Re: Tigers are not small.

[George Bakos <gbakos () alpinista org>]

I've posed that question to host agent-based forensics vendors, with
similar "magic" being touted as how they can still be trusted to return
untainted data in the face of malicious kernel, or hardware,
instrumentation. 

g

On Thu, 14 May 2015 10:11:11 -0400
William Arbaugh <warbaugh () gmail com> wrote:

> On May 14, 2015 at 9:28:43 AM, Anton Chuvakin (anton () chuvakin org)
> wrote: On Mon, May 11, 2015 at 12:20 PM, Dave Aitel
> <dave () immunityinc com> wrote:
>
> And I don't know any modern HIDS company willing to offer a solution
> that they would claim is resilient against an attacker who already
> has access to the platform and can prepare counter-measures. This is,
> as the NSA might put it, a "somewhat challenging problem to attack".
>
>
> You know, this question bugged me all the time while I was
> researching what we now call "the EDR space." How can those agents
> co-exist with "advanced" attacker on the same endpoint and still
> deliver useful telemetry?  It turned out that SOME of the vendors
> have in fact thought about it long and hard, and the list of tricks
> they use to keep reporting from the owned endpoint is long indeed.
> On the other hand, sad hilarity ensues when some formerly IT ops
> focused endpoint agents are repurposed for "APT IR"....
>
> Exactly - one of the big EDR vendors told me their product was a
> “rootkit” at RSA 2014.



-- 
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave