Hi Daniel,

These are very good questions and while I can't get into specifics of the customers' environments and what the attackers were after, I will just again reinforce that we have a high degree of confidence that the visibility we have gives us very high confidence that they were kicked out and went away (but again nothing is 100% in life).
Dmitri

On 4/14/15, 1:08 PM, "Daniel Clemens" <[email protected]> wrote:

>
> On Apr 14, 2015, at 8:36 AM, Dmitri Alperovitch <[email protected]> wrote:
>
>> Anything is possible, of course, but we record and transmit to the cloud
>> pretty much all execution activities - process creation, thread creation,
>> dll/kernel driver loads, etc (about 150+ different event types) and we've
>> gone through all the events with a fine-tooth comb. The evidence is pretty
>> clear - they ran the commands to check for us and then all processes/network
>> connections were terminated - they simply GTFO!
>
> Re:
> Unless of course they backdoored a router or switch or anything else?
> We call the team that does this BadAssAlbinoRhinos.
> Did you have complete network traffic visibility to confirm other movement had
> stopped?
>
> Daniel Clemens
>
> O +1 202 747 0043 Ext 7001
> F +1 205 449 4731
> Silent Circle: danielclemens
>
> Packet Ninjas
> http://www.packetninjas.net
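The exchange above turns on a telemetry argument: if every process creation, process exit and network connection is recorded, an analyst can check whether the intruder's activity stopped after they looked for the sensor, and Daniel's follow-up asks about assets (routers, switches) that sit outside that visibility. The following Python is an added example that is not from the thread or from either company's tooling; it runs that check over constructed events. The host names, timestamps, the "attacker" tag on events (assumed to come from the analyst's clustering) and the command-line fragments used as "looking for the sensor" markers are all assumptions for illustration.

```python
# Added example, not code from the Dailydave thread. Eviction check over
# endpoint telemetry of the kind the reply describes (process create/end and
# network connect events), plus a blind-spot list of inventory assets that
# produced no telemetry at all. All events and hosts below are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str            # "process_create", "process_end" or "net_connect"
    image: str
    detail: str = ""     # command line, or remote endpoint for net_connect
    attacker: bool = False   # assumed analyst tag: event belongs to the intrusion


# Assumed (hypothetical) command-line fragments an intruder might run to look
# for a security agent; in practice, use what the sensor actually observed.
DISCOVERY_MARKERS = ("tasklist", "sc query", "driverquery", "get-process")


def first_discovery(events, host):
    """Earliest attacker-tagged process on `host` whose command line matches a marker."""
    hits = [e.ts for e in events
            if e.host == host and e.attacker and e.kind == "process_create"
            and any(m in e.detail.lower() for m in DISCOVERY_MARKERS)]
    return min(hits, default=None)


def last_attacker_activity(events, host, after):
    """Latest attacker-tagged event on `host` strictly after `after`, or None."""
    later = [e.ts for e in events if e.host == host and e.attacker and e.ts > after]
    return max(later, default=None)


def assess_eviction(events, inventory, now,
                    teardown_grace=timedelta(minutes=15),
                    quiet_window=timedelta(hours=24)):
    """Per-host verdict for hosts where a discovery attempt was seen:
    still_active  - attacker events continue beyond the teardown grace period
    too_early     - nothing since, but less than quiet_window has elapsed
    quiet         - nothing since for at least quiet_window
    Hosts in `inventory` with no telemetry at all are listed as blind spots."""
    seen = {e.host for e in events}
    verdicts = {}
    for host in sorted(seen):
        t0 = first_discovery(events, host)
        if t0 is None:
            continue
        # Activity inside the grace period is the teardown itself (process
        # exits, final connections); anything later means they did not leave.
        last = last_attacker_activity(events, host, t0 + teardown_grace)
        if last is not None:
            verdicts[host] = "still_active"
        elif now - t0 < quiet_window:
            verdicts[host] = "too_early"
        else:
            verdicts[host] = "quiet"
    blind_spots = sorted(h for h in inventory if h not in seen)
    return {"verdicts": verdicts, "blind_spots": blind_spots}


def at(hour, minute, day=14):
    """Constructed timestamp on 2015-04-<day>."""
    return datetime(2015, 4, day, hour, minute)


# Constructed telemetry: WS01 checks for the sensor and tears down; FS02 checks
# and then keeps beaconing; DC01 shows only benign activity; the core router
# has no sensor and so appears only in the asset inventory.
EVENTS = [
    Event(at(9, 50), "WS01", "process_create", "explorer.exe"),
    Event(at(10, 0), "WS01", "process_create", "cmd.exe", "cmd.exe /c tasklist /svc", attacker=True),
    Event(at(10, 1), "WS01", "net_connect", "updater.exe", "203.0.113.10:443", attacker=True),
    Event(at(10, 1), "WS01", "process_end", "cmd.exe", attacker=True),
    Event(at(10, 2), "WS01", "process_end", "updater.exe", attacker=True),
    Event(at(10, 5), "FS02", "process_create", "powershell.exe", "powershell Get-Process", attacker=True),
    Event(at(10, 6), "FS02", "process_end", "powershell.exe", attacker=True),
    Event(at(14, 0), "FS02", "net_connect", "rundll32.exe", "203.0.113.10:443", attacker=True),
    Event(at(11, 0), "DC01", "process_create", "lsass.exe"),
]
INVENTORY = ["WS01", "FS02", "DC01", "core-router-1"]
NOW = at(12, 0, day=15)


def run_example():
    return assess_eviction(EVENTS, INVENTORY, NOW)


if __name__ == "__main__":
    for host, verdict in run_example()["verdicts"].items():
        print(f"{host}: {verdict}")
    print("no telemetry:", run_example()["blind_spots"])
```

The verdicts only cover hosts that actually report events; the blind-spot list is the answer to Daniel's question, since a backdoored router or switch cannot be cleared by endpoint telemetry alone and needs network-level visibility.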
_______________________________________________
Dailydave mailing list
[email protected]
https://lists.immunityinc.com/mailman/listinfo/dailydave
