<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Mon, May 11, 2015 at 12:20 PM, Dave Aitel <span dir="ltr"><<a href="mailto:dave@immunityinc.com" target="_blank">dave@immunityinc.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><br>
And I don't know any modern HIDS company willing to offer a solution
that they would claim is resilient against an attacker who already
has access to the platform and can prepare counter-measures. This
is, as the NSA might put it, a "somewhat challenging problem to
attack".<span><font color="#888888"><br>
<br></font></span></div></blockquote><div><br></div><div>You know, this question bugged me all the time while I was researching what we now call "the EDR space." How can those agents co-exist with "advanced" attacker on the same endpoint and still deliver useful telemetry? It turned out that SOME of the vendors have in fact thought about it long and hard, and the list of tricks they use to keep reporting from the owned endpoint is long indeed. On the other hand, sad hilarity ensues when some formerly IT ops focused endpoint agents are repurposed for "APT IR"....<br></div><div><br></div></div>-- <br><div><div dir="ltr"><div>Dr. Anton Chuvakin<br>Site: <a href="http://www.chuvakin.org" target="_blank">http://www.chuvakin.org</a><br>Twitter: <a href="https://twitter.com/anton_chuvakin" target="_blank">@anton_chuvakin</a><br>Work: <a href="http://www.linkedin.com/in/chuvakin" target="_blank">http://www.linkedin.com/in/chuvakin</a></div></div></div>
</div></div>