Comment by h2odragon
5 years ago
I'm paranoid, and I'd have considered the efforts described here to be pretty secure. I'll say the only counter to this grade of threat is constant monitoring, by a varied crew of attentive, inventive, and interested people. Even then, there's probably going to be a lot of luck needed.
Traffic analysis and monitoring will detect signs of intrusion almost in real time, but also exfiltration. The network never lies.
The kind of eyes that can spot the hinky pattern while watching that monitor are the vital ingredient, and that's not something I can quantify. Or even articulate well.
> The network never lies.
Steganography begs to differ.
How much free entropy do you have on your network traffic?
EDIT: Corrected. Thanks cuu508.
*steganography
One sensible mitigation to this grade of threat: avoid running Windows, even as a VM host as the dev did. It's a dumpster fire.
I think you may have misinterpreted that part of the post - my understanding is that the Linux laptop that was being used was compromised, and there was a 3 month gap when that developer switched to a Windows machine before that became compromised too. Specifically it would be fascinating to learn whether the Windows host was compromised or if it was only the Linux VM.
> ...It looks as if it took the attackers three months to gain access back into the box and into the VM build...
How were the attackers able to gain access again after the developer used a VM in Windows? My guesses:
- The developer machine was compromised at a deeper level (rootkit?)
- The developer installs a particular application in each Linux box
- There is a bug in an upstream distro