Re: The Blue Pill of Threat Intelligence

[Curt Wilson <curtwilson618 () gmail com>]

It seems to me that leveraging internal telemetry for accurate and relevant
threat intelligence should be the first step. Anomalous traffic from a
central management server for PoS infrastructure to unknown FTP servers
should be a big red flag, for example. Implementing the proper
instrumentation and maintaining it adequately I would think should be a
priority.

I think back to one of the targeted threats  -I believe it may have been
Duqu - that used a fresh C2 every time with no reuse. A reputation feed is
going to have a hard time dealing with this scenario.

When I worked at the University, we got a lot of mileage from monitoring
DNS logs. While we leveraged the external indicators, we could also
determine through context and find threats that were not yet known.

Of course having meaningful threat intelligence data from external sources
can be widely beneficial in the case of threat actors reusing
infrastructure. And while we know this happens, I would not want to put all
of my eggs simply in that basket without high quality and high fidelity
internal telemetry.

On Thursday, October 16, 2014, Matthew Wollenweber <mwollenweber () gmail com>
wrote:

> Foremost, I love your observation that: "[threat intel products] offers
> malware analysis, even though the massively expensive undertaking helps
> nobody but the threat intelligence company, as it resells that information
> to other customers. I find that who system/approach to be unethical and my
> best to keep my employer out of those systems. However, threat intel can be
> useful to enterprises in a variety of mechanisms. First, it provides
> specific indicators that can be blocked or thwarted. For any specific
> enterprise, that's one less thing. One can argue there's always another
> vector, which is true but that's an implicit argument with any open ended
> problem. However,it leads to a second observation that if trusted
> communities can share threat intel (or even if untrusted communities can
> share fast enough) it significantly drives up cost for the attacker. Again
> the attacker can change, but it gets expensive/troublesome to do so
> rapidly. If you talk to many threat intel guys they dig into the known
> actors because they reuse so many resources, techniques, code etc. Causing
> them to change more rapidly might make efforts unprofitable (when profit is
> the goal) or too expensive. Because I see this utility, my struggle is how
> to obtain and share the labor intensive work given that companies want to
> make money and without the shady business of semi-sharing and reselling.
>
> I'm unsure about your assertion "Instead, they've been taught to look at a
> compromised computer to see what processes they can remove to make it clean
> again". Only speaking from my experience, at the enterprise level, no one
> wants to clean compromised computers. It's far too much work and it's not
> my computer. We do our best to enforce wiping the systems. When we do
> forensics, we do so to determine if any regulated data was on the system
> and if it was, did it leave our network. If so, that's a reportable breach
> and something no one wants to do. In those cases malware analysis and any
> threat intelligence is extremely useful. Understanding how the system was
> compromised, what the malware does, and the expected/trend behavior of the
> actors helps understand what happened and (assuming it's true) assert that
> regulated/controlled data was not breached.
>
> There are likely better ways, but above is the best that some smart
> coworkers and I can actually accomplish to keep our employer out of the
> Post.
>
>
>
>
>
>
> On Wed, Oct 15, 2014 at 11:59 AM, Dave Aitel <dave () immunityinc com
> <javascript:_e(%7B%7D,'cvml','dave () immunityinc com');>> wrote:
>
> > http://www.fierceitsecurity.com/story/threat-intelligence-problem/2014-10-13
> >
> > In this article I go over "Threat Intelligence". And I'm a little hard
> > on it because I think it has to make a choice, and soon. In one hand, is
> > a pill that takes it down the road to AV-like financial success, but
> > strategic failure. And in the other hand, the current models are only
> > stepping stones towards offerings that provide true strategic
> > situational awareness to their clients, so their clients can build
> > customized incident response programs that really work.
> >
> > Honestly, I think because of the way VC-funded firms work, we may end up
> > taking the blue pill, which is unfortunately for companies, but good for
> > those of us doing offense.
> >
> > -dave
> >
> >
> >
> > _______________________________________________
> > Dailydave mailing list
> > Dailydave () lists immunityinc com
> > <javascript:_e(%7B%7D,'cvml','Dailydave () lists immunityinc com');>
> > https://lists.immunityinc.com/mailman/listinfo/dailydave
>
>
> --
> Matthew Wollenweber
> m <javascript:_e(%7B%7D,'cvml','mjw () cyberwart com');>wollenweber () gmail com
> <javascript:_e(%7B%7D,'cvml','wollenweber () gmail com');>
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave