[Dailydave] Cyber deterrence in action

Dmitri Alperovitch dmitri at crowdstrike.com
Tue Apr 14 14:49:12 EDT 2015


Hi Daniel,

These are very good questions and while I can't get into specifics of the customers' environments and what the attackers were after, I will just again reinforce that we have a high degree of confidence that the visibility we have gives us very high confidence that they were kicked out and went away (but again nothing is 100% in life).

Dmitri




On 4/14/15, 1:08 PM, "Daniel Clemens" <daniel.clemens at packetninjas.net> wrote:

>
>On Apr 14, 2015, at 8:36 AM, Dmitri Alperovitch <dmitri at crowdstrike.com> wrote:
>
>> Anything is possible, of course, but we record and transmit to the cloud pretty much all execution activities - process creation, thread creation, dll/kernel driver loads, etc (about 150+ different event types) and we've gone through all the events with a fine-tooth comb. The evidence is pretty clear - they ran the commands to check for us and then all processes/network connections were terminated - they simply GTFO!
>
>Re:
>Unless of course they backdoored a router or switch or anything else?
>We call the team that does this BadAssAlbinoRhinos. 
>Did you have complete network traffic visibility to confirm other movement had stopped?
>
>Daniel Clemens
>
>O +1 202 747 0043 Ext 7001
>F  +1 205 449 4731
>Silent Circle: danielclemens
>
>Packet Ninjas
>http://www.packetninjas.net
>