Bad Horse
THREAD: Just saw this posted by Gateway Pundit. TL;DR version: This analysis is complete bunk.
Bad Horse Jul 9
Replying to @BadHorseOC
I've worked on forensics for multiple hacks, some of them carried out by foreign (state) adversaries.
Bad Horse Jul 9
Replying to @BadHorseOC
The rate of the initial copy at the file level is meaningless. Hackers will compromise one or more machines and use them to scan for data.
Bad Horse Jul 9
Replying to @BadHorseOC
It is common for data that they identify to be useful to be staged on one of the compromised machines (copied over LAN) before exfiltration.
Bad Horse Jul 9
Replying to @BadHorseOC
i.e. they'll copy from file servers to a hacked machine, then compress & encrypt it there before sending over the internet.
Bad Horse Jul 9
Replying to @BadHorseOC
The really skilled ones trickle out the data slowly, so they don't want it disappearing from the file server before they're done.
Bad Horse Jul 9
Replying to @BadHorseOC
So yes, the initial copy WILL be much faster since it's local. But any real infosec person or actual hacker knows that tells you NOTHING.
Bad Horse Jul 9
Replying to @BadHorseOC
It's obvious that this "professional" doesn't really know how data exfiltration works in practice, and this is a desperate deflection. /END
J Lewis Jul 10
Replying to @BadHorseOC
This key step sounds highly practical: fastest way to move the data from point "A" to point "B".
Bad Horse Jul 10
Replying to @BadHorseOC
PS: There are a variety of reasons to stage data first. One is to guard against access being cut off before the transfer is complete. 1/6
Bad Horse Jul 10
Replying to @BadHorseOC
Esp. important if you're automatically snagging files and want to manually filter before sending. You'd stage, prune, then compress 2/6
Bad Horse Jul 10
Replying to @BadHorseOC
for transfer (compression is key to keep vol. lower). Using encrypted archive also helps evade detection by net sniffing DLP tools. 3/6
Bad Horse Jul 10
Replying to @BadHorseOC
Many payloads include a rar tool, quite popular as it can encrypt and divide archives into even-sized chunks for easier transfer. 4/6
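The staging pattern described in tweets 1/6 to 4/6 (stage, prune, compress, encrypt, split into even-sized volumes) leaves a recognisable footprint on the compromised host. The following is an added example, not code from any poster in this thread: a small Python triage script that scans a directory for multi-volume archive sets whose volumes are all the same size except for a shorter final one (the shape `rar -v<size>` produces) and measures the byte entropy of the first volume, since encrypted or compressed content is close to 8 bits per byte and is exactly what a content-inspecting DLP sensor cannot read. The volume-naming patterns, the entropy threshold and the sample files it builds in a temporary directory are assumptions made for the example.

```python
"""Host-side triage for staged exfil archives. Added example for this thread,
not code from any poster: it looks for multi-volume archive sets whose volumes
are all the same size (the rar -v<size> pattern) and checks whether their
content is high-entropy, as encrypted or compressed data is."""
import math
import re
import tempfile
from collections import Counter, defaultdict
from pathlib import Path

# Multi-volume naming styles assumed here: name.part1.rar / name.r00 / name.001 / name.rar
_VOLUME_RE = re.compile(r"^(?P<stem>.+?)\.(?:part\d+\.rar|r\d\d|\d{3}|rar)$", re.IGNORECASE)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted/compressed data, roughly 4 to 5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _volume_index(name: str, stem: str) -> int:
    """Order volumes by the number in their suffix; a bare .rar sorts first."""
    digits = re.findall(r"\d+", name[len(stem):])
    return int(digits[-1]) if digits else -1


def find_split_archives(directory, min_volumes=3, head_bytes=4096):
    """Return archive sets whose volumes are equal-sized except for a smaller tail."""
    groups = defaultdict(list)
    for path in Path(directory).iterdir():
        match = _VOLUME_RE.match(path.name)
        if match and path.is_file():
            stem = match.group("stem")
            groups[stem].append((_volume_index(path.name, stem), path))

    findings = []
    for stem, volumes in groups.items():
        if len(volumes) < min_volumes:
            continue
        volumes.sort()
        sizes = [p.stat().st_size for _, p in volumes]
        # rar -v<size> writes N full volumes plus one final remainder volume
        if len(set(sizes[:-1])) != 1 or sizes[-1] > sizes[0]:
            continue
        first_volume = volumes[0][1]
        with open(first_volume, "rb") as fh:
            head = fh.read(head_bytes)
        findings.append({
            "stem": stem,
            "volumes": len(volumes),
            "volume_size": sizes[0],
            "head_entropy": round(shannon_entropy(head), 3),
        })
    return findings


def build_sample(directory):
    """Constructed sample data: a uniform-byte stand-in for an encrypted rar set,
    an unrelated set of unequal files, and a plain-text note for contrast."""
    d = Path(directory)
    body = bytes(range(256)) * 16                         # 4096 bytes, uniform byte distribution
    for i in range(1, 4):
        (d / f"q3-finance.part{i}.rar").write_bytes(body)
    (d / "q3-finance.part4.rar").write_bytes(body[:1500])  # shorter final volume
    for i, size in ((1, 100), (2, 250), (3, 90)):
        (d / f"app.{i:03d}").write_bytes(b"x" * size)       # numbered but not equal-sized
    text = b"Meeting notes, nothing confidential here.\n" * 20
    (d / "notes.txt").write_bytes(text)
    return text


def demo():
    """Run the check over the constructed sample; returns (findings, text entropy)."""
    with tempfile.TemporaryDirectory() as tmp:
        text = build_sample(tmp)
        return find_split_archives(tmp), round(shannon_entropy(text), 3)


if __name__ == "__main__":
    findings, text_entropy = demo()
    for finding in findings:
        print(finding)
    print("plain text entropy:", text_entropy)
```

Run against a real staging directory, the equal-size test is what separates a split archive from a run of ordinary numbered log files, and the entropy of the first 4 KiB separates an encrypted or compressed archive from plain data. Neither signal says anything about how fast the files were first copied onto the host, which is the thread's point.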
Bad Horse Jul 10
Replying to @BadHorseOC
Use of *nix-like command-line tools not surprising; they are easy to manage through a C&C channel sending commands to run silently. 5/6
Bad Horse Jul 10
Replying to @BadHorseOC
Don't see any evidence Linux was used on the sender side; 'cp' mtime change is not convincing, commonly used toolkits do this on Win too. 6/6
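Tweet 6/6 argues that a copy that carries over the original modification time does not identify the sender's operating system. As an added example (not a poster's code), the Python script below shows that the behaviour is a property of the copy routine, not of the OS: `shutil.copy2` preserves the source mtime the way `cp -p` does, while `shutil.copy` stamps the copy with the current time the way plain `cp` does, and both run identically on Windows and Linux. The file name, content and the fixed past mtime are constructed for the example.

```python
"""Added example, not a poster's code: whether a copied file keeps its original
mtime depends on the copy routine used, not on the operating system."""
import os
import shutil
import tempfile
import time
from pathlib import Path

ORIGINAL_MTIME = 1_000_000_000   # constructed: 2001-09-09 UTC, clearly in the past


def copy_timestamps(directory):
    """Create a file with an old mtime, copy it two ways, and report each mtime."""
    d = Path(directory)
    src = d / "report.docx"
    src.write_bytes(b"constructed sample content")
    os.utime(src, (ORIGINAL_MTIME, ORIGINAL_MTIME))   # set atime and mtime

    preserved = d / "staged_copy2.docx"
    restamped = d / "staged_copy.docx"
    shutil.copy2(src, preserved)   # data plus metadata: mtime carried over (like cp -p)
    shutil.copy(src, restamped)    # data only: mtime becomes the time of the copy (like cp)

    now = time.time()
    return {
        "source_mtime": src.stat().st_mtime,
        "copy2_mtime": preserved.stat().st_mtime,
        "copy_mtime": restamped.stat().st_mtime,
        # Did the metadata-preserving copy keep the old timestamp?
        "copy2_preserved": abs(preserved.stat().st_mtime - ORIGINAL_MTIME) < 2,
        # Did the plain copy get stamped with the copy time instead?
        "copy_restamped": abs(restamped.stat().st_mtime - now) < 60,
    }


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return copy_timestamps(tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A forensic reading of the staged copies therefore needs more than mtime: the creation time (`st_birthtime` where the filesystem exposes it, or the NTFS `$STANDARD_INFORMATION` creation timestamp on Windows) is what reflects when the copy was made, and it is the same regardless of whether the tool preserved the modification time.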
Bad Horse Jul 10
Replying to @JLewis75264207
Yeah, that's why I roll my eyes at people talking about the DNC not handing their server to the FBI. Servers usually not hacked, it's the workstations.
J Lewis Jul 10
Replying to @BadHorseOC
A whip for you: thanks for making time to teach the "code-challenged", like me. By far, most substantive thread I'll read today. :)
J Lewis Jul 10
Replying to @BadHorseOC
Building off your logic: did the FBI forensically examine any of the DNC's work computers?
Bad Horse Jul 10
Replying to @JLewis75264207
Good question, I don't know. I'd also be interested to know what SIGINT they have. One job I worked, the company in question was given 1/2
Bad Horse Jul 10
Replying to @JLewis75264207
a printout of exactly what commands the attackers executed. I have no idea how the FBI agents got it, maybe NSA intel on hacker groups. 2/2