Post 1152005 by FlyingLawyer@infosec.exchange
Post #1102341 by FlyingLawyer@infosec.exchange
       2018-11-10T16:04:00Z
       
       0 likes, 2 repeats
       
       I'm doing a lot more #databreach work. One specific issue I'm regularly encountering is whether a particular ransomware agent is likely to have exfiltrated data prior to encryption (or been part of a broader package that would have exfiltrated it using some other program).  If you know of a good resource that would break down known traits like that for popular malware variants in a readable, usable way, I'm all ears. #infosec
       
Post #1102413 by profoundlynerdy@mastodon.technology
       2018-11-10T16:55:30Z
       
       0 likes, 0 repeats
       
@FlyingLawyer Well, working from first principles and assuming you have decent logs available to you (always a gamble, I know) if your upload metrics spike during the eclipse phase period of the infection (after infection, before "symptoms" the end user(s) can detect) it can be reasonably inferred that the answer is "yes" unfortunately. That's a starting point, I suppose.
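The heuristic above (compare each host's outbound volume in the window between infection and visible symptoms against its own earlier baseline) as a worked example. This is an added illustration, not code from either poster; the log format, the byte counts, the two-hour eclipse window and the 3-sigma threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed hourly egress log, one line per host and hour: "<ISO time> <host> <bytes out>".
# Values are made up: ws-17 pushes out ~2 GB in the two hours before its files are found
# encrypted (assumed at 12:00), ws-22 stays flat.
SAMPLE_FLOWS = """
2018-11-10T06:00:00 ws-17 120000
2018-11-10T07:00:00 ws-17 98000
2018-11-10T08:00:00 ws-17 143000
2018-11-10T09:00:00 ws-17 110000
2018-11-10T10:00:00 ws-17 1250000000
2018-11-10T11:00:00 ws-17 890000000
2018-11-10T06:00:00 ws-22 101000
2018-11-10T07:00:00 ws-22 99000
2018-11-10T08:00:00 ws-22 130000
2018-11-10T09:00:00 ws-22 125000
2018-11-10T10:00:00 ws-22 118000
2018-11-10T11:00:00 ws-22 104000
"""

def parse_flows(text):
    """Yield (timestamp, host, bytes_out) tuples from the constructed log format."""
    for line in text.strip().splitlines():
        ts, host, nbytes = line.split()
        yield datetime.fromisoformat(ts), host, int(nbytes)

def eclipse_egress_spikes(text, symptom_time, eclipse_hours=2, sigma=3.0):
    """Flag hosts whose egress in the eclipse window (the eclipse_hours before
    symptom_time, given as an ISO string) exceeds their own baseline mean plus
    sigma standard deviations. Returns {host: (max_window_bytes, baseline_mean)}.
    A hit supports, but does not prove, exfiltration before encryption."""
    symptom_time = datetime.fromisoformat(symptom_time)
    window_start = symptom_time - timedelta(hours=eclipse_hours)
    baseline, window = defaultdict(list), defaultdict(list)
    for ts, host, nbytes in parse_flows(text):
        if window_start <= ts < symptom_time:
            window[host].append(nbytes)
        elif ts < window_start:
            baseline[host].append(nbytes)
    flagged = {}
    for host, vals in window.items():
        base = baseline.get(host, [])
        if len(base) < 3:  # too little history to judge a spike
            continue
        if max(vals) > mean(base) + sigma * pstdev(base):
            flagged[host] = (max(vals), round(mean(base)))
    return flagged

if __name__ == "__main__":
    print(eclipse_egress_spikes(SAMPLE_FLOWS, "2018-11-10T12:00:00"))
```

Hosts with no flow records before the window are skipped rather than flagged, since a spike can only be judged against that host's own history.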
       
Post #1152005 by FlyingLawyer@infosec.exchange
       2018-11-12T17:52:57Z
       
       0 likes, 1 repeats
       
       @profoundlynerdy Thanks for the response (you too @jerry). We typically pass that kind of analytical work along to a #DFIR team, and they figure it out. What I was originally after was something I could use earlier in the response chain to gauge the likelihood that the team would find that kind of thing. I suppose that would mean some kind of database that would show whether particular ransomware agents have been associated with exfiltration in the past (or not). That may not exist. #infosec
       
Post #1152474 by profoundlynerdy@mastodon.technology
       2018-11-12T18:24:53Z
       
       0 likes, 0 repeats
       
@FlyingLawyer @jerry Gotcha. Sorry, no. To expand a bit, albeit farther down the response chain, the only way you're *really* going to know is to isolate the malware, disassemble it, and work backwards until you have fully commented assembly language code that compiles and behaves like the original. Yeah, I know that's a *very* rarefied skill set and will likely take many months to complete. If the malware is polymorphic, God help you. It's the only way to *really* understand what you're up against.
       
Post #1152494 by profoundlynerdy@mastodon.technology
       2018-11-12T18:26:29Z
       
       0 likes, 0 repeats
       
       @FlyingLawyer @jerry So, I guess I'm saying "decompile" followed by building your own database as you describe.