Keith
@kwm
2/ Detecting memory-only attacks as a forensic analyst is relatively easy. To do it automatically, accurately and at scale is non-trivial.
7/18/2016, 4:30:41 PM
Favs: 0
Retweets: 0
Keith
@kwm
3/ If detecting memory-only attacks at scale was easy, we'd have a capable product and we wouldn't be having this dialog.
7/18/2016, 4:31:04 PM
Favs: 0
Retweets: 0
Keith
@kwm
4/ The fundamental problem: For every clever technique that detects a class of attack, there will be an equally clever evasion.
7/18/2016, 4:31:17 PM
Favs: 1
Retweets: 0
Keith
@kwm
5/ For the hardest and/or newest of problems, it will always be unrealistic to expect reliable detection from products alone.
7/18/2016, 4:31:27 PM
Favs: 0
Retweets: 0
Keith
@kwm
6/ Reality: $product misses memory-only attacks. We rely on people + other data + analysis to detect delivery, lateral movement, exfil.
7/18/2016, 4:31:38 PM
Favs: 0
Retweets: 0
Keith
@kwm
7/ I agree that we need better memory-only detection, but I tend not to focus on product shortcomings unless said product promises as much.
7/18/2016, 4:31:50 PM
Favs: 0
Retweets: 0