So I wanted to respond to this post which starts "If someone exploits an
0day they still have to setup C2 - this is where TTPs are generated that
Blue Teams can win against". And I think for the past year I've gone on a
huge journey of discovery, annoying my Cyber Threat Intelligence friends to
no end as I ask annoying questions like "After you put some random
non-googlable name up, like PLATINUM, can you just add a little flag so I
know what country you're talking about?"
(Argh. The whole point of codenames is they are UNIQUE and easy to search
for. This is like naming your OS "Windows" I guess.)
Anyways, imagine if seventeenth century biologists were reporting to the
newly established Royal Society and they were talking about counting all
the animals and doing studies on animals, and of course what they used to do
that was examine the various animals that kings and whatnot had gotten stuffed
and sent to them. I feel like you would find out that almost all animals had
fur and were easily shot by muskets or stabbed with spears! I guess my
point here being: Cyber Threat Intelligence is in a very hard place right
now, despite soaring revenues and many exciting trophies on the wall.
What you hear, over and over again, is that yes, detecting exploitation is
hard, but you will be able to detect "lateral movement" and see the command
and control traffic, and when attackers need to "accomplish their mission"
they will therefore be detectable. And this is true - for some missions,
and for some operational concepts
that accomplish those missions. But we fail when we don't consider other
operational concepts and other missions. Apparently we call the many
reasons we fail to turn data into warnings and then into action:
Good marketing from XDR companies is a pathology in this space. And that
pathology goes to the highest levels - when we have leaders in govt say "We
don't see any serious Log4J exploitation" we have to think "Wait, we have
almost no visibility for Unix targets though". Even when we have the right
telemetry, we don't have the right analysis.
I like to probe our pathologies with annoying questions:
- What percentage of worms do we see?
- What happens when people don't use a C2 but just drop an implant?
- Who are the hacker groups focusing only on Unix?
- What percentage of 0day do we really even find?
- Are we looking only at our adversary's actions, or also our own to
But more than that, we are not self-conscious in the way that we should be
about our own analytical pathologies. This is because our academic
structure for peer review and everything else in this space is pretty
busted. Anyways, there's more to the world out there than just lions and
antelope and espionage RATs. To see the really interesting things you need
a microscope, and the kind of eyes that want to squint through the lenses
of microscopes we haven't even built yet.