Dailydave mailing list archives
Re: More offensive security metrics and you
From: Kevin Noble <knoble () terremark com>
Date: Wed, 26 Aug 2009 09:02:17 -0400
I tend to overclock on some of Dave's teaser comments, so I will post what has come to mind.

Achieving a persistent presence with a low probability of detection and a low probability of eradication is achieved by subverting hardware and out-of-band communication. I think of the condition as 'relative superiority', as all attacks (that I know of) are temporary in nature. At some point, entrenching makes the attacker switch to defender, and only the dormant can really be non-temporary (think of human virus carriers). Many have spoken of subverting firmware as a means to resiliency, but these are all but single methods of persistence. No one or two techniques gives an attacker 'permanent residence' status; only the methodical entrenchment of getting enough information that you could run the place in the absence of the IT staff will allow one to remain. It is the dedication of becoming intimate with an organization that is so effective.

One of the more interesting techniques demonstrated by Rich Smith at Immunity was frequent overwrites of byte code, or even wiping of byte code in memory, leaving only the stub to inject the next byte code. On the chance of detection, the byte code does not reveal past presence or overall intent (not in itself). He explained this as just one disciplined technique among many. I can imagine an attacker exposing some systems with routine malware just to test an incident response and build up an 'immunity' (heh) to exposure.

I don't pretend to be pulling back the curtain on the topic, but I find the concept intriguing.

Knoble () Terremark com
Current thread:
- More offensive security metrics and you dave (Aug 17)
- Re: More offensive security metrics and you dan (Aug 18)
- <Possible follow-ups>
- Re: More offensive security metrics and you Kevin Noble (Aug 26)