[Dailydave] Cyber deterrence in action

Dmitri Alperovitch dmitri at crowdstrike.com
Tue Apr 14 09:36:09 EDT 2015


Anything is possible, of course, but we record and transmit to the cloud pretty much all execution activities - process creation, thread creation, DLL/kernel driver loads, etc. (about 150+ different event types) and we've gone through all the events with a fine-tooth comb. The evidence is pretty clear - they ran the commands to check for us and then all processes/network connections were terminated - they simply GTFO!

Dmitri

On 4/14/15, 9:31 AM, "Andreas Lindh" <andreas at haxx.ml> wrote:

>How do you know that they've ceased their activity, couldn't it just
>as well be that they've found the Falcon's blind spot? ;-)
>
>Jokes aside, I agree totally with the message that raising the cost of
>attack is the way forward for defense, but doesn't this particular
>case effectively boil down to the same ol' "how do you know what you
>don't know?" argument?
>
>Anyway, for the sake of your clients (and everyone) I hope you're
>right. :)
>
>Andreas
>
>On 2015-04-14 06:10, Dmitri Alperovitch wrote:
>> I wanted to share with this group a blog I published earlier today
>> on how we were able to successfully get a Chinese
>> government-affiliated group (at CrowdStrike we call them Hurricane
>> Panda) to cease their multi-year campaigns against two of our
>> customers who are using our Falcon endpoint technology. This is the
>> first time we've ever seen a persistent nation state actor cease a
>> long term high priority campaign and perhaps is a great sign for
>> the future of defense.
>> 
>> Hopefully this is of interest and will spur good discussion about
>> new defense models that focus on significantly raising cost and
>> effort to the adversary to impact their cost/benefit analysis.
>> 
>> http://blog.crowdstrike.com/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/
>>
>> Best,
>> 
>> Dmitri
>> 
>> 
>> 
>> _______________________________________________ Dailydave mailing
>> list Dailydave at lists.immunityinc.com 
>> https://lists.immunityinc.com/mailman/listinfo/dailydave
>> 
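As an added example (not CrowdStrike's code, and not the Falcon sensor's real event format), here is a small detector over constructed endpoint telemetry that flags the pattern Dmitri describes above: a process-creation event whose command line references the sensor, followed within a short window by process terminations and connection closes with no new activity. The pipe-delimited event format, host names, PIDs, and the sensor names `sensor_svc` / `sensor.exe` are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Placeholder names for the endpoint sensor's service and process (assumption;
# the thread names neither). A real deployment would use its own product names.
SENSOR_INDICATORS = ("sensor_svc", "sensor.exe")

# Constructed sample telemetry: "timestamp|host|type|pid|detail", one event per line.
SAMPLE_EVENTS = """\
2015-04-13T22:01:05|ws-17|ProcessCreate|4120|cmd.exe /c tasklist
2015-04-13T22:01:09|ws-17|ProcessCreate|4133|sc query sensor_svc
2015-04-13T22:01:14|ws-17|ProcessTerminate|4120|
2015-04-13T22:01:15|ws-17|ProcessTerminate|3980|
2015-04-13T22:01:15|ws-17|NetworkClose|3980|203.0.113.7:443
2015-04-13T22:01:16|ws-17|ProcessTerminate|4133|
"""

# Constructed benign case: an admin queries the service, then keeps working.
BENIGN_EVENTS = """\
2015-04-13T22:05:00|ws-02|ProcessCreate|5001|sc query sensor_svc
2015-04-13T22:05:03|ws-02|ProcessTerminate|5001|
2015-04-13T22:05:10|ws-02|ProcessCreate|5010|notepad.exe
"""

def parse_events(text):
    """Parse the constructed line format into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, host, etype, pid, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "type": etype, "pid": int(pid), "detail": detail})
    return sorted(events, key=lambda e: e["ts"])

def find_cessation_after_discovery(text, window_seconds=60, min_terminations=2):
    """Flag sensor-discovery commands followed by a burst of terminations and
    connection closes with no further process creation on that host (heuristic)."""
    events, findings = parse_events(text), []
    for i, ev in enumerate(events):
        if ev["type"] != "ProcessCreate":
            continue
        if not any(ind in ev["detail"].lower() for ind in SENSOR_INDICATORS):
            continue
        deadline = ev["ts"] + timedelta(seconds=window_seconds)
        later = [e for e in events[i + 1:] if e["host"] == ev["host"] and e["ts"] <= deadline]
        terminated = [e["pid"] for e in later if e["type"] == "ProcessTerminate"]
        closed = [e["detail"] for e in later if e["type"] == "NetworkClose"]
        new_procs = [e for e in later if e["type"] == "ProcessCreate"]
        if len(terminated) >= min_terminations and not new_procs:
            findings.append({"host": ev["host"], "discovery": ev["detail"],
                             "at": ev["ts"].isoformat(), "terminated_pids": terminated,
                             "closed_connections": closed})
    return findings

if __name__ == "__main__":
    for f in find_cessation_after_discovery(SAMPLE_EVENTS):
        print("possible sensor-triggered cessation:", f)
```

The heuristic is deliberately narrow: a discovery command alone is ordinary admin activity, and it is only the abrupt silence afterwards that matches the behaviour described in the thread.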