Dailydave mailing list archives
Re: The Blue Pill of Threat Intelligence
From: Matthew Wollenweber <mwollenweber () gmail com>
Date: Thu, 16 Oct 2014 13:14:42 -0400
Foremost, I love your observation that: "[threat intel products] offers malware analysis, even though the massively expensive undertaking helps nobody but the threat intelligence company, as it resells that information to other customers." I find that whole system/approach to be unethical and do my best to keep my employer out of those systems.

However, threat intel can be useful to enterprises in a variety of mechanisms. First, it provides specific indicators that can be blocked or thwarted. For any specific enterprise, that's one less thing. One can argue there's always another vector, which is true, but that's an implicit argument with any open-ended problem. However, it leads to a second observation: if trusted communities can share threat intel (or even if untrusted communities can share fast enough), it significantly drives up cost for the attacker. Again, the attacker can change, but it gets expensive/troublesome to do so rapidly. If you talk to many threat intel guys, they dig into the known actors because they reuse so many resources, techniques, code, etc. Causing them to change more rapidly might make efforts unprofitable (when profit is the goal) or too expensive.

Because I see this utility, my struggle is how to obtain and share the labor-intensive work, given that companies want to make money, and without the shady business of semi-sharing and reselling.

I'm unsure about your assertion "Instead, they've been taught to look at a compromised computer to see what processes they can remove to make it clean again". Only speaking from my experience, at the enterprise level, no one wants to clean compromised computers. It's far too much work and it's not my computer. We do our best to enforce wiping the systems. When we do forensics, we do so to determine if any regulated data was on the system and, if it was, did it leave our network. If so, that's a reportable breach and something no one wants to do.
In those cases malware analysis and any threat intelligence are extremely useful. Understanding how the system was compromised, what the malware does, and the expected/trend behavior of the actors helps understand what happened and (assuming it's true) assert that regulated/controlled data was not breached. There are likely better ways, but the above is the best that some smart coworkers and I can actually accomplish to keep our employer out of the Post.

On Wed, Oct 15, 2014 at 11:59 AM, Dave Aitel <dave () immunityinc com> wrote:
http://www.fierceitsecurity.com/story/threat-intelligence-problem/2014-10-13

In this article I go over "Threat Intelligence". And I'm a little hard on it because I think it has to make a choice, and soon. In one hand is a pill that takes it down the road to AV-like financial success, but strategic failure. And in the other hand, the current models are only stepping stones towards offerings that provide true strategic situational awareness to their clients, so their clients can build customized incident response programs that really work. Honestly, I think because of the way VC-funded firms work, we may end up taking the blue pill, which is unfortunate for companies, but good for those of us doing offense.

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
--
Matthew Wollenweber <mjw () cyberwart com>
mwollenweber () gmail com
Current thread:
- The Blue Pill of Threat Intelligence Dave Aitel (Oct 15)
- Re: The Blue Pill of Threat Intelligence Zack (Oct 15)
- Re: The Blue Pill of Threat Intelligence al bell (Oct 17)
- Re: The Blue Pill of Threat Intelligence Zack Payton (Oct 17)
- Re: The Blue Pill of Threat Intelligence al bell (Oct 17)
- Re: The Blue Pill of Threat Intelligence Matthew Wollenweber (Oct 17)
- Re: The Blue Pill of Threat Intelligence Curt Wilson (Oct 20)
- Re: The Blue Pill of Threat Intelligence Harry Hoffman (Oct 20)
- Re: The Blue Pill of Threat Intelligence Zack (Oct 15)