“Do you believe in bible? – Totally, man, I’ve seen one!”
OK, do you believe in APT automatic remediation? In fact, have you seen one done successfully? BTW, here we define “remediation” as “putting it the way it was.”
My point is that automated remediation of compromised systems – however much desired – is generally hopeless, especially in cases of real APT malware. Even with a well-designed kernel-level EDR that records “everything” (or one that uses fancy VM introspection approaches), making sure – and I mean 100.0% sure – that all the traces of the attacker or its creation (the malware) have been found and cleaned is impossible. Sure, the anti-virus guys can remediate commodity malware with decent certainty, but even there success is often incomplete or not assured…
Frankly, “APT remediation” is nuking it from orbit, aka disk reimaging. In fact, given firmware persistence mechanisms, maybe this would be the only truly reliable “remediation” tool:
The practical conclusion of this: if you are getting EDR, don’t insist too hard on remediation features; you either won’t use them much or you won’t trust them.
Related blog posts on EDR:
- EDR Research Commencing: Call To Action!
- Where Does EDR End and “NG AV” Begin?
- Reality Check on EDR / ETDR
- The Future Is Here … And It Is … Network? Endpoint?
- My Paper on Endpoint Tools Publishes (2013)
- Endpoint Threat Detection & Response Deployment Architecture
- Essential Processes Around Endpoint Threat Detection & Response Tools
- Named: Endpoint Threat Detection & Response
- Endpoint Threat Indication & Response?
- Endpoint Visibility Tool Use Cases
- On Endpoint Sensing
- RSA 2013 and Endpoint Agent Re-Emergence
- All posts tagged endpoint