Does CrowdStrike have evidence that data was exfiltrated from the DNC network?
Yes. Shawn Henry stated in his testimony to the House Intelligence Committee that CrowdStrike had indicators of exfiltration (page 32) and that data had clearly left the network. On page 2, the Intelligence Community Assessment also confirmed that the Russian intelligence agency GRU “had exfiltrated large volumes of data from the DNC.”
Did CrowdStrike see in real-time the adversaries exfiltrate data and emails from the DNC network?
No, and that’s typical for incident response cases. In the vast majority of cyber investigations, incident responders don’t witness exfiltration in real time. In fact, we are often called in after the theft has taken place. We collect forensics and evidence of prior activity on the network, map where the adversary has gained access, and prepare remediation plans.
In this particular case, CrowdStrike saw circumstantial evidence of data exfiltration from the DNC network. As a reference point, circumstantial evidence is the type of evidence, such as DNA analysis or fingerprints, that is fully admissible in courts.
Shawn Henry stated in his testimony that CrowdStrike had indicators of exfiltration (page 32 of the testimony):
“Counsel just reminded me that, as it relates to the DNC, we have indicators that data was exfiltrated. We did not have concrete evidence that data was exfiltrated from the DNC, but we have indicators that it was exfiltrated.”
and circumstantial evidence that data was taken, as he states on page 75 (“so there is circumstantial evidence that it was taken”) and page 76:
“MR. HENRY: So, to go back, because I think it’s important to characterize this. We didn’t have a network sensor in place that saw data leave. We said that the data left based on the circumstantial evidence. That was a conclusion that we made. When I answered that question, I was trying to be as factually accurate. I want to provide the facts. So I said that we didn’t have direct evidence. But we made a conclusion that the data left the network.”
On page 32 of the testimony, Henry also explains that
“We don’t have video of it happening, but there are indicators that it happened” and “we did not have concrete evidence that data was exfiltrated from the DNC, but we have indicators that it was exfiltrated.” As another reference point, the independent report by Special Counsel Robert S. Mueller also cites the theft of documents from the DNC and DCCC on page 40, stating the following:
“Officers from Unit 26165 stole thousands of documents from the DCCC and DNC networks, including significant amounts of data pertaining to the 2016 U.S. federal elections. Stolen documents included internal strategy documents, fundraising data, opposition research, and emails from the work inboxes of DNC employees.”
https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/