[ale] Predicting "bad actor" actions WAS Re: Replacing shared host?

Jerald Sheets questy at gmail.com
Thu Dec 20 13:59:41 EST 2018


Actually, it’s rather easy to not only detect, but to interact with users “doing things”™ on your network to predict coming behavior based on actions.

For instance, we have a detection mechanism that will watch the edge for new connects. As the connects ramp up (brute force, for instance), we’ll send a single ack back with payload. As soon as the actor “sees” the ack, they actually tear down their complete infrastructure in one cloud, and then stand it up elsewhere. By this point, the signature for their methods is recorded and part of the threat intelligence mesh. Next time we see them, we ack the packet immediately instead of “waiting” for additional behavior to produce the behavior signature.

Many times we see payloads and requests we do not recognize, but can heuristically determine whether it’s a bot (standard rootkits, published and “found” attack). Behavior we see on the edge sometimes is a brand new attempt and the feedback loop time until it’s in our threat intelligence can be measured in seconds if the SOC determines it’s an active threat.

It’s not uncommon to be protecting against 0-day assaults before they’re even publicized.

> On Dec 20, 2018, at 1:46 PM, Leam Hall via Ale <ale at ale.org> wrote:
> 
> 
> 
> I agree, DO, AWS, or whomever trying to PREDICT a customer's actions is next to impossible. That's why Rich's e-mail is so valuable; the business should monitor and respond to improper behavior. That way they are dealing with facts and evidence, not guesses about potential behavior.
> 



—j
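Added example, not code from the list post or from Jerald's environment: a minimal sketch of the feedback loop described above (edge watcher counts new connects per source, confirms a ramp-up, records an infrastructure-independent behaviour signature, and on the next sighting flags the same tooling after only a few connects instead of waiting for the full ramp). Thresholds, the signature fields and the sample connection events are all assumptions constructed for the demo.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10    # sliding window for counting new connects per source (assumed)
RAMP_THRESHOLD = 20    # connects inside the window that count as a ramp-up (assumed)
EARLY = 3              # connects needed before a behaviour signature can be computed

class EdgeMonitor:
    """Counts new connects per source and keeps a signature store (the 'intel mesh')."""

    def __init__(self):
        self.recent = defaultdict(deque)  # src -> timestamps inside the window
        self.first = defaultdict(list)    # src -> (ts, dport) of its first EARLY connects
        self.intel = set()                # behaviour signatures confirmed as ramp-ups

    def signature(self, src):
        # Fingerprint that does not depend on the source address: order of ports
        # probed and pacing of the first connects, so the tooling is still recognised
        # after the actor tears down one cloud and stands up somewhere else.
        first = self.first[src]
        ports = tuple(p for _, p in first)
        pace = round((first[-1][0] - first[0][0]) / (EARLY - 1), 1)
        return (ports, pace)

    def observe(self, ts, src, dport):
        """Return 'ramp', 'known' or 'ok' for one new inbound connection."""
        q = self.recent[src]
        q.append(ts)
        while ts - q[0] > WINDOW_SECONDS:
            q.popleft()
        if len(self.first[src]) < EARLY:
            self.first[src].append((ts, dport))
        if len(q) >= RAMP_THRESHOLD:          # first sighting: wait for the full ramp
            self.intel.add(self.signature(src))
            return "ramp"
        # Re-sighting: the signature is already in the store, so a handful of
        # connects is enough to act instead of waiting for the ramp to play out again.
        if len(self.first[src]) == EARLY and self.signature(src) in self.intel:
            return "known"
        return "ok"

def run(events):
    """Feed (ts, src, dport) events in time order; return the verdict per event."""
    mon = EdgeMonitor()
    return [mon.observe(*e) for e in events]

def sample_events():
    # Constructed sample: the same SSH brute-force pattern from two addresses.
    burst1 = [(i * 0.4, "203.0.113.7", 22) for i in range(25)]
    burst2 = [(500 + i * 0.4, "198.51.100.9", 22) for i in range(5)]
    return burst1 + burst2
```

`run(sample_events())` yields "ok" for the first 19 connects of the first burst, "ramp" from the 20th on, and "known" from the third connect of the second burst, which is the shortened reaction time the post describes.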

