On May 14, 2015 at 9:28:43 AM, Anton Chuvakin ([email protected]) wrote:
On Mon, May 11, 2015 at 12:20 PM, Dave Aitel <[email protected]> wrote:

And I don't know any modern HIDS company willing to offer a solution that they 
would claim is resilient against an attacker who already has access to the 
platform and can prepare counter-measures. This is, as the NSA might put it, a 
"somewhat challenging problem to attack".
You know, this question bugged me all the time while I was researching what we 
now call "the EDR space." How can those agents co-exist with an "advanced" 
attacker on the same endpoint and still deliver useful telemetry?  It turned 
out that SOME of the vendors have in fact thought about it long and hard, and 
the list of tricks they use to keep reporting from the owned endpoint is long 
indeed.  On the other hand, sad hilarity ensues when some formerly IT-ops 
focused endpoint agents are repurposed for "APT IR"...

Exactly - one of the big EDR vendors told me their product was a “rootkit” at 
RSA 2014.

_______________________________________________
Dailydave mailing list
[email protected]
https://lists.immunityinc.com/mailman/listinfo/dailydave