Dailydave mailing list archives

Previous By Date Next
Previous By Thread Next

Re: C2

From: Dan Guido <dguido () gmail com>
Date: Mon, 3 Mar 2014 13:48:38 -0500
I explicitly challenged this notion ("the defender's dilemma") in research
I presented a few years back (http://www.trailofbits.com/research/#eip).
Attackers have limited resources and can't afford to invest equally in
every potential opportunity for exploitation, persistence, C2, etc. You
start to make tradeoffs about which ones work in the most situations or
satisfy other requirements you have. It's as applicable to "APT" as it is
to mass malware.

It's exactly this line of thinking that led us to build Javelin (
javelinsecurity.com), which helps you measure and understand the efficacy
of common attacker strategies against your network. Our goal is to force an
attacker's dilemma, make *them* make the difficult decisions and the
expensive investments in new tools, training and systems.

Several other papers on the same topic from MSR/WEIS:
http://weis2010.econinfosec.org/papers/session5/weis2010_herley.pdf
http://weis2011.econinfosec.org//papers/Where%20Do%20All%20the%20Attacks%20Go.pdf




On Mon, Mar 3, 2014 at 12:03 PM, Dave Aitel <dave () immunityinc com> wrote:


One rather facetious saying that has annoyed everyone for a while is the
whole "defenders have to protect everything, attackers just have to get
in once" meme. If you talk to defenders who are "leading" with new
technologies and techniques, the difference really does blur quite a
bit. I was happily surprised at the Tenable offsite to hear their big
customers describe their continuous monitoring and SIEM analytics
techniques as their network "Command and Control". It's a useful change
to a more sophisticated mindset. You don't hear people really
acknowledging an advanced persistent defense that often. :>

Of course, building proper C2C while under attack is itself very hard.
People very quickly fall into the "Big Data" trap - we try to caution
Justin from collecting more than he has to with El Jefe. We don't want
"Big Data" analysis. We want "Just enough data" analysis!

-dave








_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave



_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
Previous By Date Next
Previous By Thread Next

Current thread: