
Dailydave mailing list archives
Re: Cyber deterrence in action
From: Dmitri Alperovitch <dmitri () crowdstrike com>
Date: Tue, 14 Apr 2015 13:36:09 +0000
Anything is possible, of course, but we record and transmit to the cloud pretty much all execution activities - process creation, thread creation, DLL/kernel driver loads, etc. (about 150+ different event types) and we've gone through all the events with a fine-tooth comb. The evidence is pretty clear - they ran the commands to check for us and then all processes/network connections were terminated - they simply GTFO!

Dmitri

On 4/14/15, 9:31 AM, "Andreas Lindh" <andreas () haxx ml> wrote:
> How do you know that they've ceased their activity? Couldn't it just as well be that they've found the Falcon's blind spot? ;-)
>
> Jokes aside, I agree totally with the message that raising the cost of attack is the way forward for defense, but doesn't this particular case effectively boil down to the same ol' "how do you know what you don't know?" argument?
>
> Anyway, for the sake of your clients (and everyone) I hope you're right. :)
>
> Andreas
>
> On 2015-04-14 06:10, Dmitri Alperovitch wrote:
>> I wanted to share with this group a blog I published earlier today on how we were able to successfully get a Chinese government-affiliated group (at CrowdStrike we call them Hurricane Panda) to cease their multi-year campaigns against two of our customers who are using our Falcon endpoint technology. This is the first time we've ever seen a persistent nation-state actor cease a long-term, high-priority campaign, and perhaps it is a great sign for the future of defense. Hopefully this is of interest and will spur good discussion about new defense models that focus on significantly raising the cost and effort to the adversary to impact their cost/benefit analysis.
>>
>> http://blog.crowdstrike.com/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/
>>
>> Best,
>> Dmitri
>>
>> _______________________________________________
>> Dailydave mailing list
>> Dailydave () lists immunityinc com
>> https://lists.immunityinc.com/mailman/listinfo/dailydave
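Dmitri's argument above rests entirely on the sensor's own telemetry: a check for the product, followed by termination of the actor's processes and network connections. Andreas's counterpoint is that the same telemetry cannot show what the sensor missed. The Python below, added here as an illustration and not CrowdStrike's code or the Falcon event schema, correlates a constructed stream of EDR-style events and separates the two cases a defender should keep apart: "checked for us and tore everything down" (every process in the actor's tree terminated and its connections closed within a window), versus "checked for us and then the sensor went quiet" (no further heartbeat, which is a telemetry gap, not evidence of departure). The event types, field names, heartbeat interval, the two discovery-command patterns and all sample events are assumptions made for this example.

```python
"""Correlate constructed EDR-style events to classify what followed a
security-tool discovery command on each host.

Added example; not CrowdStrike's code and not the Falcon event schema.
Event types, field names, patterns and sample data are all assumptions.
"""
import re
from collections import defaultdict

# Assumption: command shapes a sensor vendor would expect an intruder to use
# when enumerating endpoint tooling (the page names no specific commands).
DISCOVERY_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\btasklist\b",
    r"\bsc(\.exe)?\s+query\b",
)]
WINDOW_SECONDS = 120  # how long after the check we look for the tear-down


def process_tree(host_events, pid):
    """All pids in the same process tree as `pid`, built from ProcessCreate
    events on one host: walk up to the highest known ancestor, then collect
    every descendant of that root."""
    parent = {e["pid"]: e["ppid"] for e in host_events if e["type"] == "ProcessCreate"}
    children = defaultdict(set)
    for child, par in parent.items():
        children[par].add(child)
    root = pid
    while parent.get(root) in parent:
        root = parent[root]
    tree, stack = set(), [root]
    while stack:
        p = stack.pop()
        if p not in tree:
            tree.add(p)
            stack.extend(children[p])
    return tree


def find_checks(events):
    """ProcessCreate events whose command line looks like tool discovery."""
    return [e for e in events
            if e["type"] == "ProcessCreate"
            and any(p.search(e["cmd"]) for p in DISCOVERY_PATTERNS)]


def classify_check(events, check):
    """Classify what the sensor saw in the window after one discovery event."""
    host, t0 = check["host"], check["ts"]
    host_events = [e for e in events if e["host"] == host]
    before = [e for e in host_events if e["ts"] <= t0]
    later = [e for e in host_events if t0 < e["ts"] <= t0 + WINDOW_SECONDS]
    tree = process_tree(host_events, check["pid"])

    # processes of the actor's tree still alive at the moment of the check
    alive = ({e["pid"] for e in before if e["type"] == "ProcessCreate" and e["pid"] in tree}
             - {e["pid"] for e in before if e["type"] == "ProcessTerminate"})
    terminated = {e["pid"] for e in later if e["type"] == "ProcessTerminate" and e["pid"] in tree}
    open_conns = ({e["conn_id"] for e in before if e["type"] == "NetworkConnect" and e["pid"] in tree}
                  - {e["conn_id"] for e in before if e["type"] == "NetworkClose"})
    closed = {e["conn_id"] for e in later if e["type"] == "NetworkClose"}
    sensor_alive = any(e["type"] == "SensorHeartbeat" for e in later)

    if alive <= terminated and open_conns <= closed:
        return "ceased_after_check"   # the whole tree and its connections were torn down
    if not sensor_alive:
        return "telemetry_gap"        # sensor stopped reporting: a blind spot, not a departure
    return "check_only"               # activity continued under full telemetry


def analyze(events):
    """Map (host, pid of the discovery process) -> verdict."""
    return {(c["host"], c["pid"]): classify_check(events, c) for c in find_checks(events)}


def ev(ts, host, type_, **fields):
    return {"ts": ts, "host": host, "type": type_, **fields}


# Constructed sample telemetry: three hosts, one discovery command each.
SAMPLE_EVENTS = [
    # host-a: check, then every process and connection of the tree is closed
    ev(0, "host-a", "SensorHeartbeat"),
    ev(0, "host-a", "ProcessCreate", pid=100, ppid=1, cmd="C:\\ProgramData\\svc.exe"),
    ev(1, "host-a", "NetworkConnect", pid=100, conn_id="a-c1"),
    ev(10, "host-a", "ProcessCreate", pid=101, ppid=100, cmd="cmd.exe"),
    ev(12, "host-a", "ProcessCreate", pid=102, ppid=101, cmd="tasklist /svc"),
    ev(13, "host-a", "ProcessTerminate", pid=102),
    ev(20, "host-a", "NetworkClose", conn_id="a-c1"),
    ev(21, "host-a", "ProcessTerminate", pid=101),
    ev(22, "host-a", "ProcessTerminate", pid=100),
    ev(60, "host-a", "SensorHeartbeat"),
    ev(120, "host-a", "SensorHeartbeat"),
    # host-b: check, then the sensor never reports again
    ev(0, "host-b", "SensorHeartbeat"),
    ev(0, "host-b", "ProcessCreate", pid=200, ppid=1, cmd="C:\\ProgramData\\svc.exe"),
    ev(1, "host-b", "NetworkConnect", pid=200, conn_id="b-c1"),
    ev(10, "host-b", "ProcessCreate", pid=201, ppid=200, cmd="cmd.exe"),
    ev(12, "host-b", "ProcessCreate", pid=202, ppid=201, cmd="tasklist /svc"),
    ev(13, "host-b", "ProcessTerminate", pid=202),
    # host-c: check, then the tree keeps running under normal heartbeats
    ev(0, "host-c", "SensorHeartbeat"),
    ev(0, "host-c", "ProcessCreate", pid=300, ppid=1, cmd="C:\\ProgramData\\svc.exe"),
    ev(10, "host-c", "ProcessCreate", pid=301, ppid=300, cmd="cmd.exe"),
    ev(12, "host-c", "ProcessCreate", pid=302, ppid=301, cmd="sc query"),
    ev(13, "host-c", "ProcessTerminate", pid=302),
    ev(60, "host-c", "SensorHeartbeat"),
    ev(120, "host-c", "SensorHeartbeat"),
]

if __name__ == "__main__":
    for (host, pid), verdict in sorted(analyze(SAMPLE_EVENTS).items()):
        print(f"{host} pid={pid}: {verdict}")
```

The point of the three-way verdict is that "ceased_after_check" is only claimable when the sensor itself kept reporting through the window; a host that goes silent right after the check lands in "telemetry_gap" and should be treated as a possible blind spot rather than as a win.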
Current thread:
- Cyber deterrence in action Dmitri Alperovitch (Apr 14)
- Re: Cyber deterrence in action Andreas Lindh (Apr 14)
- Re: Cyber deterrence in action Dmitri Alperovitch (Apr 14)
- Re: Cyber deterrence in action Daniel Clemens (Apr 14)
- Re: Cyber deterrence in action Dmitri Alperovitch (Apr 14)
- Re: Cyber deterrence in action Dmitri Alperovitch (Apr 14)
- Re: Cyber deterrence in action Andreas Lindh (Apr 14)