[ale] Predicting "bad actor" actions WAS Re: Replacing shared host?

Simba simbalion-ale at tailpuff.net
Thu Dec 20 16:04:26 EST 2018


You should sell your method to hosting companies, if it's as great as
you say. I'm sure many of them would appreciate a plug-in appliance that
can do what you're talking about.

Simba Lion - https://tailpuff.net
https://keybase.io/simbalion

"Why is a raven like a writing desk?"

On 12/20/18 1:59 PM, Jerald Sheets via Ale wrote:
> Actually, it’s rather easy to not only detect, but to interact with users “doing things”™ on your network to predict coming behavior based on actions.
> 
> For instance, we have a detection mechanism that will watch the edge for new connects. As the connects ramp up (brute force, for instance), we’ll send a single ack back with payload. As soon as the actor “sees” the ack, they actually tear down their complete infrastructure in one cloud, and then stand it up elsewhere. By this point, the signature for their methods is recorded and part of the threat intelligence mesh. Next time we see them, we ack the packet immediately instead of “waiting” for additional behavior to produce the behavior signature.
> 
> Many times we see payloads and requests we do not recognize, but can heuristically determine whether it’s a bot (standard rootkits, published and “found” attack). Behavior we see on the edge sometimes is a brand new attempt and the feedback loop time until it’s in our threat intelligence can be measured in seconds if the SOC determines it’s an active threat.
> 
> It’s not uncommon to be protecting against 0-day assaults before they’re even publicized.
> 
>> On Dec 20, 2018, at 1:46 PM, Leam Hall via Ale <ale at ale.org> wrote:
>>
>>
>>
>> I agree, DO, AWS, or whomever trying to PREDICT a customer's actions is next to impossible. That's why Rich's e-mail is so valuable; the business should monitor and respond to improper behavior. That way they are dealing with facts and evidence, not guesses about potential behavior.
>>
> 
> 
> 
> —j
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> https://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
> 
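An added illustration (not Jerald's system or anything from the list) of the two-speed response he describes: a sliding-window detector that records a behavior signature the first time a source ramps up its connects, and answers any later source presenting a known signature immediately, even from freshly stood-up infrastructure. Event timestamps, addresses (RFC 5737 documentation ranges) and client banners are constructed; the "ack" actions are just labels returned to the caller.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # sliding window over which new connects are counted
RAMP_THRESHOLD = 5    # connects per window from one source that count as a ramp-up


class EdgeWatcher:
    """Watches new connects at the edge and keeps a tiny threat-intel memory."""

    def __init__(self):
        self.connects = defaultdict(deque)  # src -> timestamps of recent connects
        self.threat_intel = {}              # behavior signature -> first-seen time

    @staticmethod
    def signature(dst_port, banner):
        # Signature deliberately excludes the source address: the actor is
        # expected to tear down one cloud and return from another.
        return (dst_port, banner)

    def observe(self, ts, src, dst_port, banner):
        """Return the action for one new connection attempt."""
        sig = self.signature(dst_port, banner)
        if sig in self.threat_intel:
            return "ack-immediately"        # known method: no waiting for a ramp
        window = self.connects[src]
        window.append(ts)
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()                # drop connects outside the window
        if len(window) >= RAMP_THRESHOLD:
            self.threat_intel[sig] = ts     # ramp seen: record the signature
            return "ack-with-payload"
        return "observe"


def run_sample():
    """Constructed event stream: one actor ramps up, moves, and comes back."""
    events = [(t, "203.0.113.5", 22, "SSH-2.0-constructed-bot") for t in range(5)]
    events.append((100, "198.51.100.7", 22, "SSH-2.0-constructed-bot"))  # new cloud
    events.append((101, "192.0.2.9", 443, "constructed-browser"))        # unrelated
    watcher = EdgeWatcher()
    return [watcher.observe(*e) for e in events]


if __name__ == "__main__":
    for action in run_sample():
        print(action)
```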

