, 17 Apr 2014 08:40:52 -0700

There is a way through the sticky issues you bring up. El Jefe is a right
approach, but only part of it. There are certain inalienable observables,
such as processes and their attributes, that an attacker can influence but
not completely avoid. If you pick correlating observables from different
observation points that don't have correlated failure from an attack, then
you are selecting good data sources for your analytics. Having talked to a
number of smart companies, I can say that most people have barked up the
wrong tree with regard to applying statistical techniques and other
algorithmic approaches, even when they are collecting good data. Simply,
they are approaching the problem like it is fraud rather than intrusion.
They are not the same at all. However, with good data even simple
relational analysis tends to find lots of bad intrusion activity.

Another thing to note is that detecting exploitation is somewhat different
than detecting persistence. Again, I see confusion around this aspect of
the problem a lot.

Very few people have really thought about what it would take to implement
real-time response in a meaningful way. You are right Dave, just killing
the process or quarantining a host without being able to reason about the
impact to the kill-chain and business is just firing blindly. You want the
response to actually hinder the attacker (remediate active risk) and
minimize business impact. Without understanding the context, trying to do
it automatically is stupid. Let a person reason about it first, unless you
actually have a solution to the context analysis problem. I do believe
there are solutions, but I have yet to see any academic or practical work
really focused on the subject.

Dom
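An added example (not code from Dom, Dave, or the El Jefe project) of the relational cross-check described above: it relates constructed events from two assumed observation points, a host agent that records process creation and a network sensor that attributes outbound connections to a host/pid, and reports where the two disagree or where the process chain behind a connection is one a defender would want a human to look at.

```python
# Constructed sample events from two independent observation points.
# Neither source is trusted on its own; the findings come from relating them.
PROC_EVENTS = [  # observation point 1: host agent, process creation
    {"host": "ws1", "pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"host": "ws1", "pid": 200, "ppid": 100, "image": "winword.exe"},
    {"host": "ws1", "pid": 300, "ppid": 200, "image": "powershell.exe"},
    {"host": "ws1", "pid": 400, "ppid": 100, "image": "chrome.exe"},
]
NET_EVENTS = [  # observation point 2: network sensor with pid attribution
    {"host": "ws1", "pid": 400, "dst": "203.0.113.10:443"},
    {"host": "ws1", "pid": 300, "dst": "198.51.100.7:8443"},
    {"host": "ws1", "pid": 999, "dst": "192.0.2.5:80"},  # no creation event seen
]

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def process_chain(proc_index, host, pid, max_depth=32):
    """Walk ppid links and return the chain root-to-leaf, e.g. ['explorer.exe', 'winword.exe']."""
    chain, seen = [], set()
    while (host, pid) in proc_index and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        proc = proc_index[(host, pid)]
        chain.append(proc["image"])
        pid = proc["ppid"]
    return list(reversed(chain))


def find_findings(proc_events, net_events):
    """Relate each network observation to the process tree; return (kind, host, pid, chain)."""
    proc_index = {(p["host"], p["pid"]): p for p in proc_events}
    findings = []
    for n in net_events:
        key = (n["host"], n["pid"])
        if key not in proc_index:
            # The sensor saw a process the host agent never reported: the two
            # observation points disagree, which is itself the signal.
            findings.append(("unattributed_process", n["host"], n["pid"], []))
            continue
        chain = process_chain(proc_index, *key)
        leaf, ancestors = chain[-1], set(chain[:-1])
        if leaf in INTERPRETERS and ancestors & OFFICE_APPS:
            findings.append(("office_spawned_interpreter_network", n["host"], n["pid"], chain))
    return findings


if __name__ == "__main__":
    for finding in find_findings(PROC_EVENTS, NET_EVENTS):
        print(finding)
```

The output is a list for an analyst to reason about, not an automatic kill decision, which is the point made above about context.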


On Wed, Apr 16, 2014 at 10:11 AM, Dave Aitel <dave () immunityinc com> wrote:

Links you should hit first:
http://immunityproducts.blogspot.com/2014/04/revamping-el-jefe.html

http://www.rsaconference.com/videos/122/stop-looking-for-the-silver-bullet-start-thinking

One thing I noticed from watching all of the RSA keynotes is that they
all said the exact same things, often in the same words. For example, in
the HP keynote (above) you'll see the threads of "We're getting
outmatched" with we need to move to "real-time + big data
understanding". This is the exact same speech that Philippe Courtot
gave, that Stephen Trilling gave, that Kevin Mandia gave, that the Cisco
team gave. They were all the same. Which is interesting in and of
itself. All the big companies are moving in the same direction, or at
least want to.

But here is where they will potentially fail, in my opinion. First of
all, real time response is incredibly hard, since nobody is sure what
response means beyond "kill that process". If you take a machine
offline, you might interrupt a critical business function in a way that
is not predictable. Likewise, the big data you rely on is going to be
fed to you by your attackers once they penetrate a box.

And deep down, without an offensive team, you don't know what you're
really looking for in the first place. For example, attackers are
quickly going to move to "C2C-less trojans" and "faster real time
attack". There's a great talk at INFILTRATE this year on how trojans are
going to use DRM techniques to frustrate automated analysis (INNUENDO is
the only commercial penetration testing tool I know that does this at
the moment, but soon it will be everywhere).

Immunity's efforts in the automated malicious activity detection area
can be seen in the El Jefe blog post above - El Jefe is free, but more
importantly you can start to see the benefits of using process-chain
analysis as we develop the product. The next release will tie in some
statistical analysis to provide adaptive anomaly detection (malicious
activity does not always mean malware - it can also mean someone just
sitting at your desk typing weird commands!). The Cuckoo integration in
the current release is pretty smooth as well, and we're hoping to have
this available to the public sometime next week!

Thanks,
Dave Aitel
Immunity, Inc.





_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave

