Dailydave mailing list archives
Re: Cyber deterrence in action
From: Daniel Clemens <daniel.clemens () packetninjas net>
Date: Tue, 14 Apr 2015 12:08:06 -0500
On Apr 14, 2015, at 8:36 AM, Dmitri Alperovitch <dmitri () crowdstrike com> wrote:
Anything is possible, of course, but we record and transmit to the cloud pretty much all execution activities - process creation, thread creation, dll/kernel driver loads, etc (about 150+ different event types) and we've gone through all the events with a fine-tooth comb. The evidence is pretty clear - they ran the commands to check for us and then all processes/network connections were terminated - they simply GTFO!
Re: Unless of course they backdoored a router or switch or anything else? We call the team that does this BadAssAlbinoRhinos. Did you have complete network traffic visibility to confirm other movement had stopped?

Daniel Clemens
O +1 202 747 0043 Ext 7001
F +1 205 449 4731
Silent Circle: danielclemens
Packet Ninjas
http://www.packetninjas.net
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
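The sequence Dmitri describes (the intruder runs commands that look for the sensor, then every process and network connection in that activity tree goes away) is something endpoint telemetry can be searched for directly. The script below is an added example, not code from the post, from CrowdStrike, or from Packet Ninjas: it groups constructed process and network events by activity tree, finds sensor-enumeration commands, and reports trees where everything exited shortly afterwards. The event schema (ts, type, tree_id, pid, cmdline), the recon command list and the sensor names are all assumptions chosen for illustration, and the events themselves are constructed. Note that, as Daniel's question implies, this only covers what the endpoint agent saw; a foothold on a router or switch would produce no events in this stream at all.

```python
"""Flag 'check for the EDR, then disengage' sequences in endpoint telemetry.

Added example; not the mailing-list post's code and not any vendor's code.
The field names and the command/sensor lists are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Commands an intruder typically uses to look for a sensor (assumed list).
RECON_COMMANDS = ("tasklist", "sc query", "sc.exe query", "wmic service", "wmic process",
                  "get-process", "get-service", "driverquery", "fltmc")
# Process/service names that identify a sensor (assumed list).
SENSOR_NAMES = ("csagent", "csfalcon", "crowdstrike", "sysmon", "msmpeng", "carbonblack")


def ev(ts, etype, tree_id, pid, cmdline=""):
    """Build one constructed telemetry event (assumed schema)."""
    return {"ts": ts, "type": etype, "tree_id": tree_id, "pid": pid, "cmdline": cmdline}


# Constructed sample telemetry. T1: recon then full disengagement.
# T2: an admin runs the same check but keeps working. T3: no recon at all.
SAMPLE_EVENTS = [
    ev("2015-04-14T10:00:00", "ProcessCreate", "T1", 4100, "cmd.exe"),
    ev("2015-04-14T10:00:01", "NetworkConnect", "T1", 4100),
    ev("2015-04-14T10:00:05", "ProcessCreate", "T1", 4120, "tasklist /svc"),
    ev("2015-04-14T10:00:06", "ProcessTerminate", "T1", 4120),
    ev("2015-04-14T10:00:07", "ProcessCreate", "T1", 4124, "sc query csagent"),
    ev("2015-04-14T10:00:08", "ProcessTerminate", "T1", 4124),
    ev("2015-04-14T10:00:09", "NetworkClose", "T1", 4100),
    ev("2015-04-14T10:00:10", "ProcessTerminate", "T1", 4100),
    ev("2015-04-14T10:30:00", "ProcessCreate", "T2", 5000, "powershell.exe -c Get-Service csagent"),
    ev("2015-04-14T10:35:00", "ProcessCreate", "T2", 5010, "notepad.exe"),
    ev("2015-04-14T11:00:00", "ProcessCreate", "T3", 6000, "cmd.exe"),
    ev("2015-04-14T11:00:02", "ProcessCreate", "T3", 6010, "ping 10.0.0.1"),
    ev("2015-04-14T11:00:06", "ProcessTerminate", "T3", 6010),
    ev("2015-04-14T11:00:07", "ProcessTerminate", "T3", 6000),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def looks_like_sensor_recon(cmdline):
    """True when the command line is one of the enumeration commands."""
    c = cmdline.lower()
    return any(r in c for r in RECON_COMMANDS)


def names_sensor(cmdline):
    """True when the command line mentions a sensor by name."""
    c = cmdline.lower()
    return any(s in c for s in SENSOR_NAMES)


def find_recon_then_disengage(events, window_seconds=120):
    """Return one finding per activity tree that ran sensor recon and then
    terminated every process and closed every connection within the window."""
    by_tree = defaultdict(list)
    for e in events:
        by_tree[e["tree_id"]].append(e)

    findings = []
    for tree_id, evs in by_tree.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        recon = [e for e in evs if e["type"] == "ProcessCreate" and looks_like_sensor_recon(e["cmdline"])]
        if not recon:
            continue
        t_recon = parse_ts(recon[0]["ts"])
        deadline = t_recon + timedelta(seconds=window_seconds)

        created = {e["pid"] for e in evs if e["type"] == "ProcessCreate"}
        terminated = {e["pid"]: parse_ts(e["ts"]) for e in evs if e["type"] == "ProcessTerminate"}
        opened = {e["pid"] for e in evs if e["type"] == "NetworkConnect"}
        closed = {e["pid"] for e in evs if e["type"] == "NetworkClose"}

        # Disengagement: every process in the tree exited by the deadline, the
        # last exit came after the recon, and every connection was closed.
        all_exited = created <= set(terminated) and all(t <= deadline for t in terminated.values())
        if not all_exited or not opened <= closed:
            continue
        last_exit = max(terminated.values())
        if last_exit < t_recon:
            continue
        findings.append({
            "tree_id": tree_id,
            "recon_commands": [e["cmdline"] for e in recon],
            "named_sensor": any(names_sensor(e["cmdline"]) for e in recon),
            "seconds_to_disengage": int((last_exit - t_recon).total_seconds()),
        })
    return findings


if __name__ == "__main__":
    for f in find_recon_then_disengage(SAMPLE_EVENTS):
        print(f)
```

The window and the requirement that every process in the tree exit are deliberately strict so that a routine admin check (tree T2) does not fire; loosening either trades precision for recall, and the tree that exits without ever enumerating the sensor (T3) is simply a normal session.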
Current thread:
- Cyber deterrence in action Dmitri Alperovitch (Apr 14)
- Re: Cyber deterrence in action Andreas Lindh (Apr 14)
- Re: Cyber deterrence in action Dmitri Alperovitch (Apr 14)
- Re: Cyber deterrence in action Daniel Clemens (Apr 14)
- Re: Cyber deterrence in action Dmitri Alperovitch (Apr 14)
- Re: Cyber deterrence in action Dmitri Alperovitch (Apr 14)
- Re: Cyber deterrence in action Andreas Lindh (Apr 14)