Full Disclosure mailing list archives
Re: Linux - Indicators of compromise
From: Scott Solmonson <scosol () scosol org>
Date: Fri, 20 Jul 2012 10:53:38 -0700
It seems that English isn't your first language, so no problem with the confusion- "don't isolate, monitor spread tactics, perceptually contain and then analyse." Isolation in an INFOSEC sense means actual measures to stop actual actions. The short version looks like "we've got all the information we need, it's time to seal this bitch in a cage". Before that point is reached, the most important thing is to monitor without damage to determine behaviors and tactics, hence "perceptually contain"; in order to anticipate future actions. Imagine thousands of VMs spun up on a fully simulated IP space with a full suite honeypot profile- Let the cows roam, see where they find grass... Your analysis of my explanation:
1) Let hacker run amok so you can see them is run amok 2) Once hacker is run amok, steal your bread and is butter, wipe your systems, restore 3) Go back and is learn why they steal and delete.
1) an enemy can not be countered unless it can be understood 2) that bread and butter was put there, by me, on purpose 3) simple knowledge is power, motivational knowledge is godlike 4) ??? 5) profit! -- NUNQUAM NON PARATUS ☤ INCITATUS ÆTERNUS On Thu, Jul 19, 2012 at 6:18 AM, Григорий Братислава <musntlive () gmail com> wrote:
On Wed, Jul 18, 2012 at 12:20 PM, Scott Solmonson <scosol () scosol org> wrote:Shortcutting other responses-2) assume the worst, don't isolate, monitor spread tactics, perceptually contain and then analyse.This is make sense! Do not isolate. Let hacker run rampant in is your network. Because if they is damage your network in is process of not isolating them, is ok if they is steal and delete. You get to see what is they stole after is gone, and after they is wipe your system. This is good advice yes, help test your BC/DR! MusntLive like absurd and obscure approach!Endgame is always close the hole, restore the data, learn from your mistakes that allowed it to happen :)MusntLive is love your advice! According to you: 1) Let hacker run amok so you can see them is run amok 2) Once hacker is run amok, steal your bread and is butter, wipe your systems, restore 3) Go back and is learn why they steal and delete. MusntLive think answer for #3) is logic one: "Idiot admin allowed is this to happen"
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Linux - Indicators of compromise, (continued)
- Re: Linux - Indicators of compromise Григорий Братислава (Jul 26)
- Re: Linux - Indicators of compromise Scott Solmonson (Jul 28)
- Re: Linux - Indicators of compromise Григорий Братислава (Jul 30)
- Re: Linux - Indicators of compromise jerry (Jul 28)
- Re: Linux - Indicators of compromise Bzzz (Jul 16)
- Re: Linux - Indicators of compromise Григорий Братислава (Jul 16)
- Re: Linux - Indicators of compromise coderman (Jul 16)
- Re: Linux - Indicators of compromise Jerry Bell (Jul 19)
- Re: Linux - Indicators of compromise Scott Solmonson (Jul 19)
- Re: Linux - Indicators of compromise Григорий Братислава (Jul 19)
- Re: Linux - Indicators of compromise Scott Solmonson (Jul 23)
- Re: Linux - Indicators of compromise Григорий Братислава (Jul 19)
- Re: Linux - Indicators of compromise Ali Varshovi (Jul 16)
- Re: Linux - Indicators of compromise Ali Varshovi (Jul 16)
- Re: Linux - Indicators of compromise Benji (Jul 16)
- Re: Linux - Indicators of compromise coderman (Jul 16)
- Re: Linux - Indicators of compromise Ali Varshovi (Jul 19)
- Re: Linux - Indicators of compromise Ali Varshovi (Jul 19)