1) 'Detection' products will never detect the most advanced, targeted attacks. We must continually push boundaries on mitigating technologies. This is a gradual process that takes time.
Replying to @depletionmode @taviso and
2) A vuln is worthless if non-exploitable due to mitigation. It follows, therefore, from there being a market for these things today that mitigations in the field are currently ineffective in specific scenarios.
3) A vuln is useless without some follow-up post-exploitation action (the obvious) 4) The folk purchasing these vulns aren't always sophisticated enough to come up with their own variants of (3) ad infinitum. Some are, some are not.
5) Those that are, we're back at (1), but at some point, that function may change even for those folk (we're not there yet).
6) Those that aren't, often they're also not sophisticated enough not to trip over some simple, stupid detection. Therefore, that detection had value for the endpoint that now has visibility into the attack.
7) The better the detection coverage, the higher the chance of detecting the attacker of level in (6). Developing these detection technologies is not cheap (as has been pointed out quite well).
On the other hand, cost is balanced against the (a) value to the endpoint of detecting such an attack, (b) value to the vendor of potentially discovering the vulnerability that led to the detection (I have empirically that this happens).
8) The industry isn't *all* snake oil (although there's enough of that to go around). Fact is that detection solutions have an important place in the current landscape.
Now in respect to SGRA specifically. Much focus today on a single piece of detection logic around a known invariant technique. We all know the detection is easily bypassable (today) by introducing a temporal element.
However, my position is that it *may* become more difficult when the post-exploitation action is forced to be more persistent in nature (e.g. certain 'jailbreak' scenarios).
You don't have to restate your position, I get it. A colander literally blocks billions of water molecules, that's a really big number. You've seen it with your own eyes. Why can't I just agree that a dam made of colanders is better than nothing?