[Dailydave] Tigers are not small.

William Arbaugh warbaugh at gmail.com
Thu May 14 10:11:11 EDT 2015


On May 14, 2015 at 9:28:43 AM, Anton Chuvakin (anton at chuvakin.org) wrote:
On Mon, May 11, 2015 at 12:20 PM, Dave Aitel <dave at immunityinc.com> wrote:

And I don't know any modern HIDS company willing to offer a solution that they would claim is resilient against an attacker who already has access to the platform and can prepare counter-measures. This is, as the NSA might put it, a "somewhat challenging problem to attack".


You know, this question bugged me all the time while I was researching what we now call "the EDR space." How can those agents co-exist with "advanced" attacker on the same endpoint and still deliver useful telemetry?  It turned out that SOME of the vendors have in fact thought about it long and hard, and the list of tricks they use to keep reporting from the owned endpoint is long indeed.  On the other hand, sad hilarity ensues when some formerly IT ops focused endpoint agents are repurposed for "APT IR"....

Exactly - one of the big EDR vendors told me their product was a “rootkit” at RSA 2014.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20150514/227f61b4/attachment.html>


More information about the Dailydave mailing list