Lately, I've noticed that there is a bit of a disconnect in the security community between security researchers/malware researchers and security operations personnel. Perhaps disconnect is too strong a word -- I'm not sure. What I've noticed is that security researchers/malware researchers are most interested in attacker techniques, exploit kits, and the actual malware/payload delivery itself, while security operations personnel are most interested in timely and reliable detection and response. Where's the disconnect, you ask? Well, for one, techniques, exploit kits, and payload delivery sometimes (or often, depending on the environment) fail and don't result in a successful infection. So, while researchers are chasing the ever-evolving exploit/payload delivery landscape, security operations personnel are hungry for reliable, actionable indicators of compromise. As has been discussed previously on this blog, the most reliable and actionable indicators of compromise are usually post-infection, since it is much easier to look for unusual behavior/activity after a machine has been infected than it is to spot an infection that is about to happen or is in progress.
So, on one hand, we have a strong, bright, and energetic community discovering new techniques, exploits, and payload delivery methods (all pre-infection), while on the other hand, we have a dedicated and hard-working community desperately seeking reliable post-infection indicators of compromise. There is a void between the pre-infection and post-infection data/intelligence, and unfortunately, there aren't a lot of people or organizations currently filling that void.
Interesting observation, but what can be done? My hope is that researchers will become more interested in post-infection activity, while at the same time, security operations personnel will become better at tracking the great pre-infection research that is going on and correlating it with post-infection indicators of compromise. I am optimistic that the community will continue to improve in this regard with the proper attention and focus.