Monday, December 12, 2016

Sources and Methods


I didn't want to lose this train of thought - but my initial reaction to people in policy places is that they always undervalue the "single server" because from an operator's perspective, there is no such thing. That server is a foothold on a network - probably in a unique position - and the toolchain on that server, together with the toolchain that got you onto that server, typically puts every mission you have at risk.

So from that perspective, even if it is one server, a real offensive organization likely has human lives at risk if that server is deliberately outed. You have to do a massive cleanup job first, equivalent to an enterprise-level forensics job, to cover your tracks. Sometimes that's impossible because you've lost access to part of your toolchain...
