Discover and read the best of Twitter Threads about #StateOfTheHack

Most recent (7)

After more than a decade - today is my last day @FireEye.

Taking a job @Mandiant was one of the best decisions I've ever made & I wanted to share some of the stories & experiences of what it was like as well as recognize some of the people that helped me learn and grow
When I started @Mandiant in 2009 the infosec space (it was called information security and not cyber security for starters) was so different from today. It was fairly rare for companies to get breached and when they did there was an amazing amount of stigma associated with that.
I was employee 63 (not because there were 63 active employees but because I was the 63rd employee hired since the inception of the company in ~2005). There were offices in 3 cities (DC, NY, LA) & the company was split roughly 50/50 between consultants and software devs on MIR
Read 20 tweets
🔥 "Hacking Tracking Pix & Macro Stomping Tricks"
📺 pscp.tv/FireEye/1djGXQ…

On this 🆕 #StateOfTheHack, @cglyer👨🏼‍🦲 & I break down trendy tradecraft.

Special guests:
👨🏻 Macro stomping (@a_tweeter_user)
👨🏻‍🦱 CVE exploitation in the trenches (@_bromiley)

👇🏼Episode Recap Thread! 🧵
We start with tracking pixels: ◻️ <spacer.gif>
We break down how marketing tools are used by attackers looking to learn more about their planned victim's behavior and system - prior to sending any first stage malware.
For some background, see this thread:
On the show, we chatted through what we've seen as defenders but also some cool victim behavior profiling methods from our offensive security friends, like those shared by @malcomvetter 🎇:

Ok, so why learn specific Office version used? ...
Read 11 tweets
I’m going to be live tweeting the #FireEyeSummit technical track chaired by @stvemillertime
First up is @HoldSecurity discussing how to harvest information from botnets

#FireEyeSummit
@HoldSecurity harvests information periodically from various botnet information panels (that give them a view into the size and systems in the botnet).

Fun fact - Gozi botnet has so many systems connected all queries on the information panel time out

#FireEyeSummit
Read 91 tweets
#StateOfTheHack: #APT41 - Double Dragon: The Spy Who Fragged Me pscp.tv/w/cCRRwTFWR1F2…
Get your copy of our #APT41 here. feye.io/apt41report
Don't worry podcast fans! This episode is available on #iTunes, #Spotify, and #GooglePlay. Follow the thread for direct links.
Read 7 tweets
We're doing a special #StateOfTheHack episode this week with two of the technical experts who worked for months to graduate the activity clusters into #APT41. I'm sure @cglyer will pepper in #DFIR war stories.

If you've read the report (below),
what QUESTIONS do you still have?
I plan to go deeper on #APT41's:
1️⃣ Supply chain compromises (and nuanced attrib)
2️⃣ Linux & Windows MBR bootkits and how they were found 😉
3️⃣ Third party access 🌶️
4️⃣ Legitimate web services use (and their obsession with Steam)
+concurrent ops, overlaps!
content.fireeye.com/apt-41/rpt-apt…
@FireEye 📺 #StateOfTheHack Stream
"Double Dragon: The Spy Who Fragged Me" 🎮
#APT41 with Jackie, Ray, and @cglyer
pscp.tv/FireEye/1vAGRW…
Read 9 tweets
Domain fronting and forging hostnames in headers are different things with vastly different implications. It's important to study these techniques, and review the publicly available malleable C2 profiles. They're open source, and provide views into the bowels of CobaltStrike 🚮.
I normally associate actual domain fronting with offensive security professionals. Some do it with BEACON, but I do see the occasional EMPIRE payload using it. However, @FireEye did do this blog on #APT29, who was domain fronting before it was cool. fireeye.com/blog/threat-re…
The blog talks about #APT29 and cites the following white paper, for those of you that like citations and well documented work--all 19 pages of it. Some light reading for you this evening/morning/afternoon: icir.org/vern/papers/me…
Read 4 tweets
#StateOfTheHack follow-up. Thank you to everyone who tuned in, and we apologize for the technical difficulties and audio. We are going to get that figured out for future iterations. I wanted to follow up with indicators I talked about at the end to prove a point regarding #GDPR:
My team develops sources and methods for pursuing adversaries across our customers' networks, and beyond. We do not become reliant on a single source, nor do we allow the loss of a source to cripple our collection efforts. Loss of WHOIS information is not a deal breaker.
This is the domain I dropped in our #StateOfTheHack discussion today. The screenshot indicates we illuminated it on day zero of the adversary establishing it. The WHOIS information is privacy protected. However, we didn't discover the domain through registrant information.
Read 5 tweets
