List:       dailydave
Subject:    Re: [Dailydave] Blinken Lights IDS
From:       Andre Gironda <andreg () gmail ! com>
Date:       2017-03-16 18:14:32
Message-ID: CALKBUgj1oM-6YzDc-W_x1gQCWaw--SQ5oLZj6zbu8Rboq8fHDg () mail ! gmail ! com


On Thu, Mar 16, 2017 at 8:43 AM, dave aitel <dave@immunityinc.com> wrote:

> Everyone I know lived through the "Blinken-Lights-IDS" phase.

> So your entire defense was situated on "Are the
> lights blinking when I'm not typing on my computer?"
> Ask yourself: How far from that have we come, really?
> 

We can still use blinkenlights --
https://blog.cobaltstrike.com/2015/11/11/revolutionary-device-detects-mimikatz-use/


> Honestly, the line that strikes fear into the hearts and minds of all
> SOC engineers is "How do you measure your success?". I'm on the Security
> Metrics mailing list, which has been around basically forever, and what
> they will point out is that good metrics need good data, and we have
> about zero of that in almost all aspects of this game.


Maybe we know how to measure success --
https://www.blackhat.com/docs/eu-16/materials/eu-16-Hovor-Automating-Incident-Investigations-Sit-Back-And-Relax-Bots-Are-Taking-Over.pdf



> While attackers
> have real numbers, the defensive process is literally evolutionary: We
> try EVERYTHING and just see which companies fail due to data breaches
> and while we don't really learn any lessons directly, maybe the next
> generation of companies will be, in some way, similar to whatever
> mutation helped.
> 

Maybe we know how to evolve the defensive process --
http://conf.splunk.com/files/2016/slides/detecting-the-adversary-post-compromise-with-threat-models-and-behavioral-analytics.pdf


dre


_______________________________________________
Dailydave mailing list
Dailydave@lists.immunityinc.com
https://lists.immunityinc.com/mailman/listinfo/dailydave