Yes but that requires the attacker to still have access to the target, which is often not the case.
Also gives the victim's defenders a chance to detect each re-compromise (assuming detectable). And gives the victim the chance to patch or otherwise mitigate between each re-compromise (assuming protectable).
Replying to @JasonGeffner @dwizzzleMSFT
That doesn't make any sense, attackers already need to avoid detection, and defenders can already reimage and patch or mitigate. This "persistence" thing just seems buzzwordy to me.
Replying to @taviso @dwizzzleMSFT
Avoiding detection N times is harder than avoiding detection 1 time (especially with N spanning multiple days/weeks/months). An attacker who gets a persistent foothold can prevent patching or create another backdoor, but w/o persistence they need to keep recompromising.
Replying to @JasonGeffner @dwizzzleMSFT
This still makes no sense. Unless you are proposing rolling hourly reboots, then you need to be detected before taking action and resetting to a known good state, right?
Replying to @taviso @dwizzzleMSFT
Not proposing hourly reboots :) But some device classes (phones, for example) do get restarted more than others (old-school monolithic web servers).
Replying to @JasonGeffner @dwizzzleMSFT
Sure, perhaps weekly, maybe daily at a stretch; isn't being compromised that long bad enough? I know I wouldn't feel much better if you told me an attacker had kernel code exec, but only for a few days!
Replying to @taviso @dwizzzleMSFT
Depends on the attacker's objectives. If it's stealing your browser's current cookies then a few seconds is more than enough. But if objective is capturing conversations or waiting for corporate earnings numbers to become available then attacker needs to focus on long-term.
Replying to @JasonGeffner @dwizzzleMSFT
Right, this is an example of a minor change in approach - you recompromise after the phone is rebooted, or wait until you know earnings are about to be released. Would you agree that lack of long-term persistence does not prevent those two attacks?
Replying to @taviso @dwizzzleMSFT
If attacker can recompromise at will without detection or prevention then persistence doesn't really matter anymore. But if attacker only gets a single chance to compromise victim and objective data is not yet on victim's device then persistence does matter.
In your opinion, is that a common issue? Attackers only having a single chance to compromise, and only want data that doesn't exist yet, and won't exist before the next normal reboot (let's say, a month for patch Tuesday) - and no other way to leverage a full compromise?
Replying to @taviso @dwizzzleMSFT
Common enough in the APT space to make non-persistence a worthwhile defense-in-depth measure.
Replying to @JasonGeffner @dwizzzleMSFT
Hah, it was rhetorical, it's not common at all. This kind of minor inconvenience happens literally all the time, some patch breaks some technique - exploitation still continues, attackers simply adjust.