[Dailydave] Cyber deterrence in action

Daniel Clemens daniel.clemens at packetninjas.net
Tue Apr 14 13:08:06 EDT 2015


On Apr 14, 2015, at 8:36 AM, Dmitri Alperovitch <dmitri at crowdstrike.com> wrote:

> Anything is possible, of course, but we record and transmit to the cloud pretty much all execution activities - process creation, thread creation, dll/kernel driver loads, etc (about 150+ different event types) and we've gone through all the events with a fine-tooth comb. The evidence is pretty clear - they ran the commands to check for us and then all processes/network connections were terminated - they simply GTFO!

Re:
Unless of course they backdoored a router or switch or anything else?
We call the team that does this BadAssAlbinoRhinos.
Did you have complete network traffic visibility to confirm other movement had stopped?

Daniel Clemens

O +1 202 747 0043 Ext 7001
F  +1 205 449 4731
Silent Circle: danielclemens

Packet Ninjas
http://www.packetninjas.net
