Finding the money shot is key to successfully containing an emerging threat. What do I mean by the money shot? That would be the point at which the point of no return is passed in a security incident. In most malicious code incidents, this is where a binary reaches a system (via HTTP download, email, or some other means) and successfully executes. It's fairly common nowadays to see 2, 3, 4, or more re-directs from one compromised or malicious site to another before finally reaching the money shot. But trying to keep up with blocking/containing all the stage 1, stage 2, etc. re-direct domains is an exhausting and futile process. On top of that, it's an extremely false positive prone undertaking that could have a fair bit of collateral damage as well (in terms of blocking traffic necessary for business operations). Focus on the money shot first. That's where the most containment bang for the buck is to be found. It's the only chance we as practitioners have at keeping up with the ever-changing landscape. It's all about the money shot.
Followers
Blog Archive
About Me
- Josh Goldfarb
- Josh (Twitter: @ananalytical) is currently Global Solutions Architect - Security at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh’s blogging and public speaking appearances, he is also a regular contributor to DarkReading and SecurityWeek.
No comments:
Post a Comment