Profile picture
Christopher Glyer @cglyer
, 18 tweets, 5 min read Read on Twitter
I've been thinking about the recent conspiracy theory of "where is the physical DNC server".



Here is a thread on the "missing" DNC server and my experience/advice from conducting similar investigations.
First, some background for my comments. Over the last decade, I've personally led investigations at over 100 organizations & taught dozens of classes for both federal law enforcement and the private sector on incident response and digital forensics.
I've never once physically acquired a server or asked someone to physically acquire a server. Literally the first thing you learn in digital forensics is how to take a forensic image (or in laymen's terms a complete copy of a computer).
In the physical world we cordon off the crime scene and take pictures/video & other forensic evidence (e.g. fingerprints...etc.) of the crime scene. Expecting a cyber investigation to "physically" take a server is akin to physically moving the room out of the building.
Victim's 1st responsibility is to protect their: org, systems & data. Investigation always 2nd priority. Goals of investigation (in order)
1) Evict attacker asap (this may take days->weeks depending on sophistication of attacker & how established their presence is in the network)
2) While preping to evict attacker, monitor their activity(to ensure your remediation is successful &/or remediate early if attacker taking actions/data deemed too risky/valuable)
3) Scope historical activity (e.g. find backdoors & attacker activity, identify their motives/goals)
When dozens/hundreds of systems involved and attacker who is very active, it's also often impractical and/or unnecessary (if you have the right tools) to take a forensic image of every system.

Example: attacker accesses 300 systems and runs a password dumper on each one
@Mandiant we deploy @FireEye endpoint software to every system to scale investigation across the enterprise. We pull forensic data at scale to conduct historical investigation & monitor the attacker's activity in realtime. Only take images of systems of significant importance.
Majority of recent Presidential campaigns on both sides have been successfully compromised by nation states. In the past, the motive was to get an insight into politician's views on policies/positions important to the attacker's government. (next tweet has links to articles)
thehill.com/policy/technol…
chicagotribune.com/news/nationwor…
2016 was the first time the data stolen was weaponized against one of the parties.
Think of presidential campaigns like hypergrowth startups (w/ relatively short end date). Most/all infrastructure is temporary & cloud based tech (office365/gsuite, AWS/Azure) instead of physical data centers.
Therefore, most systems aren't "physical" - it's virtual/cloud-based.
Trick question:
If all your servers are virtualized or cloud-based...then how do you take a "physical" server?

Exactly - you don't
Hypergrowth startups are so focused on growth that anything (including security measures) that detracts from executing on their goal/mission is usually ignored. Check out this thread by @dotMudge
In my experience, there are 3 types of cases. Investigations that are:
1) Never made public, or have little public/political interest
2) Involve private orgs that have major public/political interest (e.g. Equifax, Anthem...etc.)
3) Involve government and/or political orgs
For #DFIR professionals w/investigations at orgs like #2 or #3:
-Assume anything you say or put in writing w/ government/political org will get leaked for political purposes. I learned this the hard way coming from a heavy background in corporate cases where leaks rarely occur
-Every action you take will be put under intense scrutiny after the fact by non-technical "arm chair quarterbacks". It's helpful for you to document (at a minimum in your own notes) what you knew & when you knew it (as it's occurring) - so you can refer to this later
-The public & politicians expect that cyber investigations & remediation happen in hours/days when they take days/weeks or sometimes months. You can't change this expectation. (side note: this will only get worse with 72 hour notification requirement with GDPR)
-You're better off taking remediation sooner than you feel ready - at the risk/tradeoff that you will not successfully evict the attacker. This makes the ability to identify attacker activity in real-time becomes critical so you can respond if/when attacker becomes active again.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Christopher Glyer
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!