List: dailydave
Subject: Re: [Dailydave] Tigers are not small.
From: George Bakos <gbakos () alpinista ! org>
Date: 2015-05-22 20:22:32
Message-ID: 20150522202232.3277bce5 () alpinista ! org
I've posed that question to host agent-based forensics vendors, with
similar "magic" being touted as how they can still be trusted to return
untainted data in the face of malicious kernel, or hardware,
instrumentation.
g
On Thu, 14 May 2015 10:11:11 -0400
William Arbaugh <warbaugh@gmail.com> wrote:
> On May 14, 2015 at 9:28:43 AM, Anton Chuvakin (anton@chuvakin.org)
> wrote: On Mon, May 11, 2015 at 12:20 PM, Dave Aitel
> <dave@immunityinc.com> wrote:
>
> And I don't know any modern HIDS company willing to offer a solution
> that they would claim is resilient against an attacker who already
> has access to the platform and can prepare counter-measures. This is,
> as the NSA might put it, a "somewhat challenging problem to attack".
>
>
> You know, this question bugged me all the time while I was
> researching what we now call "the EDR space." How can those agents
> co-exist with "advanced" attacker on the same endpoint and still
> deliver useful telemetry? It turned out that SOME of the vendors
> have in fact thought about it long and hard, and the list of tricks
> they use to keep reporting from the owned endpoint is long indeed.
> On the other hand, sad hilarity ensues when some formerly IT ops
> focused endpoint agents are repurposed for "APT IR"....
>
> Exactly - one of the big EDR vendors told me their product was a
> "rootkit" at RSA 2014.
>
--
_______________________________________________
Dailydave mailing list
Dailydave@lists.immunityinc.com
https://lists.immunityinc.com/mailman/listinfo/dailydave