Dailydave mailing list archives

Re: Defeating what's next


From: Ben Miller <ben () electricfork com>
Date: Thu, 13 Jun 2013 12:40:41 -0400

so I think one of the more powerful things about IOCs is that they are open. To
Halvar's point, this assists in forming communities and establishing
confidence. Incidentally, communities and confidence are not something bad
guys are generally lacking, but defenders are.

A stack of IOCs can also better inform a defender on what to expect. For
instance, the sequence of IOCs of an attack may outline a dropper, a benign
document, a trojan and 10-minute C2 callbacks; that is not merely "a collection
of IOCs" but it also tells a story. A story about the TTPs used. You can
now broaden the blacklist concept to tactics such as "look for a Word
document in %temp% and executables with identical timestamps".

IOCs can assist in moving from one sole defender defending to a community
of defenders defending.  That, in theory, makes for a more informed and
speedy defender. Note: I did not say OODA loop once; even at the end.

-b
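
Added example (not code from Ben's or Halvar's messages): two small Python hunting checks that turn the tactic-level observations in the post above into code over constructed records. The first pairs a Word-style document under a temp directory with any executable sharing its modification timestamp; the second counts 10-minute callback links in a list of outbound-connection timestamps. The temp directory path, the file records and the connection timestamps are all assumed sample data, and the beacon check is written so that unrelated connections interleaved with the callbacks do not hide the pattern.

```python
"""Hunting checks for two tactic-level IOC observations (added example)."""
import bisect
import ntpath
from datetime import datetime, timedelta

# Extensions treated as "a Word document" and "an executable" (assumed sets).
DOC_EXTS = {".doc", ".docx", ".rtf"}
EXE_EXTS = {".exe", ".dll", ".scr"}

# Assumed expansion of %temp% on the host being inspected.
TEMP_DIR = "C:\\Users\\alice\\AppData\\Local\\Temp"


def find_doc_exe_timestamp_pairs(records, temp_dir=TEMP_DIR):
    """Return sorted (doc_path, exe_path) pairs where a document under temp_dir
    has exactly the same modification timestamp as an executable anywhere.

    records: iterable of (path, mtime) tuples, mtime being a datetime.
    ntpath is used so Windows paths are handled on any platform.
    """
    temp_norm = ntpath.normcase(temp_dir.rstrip("\\"))
    by_mtime = {}  # mtime -> {"doc": [...], "exe": [...]}
    for path, mtime in records:
        ext = ntpath.splitext(path)[1].lower()
        in_temp = ntpath.normcase(ntpath.dirname(path)).startswith(temp_norm)
        if ext in DOC_EXTS and in_temp:
            by_mtime.setdefault(mtime, {}).setdefault("doc", []).append(path)
        elif ext in EXE_EXTS:
            by_mtime.setdefault(mtime, {}).setdefault("exe", []).append(path)
    pairs = []
    for bucket in by_mtime.values():
        for doc in bucket.get("doc", []):
            for exe in bucket.get("exe", []):
                pairs.append((doc, exe))
    return sorted(pairs)


def count_beacon_links(timestamps, expected=timedelta(minutes=10),
                       tolerance=timedelta(seconds=30)):
    """Count timestamps that are followed by another one `expected` later
    (within `tolerance`). Because each timestamp looks ahead for its own
    successor, noise connections in between do not break the chain, unlike a
    naive check of consecutive gaps."""
    ts = sorted(timestamps)
    hits = 0
    for i, t in enumerate(ts):
        lo, hi = t + expected - tolerance, t + expected + tolerance
        j = bisect.bisect_left(ts, lo, i + 1)  # first candidate at or after lo
        if j < len(ts) and ts[j] <= hi:
            hits += 1
    return hits


def is_beaconing(timestamps, min_links=4, **kwargs):
    """True when at least `min_links` callback links are present."""
    return count_beacon_links(timestamps, **kwargs) >= min_links


# Constructed sample data: one dropped document and executable sharing a
# timestamp, one document outside %temp%, one old system binary.
T0 = datetime(2013, 6, 12, 9, 0, 0)
SAMPLE_FILES = [
    (TEMP_DIR + "\\invoice.doc", T0),
    (TEMP_DIR + "\\svchost.exe", T0),
    ("C:\\Users\\alice\\Documents\\report.docx", T0),
    ("C:\\Windows\\System32\\notepad.exe", T0 - timedelta(days=400)),
]

# Constructed proxy-log timestamps: six callbacks every ~10 minutes (with a
# second or two of jitter) plus one unrelated connection at +37 minutes.
SAMPLE_CONNECTIONS = [
    T0 + timedelta(minutes=10 * i, seconds=i % 3) for i in range(6)
] + [T0 + timedelta(minutes=37)]


if __name__ == "__main__":
    for doc, exe in find_doc_exe_timestamp_pairs(SAMPLE_FILES):
        print("document/executable timestamp match:", doc, "<->", exe)
    links = count_beacon_links(SAMPLE_CONNECTIONS)
    print("10-minute callback links:", links, "beaconing:", is_beaconing(SAMPLE_CONNECTIONS))
```

Both checks are deliberately loose: identical mtimes also occur for legitimately extracted archives, and a 10-minute cadence is shared by many updaters, so the output is a hunting lead to pivot from, not a verdict.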


On Wed, Jun 12, 2013 at 1:42 PM, Halvar Flake <HalVar () gmx de> wrote:

Hey all,

with all the IOC-bashing, I think I need to supply some compelling
arguments in favour of them:

- We know how to look for them. If I lose my wallet in some dark alley
where I am near-blind, it is clearly more reasonable to go to a
different street with better streetlights to look for it. Everything
else would require me getting better technology, and nobody has time for
that.

- They make for a great business model. Empires were built on AV
signatures, but it was considered bad form to charge more for signatures
of particularly nasty malware. Re-branded as IOCs, I can finance
decent-sized teams to analyze malware, and then sell individual IOCs for
good money. IOCs are not -yet- better than AV signatures (if measured by
aggregate stock value of companies involved), but that might change with
a few IPOs.

- They are community-bond-forming. A good IOC for an important group of
attackers can be shared between a trusted group of people, so if I get
owned and notice it, I at least have the consolation that I can build a
cool IOC from it, and feel important in my peer group. I can trade,
barter, and generally form a much more tightly-knit community. It's
literally the success of "Magic - The Gathering" brought back to the IT
security world.

- They're good for people's confidence. Holding a secret IOC is the
defensive version of holding a non-public exploit. You can feel
powerful, and for your particular adversary, it may or may not work, or
it may be patched any day. Perhaps it's methadone - not quite the real
thing, but keeps the really heavy craving away.

On a more serious note: Dave, no offense, but you sound like me during
every stock bubble. "But ... but .... this is a bubble, it will burst !"
- that is true, but in the meantime, fortunes are made, and the person
with a macro view stays poor. :-P

Cheers,
Halvar
PS: I actually think that IOCs can be quite useful - if they are built
to generalize well and if you manage to keep them away from the
attackers. That, though, can be the hard part.
PPS: Perhaps a discussion about "technology X being bad" is like
chess players debating why pawns suck. In the end, everybody would like
to have 8 queens, but you'll have to play with what you have.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave

