Anonymous ID: 69b70a Dec. 28, 2019, 4:40 p.m. No.7647777   >>7785 >>7790 >>7792 >>7793 >>7798 >>7799 >>7814 >>7819 >>7822 >>7828 >>7831 >>7851 >>7852 >>7855 >>7866 >>7878 >>7930 >>7999 >>8016 >>8105 >>8112

>>7643842

The Disk activity/transfer rate can be easily monitored a multitude of ways - Opensource Munin, Nagios, Zabbix, etc.

 

Most systems on my measly network of 200 nodes have this data logged 365/24/7. I can go back through any point in time there is an anomaly (and I can get notified when a system is doing something outside of breakpoints). A sudden burst of I/O activity could have set a trigger to alert of this I/O activity and the duration.

 

That trigger could notify people that there has been a breach, alert to a system health issue and can notify systems to more verbosely monitor other related systems, shut services down, etc. They can all correlate their activity to a very high degree/point in time.

 

I.E.

  1. Someone swipes a card to get access to an area. Check-In time, identification and video surveillance correlate.

  2. I/O on ServerXYZ peaks to 22MB/s for 87 seconds. This triggers some breakpoint for spurious I/O activity. Someone got a notification that this was high, then another notification that this returned to normal.

  3. Card Swipe out, Surveillance video correlates.

  4. IT/Security Analyst either ignores the notifications, or if it's AWAN - investigates thoroughly to see who did what on those boxes for 87 seconds. Since, possibly he has a great interest in those systems and the stack it is running and no one should be messin' with those boxes.

  5. AWAN correlates SR going into the server room, popping a USB stick into the server, running some commands and copying files.

  6. Notifies DWS that they have a problem. Asks how should this be handled.

Err: MS13

  7. Fortunately, WE Have it All too…

 

I don't think this data would have been logged at the network level via router/switches because that's not the route the data went. It went straight from the server to a USB 2.0/3.0 interface.

 

"what is called the transfer rate—the time a remote hack would require. The metadata established several facts in this regard with granular precision: On the evening of July 5, 2016, 1,976 megabytes of data were downloaded from the DNC’s server. The operation took 87 seconds. This yields a transfer rate of 22.7 megabytes per second."
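One way to implement the I/O breakpoint and badge correlation described in this post, as an added example that is not the poster's code: it scans one-second throughput samples for a sustained burst above a threshold, reports duration and total volume, and looks for a badge-in event in the minutes before the burst. The sample data, thresholds and the "holder-A" badge name are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

Sample = Tuple[datetime, float]      # (timestamp, MB/s) at one-second cadence
Badge = Tuple[datetime, str, str]    # (timestamp, holder, "in" or "out")

@dataclass
class Burst:
    start: datetime
    duration_s: int
    mean_mbps: float
    total_mb: float
    badge_in: Optional[str]          # holder who badged in shortly before the burst

def find_bursts(samples: List[Sample], threshold_mbps: float, min_duration_s: int,
                badges: List[Badge], lookback: timedelta = timedelta(minutes=10)) -> List[Burst]:
    """Flag runs of throughput at or above the breakpoint that last at least
    min_duration_s, and attach the most recent badge-in inside the lookback window."""
    bursts: List[Burst] = []
    run: List[Sample] = []

    def close_run() -> None:
        if len(run) >= min_duration_s:
            start = run[0][0]
            rates = [r for _, r in run]
            holder = None
            for ts, who, direction in badges:
                if direction == "in" and start - lookback <= ts <= start:
                    holder = who
            # one-second cadence, so MB/s summed over the run is the MB moved
            bursts.append(Burst(start, len(run), sum(rates) / len(rates), sum(rates), holder))
        run.clear()

    for ts, rate in samples:
        if rate >= threshold_mbps:
            run.append((ts, rate))
        elif run:
            close_run()
    if run:
        close_run()
    return bursts

# Constructed data: 20 s idle, 87 s at 22.7 MB/s, 20 s idle; badge-in four minutes earlier.
T0 = datetime(2016, 7, 5, 19, 0, 0)
SAMPLES = [(T0 + timedelta(seconds=i), 22.7 if 20 <= i < 107 else 0.3) for i in range(127)]
BADGES = [(T0 - timedelta(minutes=4), "holder-A", "in"),
          (T0 + timedelta(minutes=3), "holder-A", "out")]

if __name__ == "__main__":
    for b in find_bursts(SAMPLES, threshold_mbps=10.0, min_duration_s=30, badges=BADGES):
        print(f"{b.start:%H:%M:%S} {b.duration_s}s mean {b.mean_mbps:.1f} MB/s "
              f"total {b.total_mb:.0f} MB badge-in: {b.badge_in}")
```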

Anonymous ID: 69b70a Dec. 28, 2019, 4:47 p.m. No.7647826   >>7898

>>7647793

Thanks.

 

Just doing my part. I was wondering how they would know 'from metadata' what the data transfer rate was.

 

Then I realized I do this daily… And thought maybe some non-IT-anons needed some explanation how this might work.

Anonymous ID: 69b70a Dec. 28, 2019, 4:50 p.m. No.7647858

Also - if Crowdstrike is monitoring this system, then they indeed have an 'agent' application running on the server that collects these I/O metrics and sends them back to a central server which takes that data and stores it for analysis.

Anonymous ID: 69b70a Dec. 28, 2019, 5:09 p.m. No.7648061   >>8138

>>7647839

Oh, hey - install this program we wrote to see who is on your network. Oh - look - it's "Russia".

 

#!/bin/bash

echo "Initiating DNC network scan"
sleep 5

# the test is always true, and both branches say the same thing anyway
if [ true = true ]; then
    echo "It's Russia"
else
    echo "It's Russia"
fi