Anything is possible, of course, but we record and transmit to the cloud pretty much all execution activities - process creation, thread creation, dll/kernel driver loads, etc (about 150+ different event types) and we've gone through all the events with a fine-tooth comb. The evidence is pretty clear - they ran the commands to check for us and then all processes/network connections were terminated - they simply GTFO!
Dmitri

On 4/14/15, 9:31 AM, "Andreas Lindh" <[email protected]> wrote:

>How do you know that they've ceased their activity, couldn't it just
>as well be that they've found the Falcon's blind spot? ;-)
>
>Jokes aside, I agree totally with the message that raising the cost of
>attack is the way forward for defense, but doesn't this particular
>case effectively boil down to the same ol' "how do you know what you
>don't know?" argument?
>
>Anyway, for the sake of your clients (and everyone) I hope you're
>right. :)
>
>Andreas
>
>On 2015-04-14 06:10, Dmitri Alperovitch wrote:
>> I wanted to share with this group a blog I published earlier today
>> on how we were able to successfully get a Chinese
>> government-affiliated group (at CrowdStrike we call them Hurricane
>> Panda) to cease their multi-year campaigns against two of our
>> customers who are using our Falcon endpoint technology. This is the
>> first time we've ever seen a persistent nation state actor cease a
>> long term high priority campaign and perhaps is a great sign for
>> the future of defense.
>>
>> Hopefully this is of interest and will spur good discussion about
>> new defense models that focus on significantly raising cost and
>> effort to the adversary to impact their cost/benefit analysis.
>>
>> http://blog.crowdstrike.com/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/
>>
>> Best,
>>
>> Dmitri
>>
>> _______________________________________________
>> Dailydave mailing list
>> [email protected]
>> https://lists.immunityinc.com/mailman/listinfo/dailydave
>>
