[Dailydave] Tigers are not small.

George Bakos gbakos at alpinista.org
Fri May 22 16:22:32 EDT 2015


I've posed that question to host agent-based forensics vendors, with
similar "magic" being touted as how they can still be trusted to return
untainted data in the face of malicious kernel, or hardware,
instrumentation. 

g

On Thu, 14 May 2015 10:11:11 -0400
William Arbaugh <warbaugh at gmail.com> wrote:

> On May 14, 2015 at 9:28:43 AM, Anton Chuvakin (anton at chuvakin.org) wrote:
> 
> On Mon, May 11, 2015 at 12:20 PM, Dave Aitel <dave at immunityinc.com> wrote:
> 
> And I don't know any modern HIDS company willing to offer a solution
> that they would claim is resilient against an attacker who already
> has access to the platform and can prepare counter-measures. This is,
> as the NSA might put it, a "somewhat challenging problem to attack".
> 
> 
> You know, this question bugged me all the time while I was
> researching what we now call "the EDR space." How can those agents
> co-exist with "advanced" attacker on the same endpoint and still
> deliver useful telemetry?  It turned out that SOME of the vendors
> have in fact thought about it long and hard, and the list of tricks
> they use to keep reporting from the owned endpoint is long indeed.
> On the other hand, sad hilarity ensues when some formerly IT ops
> focused endpoint agents are repurposed for "APT IR"....
> 
> Exactly - one of the big EDR vendors told me their product was a
> “rootkit” at RSA 2014.
> 


