Like, say, that backdoor someone wrote an article about recently which ran from RAM and had a sophisticated self-destruct mechanism that erased all traces if anyone tried to dump its memory? I wonder how many companies had exploits like that which they either didn't notice or didn't have the sophistication to actually catch and dump.
There are defences for this: if one controls/monitors network access for every app in the system, then as soon as any unusual network access is triggered, it is investigated and blocked.
In my home Windows setup, only Windows Defender, Firefox and Chrome are allowed outgoing internet access on a regular basis. Everything else is blocked.
Windows Update is only allowed when I'm in the mood for it (~once a year). Anyone can do this easily by controlling svchost.exe's internet access with the Windows Firewall app.
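The setup described in the comment above, as an added PowerShell example (not code from the commenter): a default-deny outbound policy on Windows Defender Firewall with explicit allow rules for a few programs, an on/off rule for the Windows Update service inside svchost.exe, and blocked-connection logging so that the "investigate" step has something to look at. The program paths, rule names and log path are assumptions; check them against your own install. Run it from an elevated PowerShell.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Assumed paths: adjust to your machine.
$allowed = @{
    'Allow Firefox outbound'  = 'C:\Program Files\Mozilla Firefox\firefox.exe'
    'Allow Chrome outbound'   = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
    # Defender's engine lives under ProgramData on current builds; path is an assumption.
    'Allow Defender outbound' = 'C:\ProgramData\Microsoft\Windows Defender\Platform\*\MsMpEng.exe'
}
$svchost = "$env:SystemRoot\System32\svchost.exe"

# 1. Default-deny outbound on every profile, and log what gets blocked so
#    unexpected connection attempts can be investigated later.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultOutboundAction Block `
    -LogBlocked True `
    -LogFileName "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" `
    -LogMaxSizeKilobytes 32767

# 2. Explicit allow rules for the programs that may talk to the internet.
foreach ($name in $allowed.Keys) {
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound `
            -Program $allowed[$name] -Action Allow -Profile Any | Out-Null
    }
}

# 3. svchost.exe hosts many services, not just Windows Update. The DNS Client
#    service (Dnscache) runs in it, so blocking svchost entirely breaks name
#    resolution for the allowed browsers too. Allow only that service on port 53.
if (-not (Get-NetFirewallRule -DisplayName 'Allow DNS client' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'Allow DNS client' -Direction Outbound `
        -Program $svchost -Service Dnscache -Protocol UDP -RemotePort 53 `
        -Action Allow -Profile Any | Out-Null
}

# 4. Windows Update (wuauserv) gets its own allow rule, created disabled.
#    Toggle it when you actually want to update.
$wuRule = 'Allow Windows Update (toggle)'
if (-not (Get-NetFirewallRule -DisplayName $wuRule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $wuRule -Direction Outbound `
        -Program $svchost -Service wuauserv -Action Allow -Profile Any `
        -Enabled False | Out-Null
}

function Enable-WindowsUpdateEgress  { Enable-NetFirewallRule  -DisplayName $wuRule }
function Disable-WindowsUpdateEgress { Disable-NetFirewallRule -DisplayName $wuRule }

# 5. Show the resulting outbound policy for review.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction, LogBlocked
Get-NetFirewallRule -Direction Outbound -Action Allow |
    Where-Object { $_.DisplayName -like 'Allow *' } |
    Select-Object DisplayName, Enabled
```

Two caveats worth knowing before copying this: Windows Update pulls content through more than wuauserv (Delivery Optimization and BITS also run inside svchost.exe), so the toggle rule may need extra `-Service` rules on your build; and an explicit block rule always beats an allow rule in Windows Firewall, so if a previous block rule for svchost.exe exists, the DNS and update allow rules above will not take effect until it is removed.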
> If one controls/monitors for every app in system
Quis custodiet ipsos custodes? Who monitors the monitor?
What happens when it is compromised, loopholed through, gets its inputs tampered with, etc.? For a home setup and its threat model, this sounds like a simple, workable plan. When you're dealing with attacks of the level of sophistication described in the OP, trusting trust [1] becomes complicated and difficult.
I think you mean "blocked, then investigated", which it sounds like you're doing. A company running a large variety of software, particularly third party, needs to have staffing sufficient for such investigations.