[Dailydave] "When you shoot at the king, you best not miss."

Paul Melson pmelson at gmail.com
Fri Jun 17 11:25:00 EDT 2016

Two thoughts on this mess:

1. It is exceptionally rare for a breach response investigation to find
just one actor. This is a big part of why attribution is hard.
Investigators get bits and pieces of artifacts from multiple actors,
sometimes with timelines measured in years.  (CrowdStrike's own reporting
suggests this is the case at DNC, the question is only to what degree.)
 Putting them together in any sort of conclusive narrative is almost

2. It seems possible to this civilian observer that SVR may have deployed a
cover persona and dumped the docs as a response to the CrowdStrike report,
perhaps in hopes of having a level of plausible deniability for motivations
like what Dave described in the original post.

On Fri, Jun 17, 2016 at 1:28 AM, Allen <multimode1876 at gmail.com> wrote:

> | It's entirely possible that this is a disinformation campaign, or that
> attribution is hard, and Crowdstrike made a mistake
> |
> I'm inclined to believe that while attribution may be hard there are
> entirely too many market incentives to brand any given attack with one of
> the nation state animal totems.
> The fact that attribution is frequently derived from prior intelligence
> blended with the fact that all of the source data is confidential only
> lends itself to confirmation bias. A small attribution mistake by one
> vendor can really snowball.
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20160617/4c36ef8e/attachment.html>

More information about the Dailydave mailing list