undefined | Better HN

0 pointsrightbyte2y ago0 comments

> Attributions are about more than the code flow. You also need infrastructure to funnel exfiltrated data back to yourself.

How is that even possible and how does it help? A computer is like a state machine where a minuscule amount of states are logged. When the state is gone the trace is gone. And you don't control the other involved computers anyway. And what good does accessing "exfiltrated data" do?

0 comments

ipython2y ago

Take this wildly simplified example. You are the attacker. You already have access to internal systems at Microsoft.

Now you need to send the large amounts of data back to yourself, preferably without giving away your own location in the process. That’s the exfiltration phase of the cyber kill chain.

In order to do that, you’ve already established a set of listening posts and command/control sites across the internet. That’s your infrastructure. Setting that up in a pseudo anonymous way is hard, so you don’t do it often and may need to reuse it for multiple targets.

It’s that infrastructure that is hard to replicate if you’re trying to “look like” another threat actor on the Internet.

rightbyteOP2y ago

What happens after the first node is hit? You more or less need to control the network stack around it to know were it in turn sends data. If the NSA or whatever do control virtually every network stack they can access politically, every lead will end in countries which does not comply, right?

If there is any world-wide N-to-N statistical analysis of eavesdropped nodes for reentry of the data, it should trivially be able to be defeated by buffering in the nodes.

I don't get how these things can be tracked at all, unless the hackers are quite incompetent.

ipython2y ago

You’re overstating the technical capabilities at scale and understating just basic investigation techniques.

“Buffering” absolutely happens for a variety of reasons.

Tracking down the money or owning the operations infrastructure of the hosting companies along the way can help. Try to expand past bits on the wire- people set this stuff up at the end of the day.

1 more reply

j / k navigate · click thread line to collapse

0 comments

ipython2y ago

Take this wildly simplified example. You are the attacker. You already have access to internal systems at Microsoft.

Now you need to send the large amounts of data back to yourself, preferably without giving away your own location in the process. That’s the exfiltration phase of the cyber kill chain.

It’s that infrastructure that is hard to replicate if you’re trying to “look like” another threat actor on the Internet.

rightbyteOP2y ago

If there is any world-wide N-to-N statistical analysis of eavesdropped nodes for reentry of the data, it should trivially be able to be defeated by buffering in the nodes.

I don't get how these things can be tracked at all, unless the hackers are quite incompetent.

ipython2y ago

You’re overstating the technical capabilities at scale and understating just basic investigation techniques.

“Buffering” absolutely happens for a variety of reasons.

Tracking down the money or owning the operations infrastructure of the hosting companies along the way can help. Try to expand past bits on the wire- people set this stuff up at the end of the day.

1 more reply

j / k navigate · click thread line to collapse