Why Attribution of Hacks is Difficult - expert comments

September 2016 by Expert

When solving crimes in the physical world, law enforcement faces significant challenges: witness testimony is subjective and often conflicting, physical evidence may be limited, and constitutional protections can, at times, close off certain paths of investigation. When it comes to determining who is responsible for a hack, however, the challenge is even greater. For starters, the criminal is never physically present with the victim, so even defining the scene of an Internet crime is a legal, jurisdictional, and philosophical challenge.

The evidence left behind after a hack is the primary material used in an investigation. It includes log data from firewalls, servers, IDS/IPS systems and endpoint EDR/AV products, full packet capture archives, and anything else that provides insight into the hacker's activity at the network and server/host level. In some of the most widely publicized breaches, including the recent breach of the Democratic National Committee’s (DNC) mail servers, this process has centred on analysis of the malware used during the attack.

Information made public by CrowdStrike as a result of their Incident Response work with the DNC concluded that two different Russian intelligence groups were responsible for the attack. Their findings draw on research into two Advanced Persistent Threat (APT) groups found within the DNC network: APT28, aka “Fancy Bear”, and APT29, aka “Cozy Bear”.

Mark McArdle, CTO at cyber security firm eSentire, says:
"While CrowdStrike’s reported evidence and observations seem like a reasonable conclusion to reach, we cannot dismiss the fact that none of this evidence is 100% reliable. If we think about the very high level of design, engineering, and testing required for such a sophisticated attack, is it reasonable to assume that the attacker would leave behind these breadcrumbs? Yes, it’s possible, but it’s also possible that these things can be used to misdirect attention to a different party. Is this evidence the result of sloppiness, or careful misdirection?

Attribution of attacks is very difficult. Finding irrefutable evidence that links an attacker to an attack is virtually unattainable, so everything boils down to assumptions and judgement. It’s never been more important to have visibility into the unusual activities going on in a company’s network and have the ability to investigate and respond. This is what research firm Gartner calls “Managed Detection and Response (MDR)” – an effective way of keeping small breaches from turning into headline-making hacks."
