Dailydave mailing list archives

Re: More offensive security metrics and you


From: Kevin Noble <knoble () terremark com>
Date: Wed, 26 Aug 2009 09:02:17 -0400

I tend to overclock on some of Dave's teaser comments, so I will post what has come to mind.

Achieving a persistent presence with a low probability of detection and a low probability of eradication is achieved by subverting hardware and out-of-band communication. I think of the condition as 'relative superiority', as all attacks (that I know of) are temporary in nature. At some point, entrenching makes the attacker switch to defender, and only the dormant can really be non-temporary (think of human virus carriers). Many have spoken of subverting firmware as a means to resiliency, but these are all but single methods of persistence.

No one or two techniques give an attacker 'permanent residence' status; only the methodical entrenchment of getting enough information that you could run the place in the absence of the IT staff will allow one to remain. It is the dedication of becoming intimate with an organization that is so effective.

One of the more interesting techniques demonstrated by Rich Smith at Immunity was frequent overwrites of byte code, or even wiping of byte code in memory, leaving only the stub to inject the next byte code. On the chance of detection, the byte code does not reveal past presence or overall intent (not in itself). He explained this as just one disciplined technique among many.

I can imagine an attacker exposing some systems with routine malware just to test an incident response and build up an 'immunity' (heh) to exposure. I don't pretend to be pulling back the curtain on the topic, but I find the concept intriguing.

Knoble () Terremark com

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave