I mean you do have a point where the attack originated on the end target. In other scenarios, losing persistence on a foothold you are pivoting from to a broad network compromise is an actual cost driver.
Replying to @dwizzzleMSFT
I'm pretty skeptical there's any benefit. If today's playbook assumes persistence is trivial, then sure, there's a one-time cost to re-tool when that changes, but that's true of lots of low-quality mitigations...
2 replies 0 retweets 7 likes
Replying to @taviso
What do you mean by retool in this case? Find a new method to achieve persistence or change approach to not assume persistence?
1 reply 0 retweets 0 likes
Replying to @dwizzzleMSFT
It doesn't seem like much more than a minor inconvenience, so just changing approach. We're on the same page that making "persistence" hard means an attacker has a full chain, but after reboot the device is in a known-good state, and attacker can just re-compromise?
3 replies 0 retweets 1 like
Replying to @taviso @dwizzzleMSFT
For one-click or worse exploits that's a concern... you'd want to persist in the target environment somewhere privileged enough to reinject without a click, if not on the actual target device. You need a bigger inventory of exploits and take the observable risk of attacking the environment.
1 reply 0 retweets 8 likes
Replying to @richinseattle @dwizzzleMSFT
Not sure I agree, persistence isn't the goal, the attacker wanted something (e.g. access to data). I don't understand the rationale behind "Don't worry, the attacker achieved their goal, but if you reboot they will be slightly inconvenienced!". Well, thanks....?
4 replies 1 retweet 9 likes
Replying to @taviso @dwizzzleMSFT
We can't presume a gov't only needs access once or that the time in which they can deploy the exploit is the same time in which they need access to the device. All we know is the goal is to gain access, not for what reason or how long.
1 reply 0 retweets 7 likes
Replying to @richinseattle @dwizzzleMSFT
Um.... Isn't presuming how long an attacker requires *exactly* what you're doing? I'm saying that they achieved full compromise, why do you presume that isn't sufficient?
2 replies 0 retweets 0 likes
Replying to @taviso @dwizzzleMSFT
Because the discussion was about persistence already. I'm not introducing the concept, you're trying to close the door on that part of the convo. Since we can't know if it's relevant, both positions are equally wrong :p
1 reply 0 retweets 1 like
Monitoring journalists is a pretty obvious use case here. If it's an obvious chain, like send message -> open file, it's probably not something you'd want to do more than once.
1 reply 0 retweets 0 likes
Three issues: firstly, isn't a complete compromise bad enough? Secondly, "anti-persistence" just means it's easier to reset to a known good state than reimaging, unless you're proposing rolling reboots, so what? Thirdly, don't journalists open lots of documents? Easy to repeat.