Dailydave mailing list archives
Re: Defeating what's next
From: Ben Miller <ben () electricfork com>
Date: Thu, 13 Jun 2013 12:40:41 -0400
So I think one of the more powerful things about IOCs is that they are open. To Halvar's point, this assists in forming communities and establishing confidence. Incidentally, communities and confidence are not something bad guys are generally lacking, but defenders are.

A stack of IOCs can also better inform a defender on what to expect. For instance, a sequence of IOCs of an attack that outlines a dropper, a benign document, a trojan and 10-minute C2 callbacks is not merely "a collection of IOCs"; it also tells a story. A story about the TTPs used. You can now broaden the blacklist concept to tactics such as "look for a Word document in %temp% and executables with identical timestamps". IOCs can assist in moving from one sole defender defending to a community of defenders defending. That, in theory, makes for a more informed and speedy defender.

Note: I did not say OODA loop once; even at the end.

-b

On Wed, Jun 12, 2013 at 1:42 PM, Halvar Flake <HalVar () gmx de> wrote:
Hey all,

with all the IOC-bashing, I think I need to supply some compelling arguments in favour of them:

- We know how to look for them. If I lose my wallet in some dark alley where I am near-blind, it is clearly more reasonable to go to a different street with better streetlights to look for it. Everything else would require me getting better technology, and nobody has time for that.

- They make for a great business model. Empires were built on AV signatures, but it was considered bad form to charge more for signatures of particularly nasty malware. Re-branded as IOCs, I can finance decent-sized teams to analyze malware, and then sell individual IOCs for good money. IOCs are not -yet- better than AV signatures (if measured by aggregate stock value of companies involved), but that might change with a few IPOs.

- They are community-bond-forming. A good IOC for an important group of attackers can be shared between a trusted group of people, so if I get owned and notice it, I at least have the consolation that I can build a cool IOC from it, and feel important in my peer group. I can trade, barter, and generally form a much more tightly-knit community. It's literally the success of "Magic - The Gathering" brought back to the IT security world.

- They're good for people's confidence. Holding a secret IOC is the defensive version of holding a non-public exploit. You can feel powerful, and for your particular adversary, it may or may not work, or it may be patched any day. Perhaps it's methadone - not quite the real thing, but keeps the really heavy craving away.

On a more serious note: Dave, no offense, but you sound like me during every stock bubble. "But ... but .... this is a bubble, it will burst!" - that is true, but in the meantime, fortunes are made, and the person with a macro view stays poor. :-P

Cheers,
Halvar

PS: I actually think that IOCs can be quite useful - if they are built to generalize well and if you manage to keep them away from the attackers. That, though, can be the hard part.

PPS: Perhaps a discussion about "technology X being bad" is like chess players debating why pawns suck. In the end, everybody would like to have 8 queens, but you'll have to play with what you have.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
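The tactic Ben Miller sketches above ("look for a Word document in %temp% and executables with identical timestamps") is the kind of behavioural rule a defender can derive from a chain of IOCs instead of matching a single hash. The following is an added example, not code from the thread or from any project its participants work on: it runs that rule over a constructed set of file-metadata records (paths and timestamps are invented for the example) and reports document/executable pairs that share a modification time, with the document sitting under a Temp directory. Real use would feed it a directory walk or a forensic timeline; the `FileRecord` type, the extension sets and the `in_temp_dir` heuristic are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Tuple
import ntpath


@dataclass(frozen=True)
class FileRecord:
    """One file as seen in a directory listing or timeline (assumed shape)."""
    path: str        # full Windows path
    mtime: datetime  # last-modified timestamp as recorded on disk


# Extensions treated as "document" and "executable"; extend to taste.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".rtf"}
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr"}


def _ext(path: str) -> str:
    """Lower-cased extension of a Windows path (works on any host via ntpath)."""
    return ntpath.splitext(path)[1].lower()


def in_temp_dir(path: str) -> bool:
    """True if some parent directory of the file is named 'Temp' (the %temp% idea).

    The filename itself is excluded so 'Documents\\temp.doc' does not match.
    """
    parts = [p.lower() for p in ntpath.normpath(path).split("\\")]
    return "temp" in parts[:-1]


def find_document_executable_pairs(
    records: Iterable[FileRecord],
) -> List[Tuple[FileRecord, FileRecord]]:
    """Return (document, executable) pairs whose mtimes are identical.

    Only documents under a Temp directory count; the executable may live
    anywhere, since a dropper often writes its payload elsewhere.
    """
    by_mtime: Dict[datetime, List[FileRecord]] = {}
    for rec in records:
        by_mtime.setdefault(rec.mtime, []).append(rec)

    pairs: List[Tuple[FileRecord, FileRecord]] = []
    for group in by_mtime.values():
        docs = [r for r in group
                if _ext(r.path) in DOCUMENT_EXTENSIONS and in_temp_dir(r.path)]
        exes = [r for r in group if _ext(r.path) in EXECUTABLE_EXTENSIONS]
        for doc in docs:
            for exe in exes:
                pairs.append((doc, exe))
    return pairs


# Constructed sample input: one suspicious pair, plus benign noise.
T_DROP = datetime(2013, 6, 12, 13, 42, 7)
SAMPLE_RECORDS = [
    FileRecord(r"C:\Users\alice\AppData\Local\Temp\invoice.docx", T_DROP),
    FileRecord(r"C:\Users\alice\AppData\Local\Temp\update.exe", T_DROP),
    # Same timestamp, but not in a Temp directory: ignored by the rule.
    FileRecord(r"C:\Users\alice\Documents\report.docx", T_DROP),
    # Executable in Temp with a different timestamp: no pair.
    FileRecord(r"C:\Users\alice\AppData\Local\Temp\setup.exe",
               datetime(2013, 6, 12, 9, 0, 0)),
    FileRecord(r"C:\Windows\System32\notepad.exe",
               datetime(2012, 7, 26, 3, 18, 0)),
]


if __name__ == "__main__":
    for doc, exe in find_document_executable_pairs(SAMPLE_RECORDS):
        print(f"{doc.mtime.isoformat()}  {doc.path}  <->  {exe.path}")
```

Matching on an exact timestamp is deliberately narrow; a production rule would usually allow a small window (a few seconds) and correlate with process-creation logs, but the exact-match form is the one the message describes and is the cheapest to run across a fleet.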