Discover and read the best of Twitter Threads about #bec
Most recents (12)
#Canada ⚠️ I beg YOU🫵 to not only receive this message, but actually f*cking do something about it‼️
If you TRULY care for your loved ones YOU will do something!! Now! Today, not tomorrow! #cndnpoli #ABpoli #bcpoli #skpoli #cpc #lpc #ndp #papc #secu #inan #ONpoli #québec
If you TRULY care for your loved ones YOU will do something!! Now! Today, not tomorrow! #cndnpoli #ABpoli #bcpoli #skpoli #cpc #lpc #ndp #papc #secu #inan #ONpoli #québec
चला! तर मी तुम्हाला आमची आजची एकदिवसीय #मुंबई_ट्रीप थोडस brief मध्ये सांगतो.
आज आमच्या सोबत खूप अश्या गोष्टी घडल्या जे आम्ही कधीच जीवनात विसणार नाही आणि हो खूपच interesting घटना घडल्या.
थोडा #thread मोठा होईल पण खूपच interesting आहे. नक्कीच वाचा आणि enjoy करा.
@ACREX2021
१/n
आज आमच्या सोबत खूप अश्या गोष्टी घडल्या जे आम्ही कधीच जीवनात विसणार नाही आणि हो खूपच interesting घटना घडल्या.
थोडा #thread मोठा होईल पण खूपच interesting आहे. नक्कीच वाचा आणि enjoy करा.
@ACREX2021
१/n
आज सकाळी मी ५ वाजता उठून मस्त फ्रेश झालो आणि ६:१९ am ला #नाशिकरोड रेल्वे स्टेशनला निघालो. स्टेशनला #motorcycle park करून platform वर गेलो. सगळे मित्र मंडळी एकत्र झालो (अथर्व, मानस, गार्गी आणि आमचा पायलट). सर पण आले. मग ७:०५ am ला #पंचवटी एक्स्प्रेस मध्ये D4 डब्यात बसलो.
२/१९
२/१९
Reservation केल्यामुळे सगळे स्वत:च्या हक्काच्या seat वरती बसलो. मग #इगतपुरी येथे वडापाव, मेंदुवडा खाल्ले आणि नंतर मस्त मौज मस्ती करत करत #दादर स्टेशनला १०:३३am ला पोहचलो. त्यानंतर #Western_Lines च्या #local मध्ये बसून #राम_मंदिर स्टेशनला उतरलो.
३/१९ twitter.com/i/web/status/1…
३/१९ twitter.com/i/web/status/1…
A good alert includes:
- Detection context
- Investigation/response context
- Orchestration actions
- Prevalence info
- Environmental context (e.g, src IP is scanner)
- Pivots/visual to understand what else happened
- Able to answer, "Is host already under investigation?"
- Detection context
- Investigation/response context
- Orchestration actions
- Prevalence info
- Environmental context (e.g, src IP is scanner)
- Pivots/visual to understand what else happened
- Able to answer, "Is host already under investigation?"
Detection context. Tell me what the alert is meant to detect, when is was pushed to prod/last modified and by whom. Tell me about "gotchas" and point me to examples when this detection found evil. Also, where in the attack lifecycle did we alert? This informs the right pivots.
Investigation/response context. Given a type of activity detected, guide an analyst through response.
If #BEC, what questions do we need to answer, which data sources? If coinminer in AWS, guide analyst through CloudTrail, steps to remediate.
Orchestration makes this easier.
If #BEC, what questions do we need to answer, which data sources? If coinminer in AWS, guide analyst through CloudTrail, steps to remediate.
Orchestration makes this easier.
Gathering my thoughts for a panel discussion tomorrow on scaling #SOC operations in a world with increasing data as part of the Sans #BlueTeamSummit.
No idea where the chat will take us, but luck favors the prepared. A 🧵 of random thoughts likely helpful for a few.
No idea where the chat will take us, but luck favors the prepared. A 🧵 of random thoughts likely helpful for a few.
Before you scale anything, start with strategy. What does great look like? Are you already there and now you want to scale? Or do you have some work to do?
Before we scaled anything @expel_io we defined what great #MDR service looked like, and delivered it.
Before we scaled anything @expel_io we defined what great #MDR service looked like, and delivered it.
We started with the customer and worked our way back. What does a 10 ⭐ MDR experience look like?
We asked a lot of questions. When an incident happens, when do we notify? How do we notify? What can we tell a customer now vs. what details can we provide later?
We asked a lot of questions. When an incident happens, when do we notify? How do we notify? What can we tell a customer now vs. what details can we provide later?
Quick 🧵of some of the insights and actions we're sharing with our customers based on Q2 '21 incident data.
TL;DR:
- #BEC in O365 is a huge problem. MFA everywhere, disable legacy protocols.
- We’re 👀 more ransomware attacks. Reduce/control the self-install attack surface.
TL;DR:
- #BEC in O365 is a huge problem. MFA everywhere, disable legacy protocols.
- We’re 👀 more ransomware attacks. Reduce/control the self-install attack surface.
Insight: #BEC attempts in 0365 was the top threat in Q2 accounting for nearly 50% of the incidents we identified
Actions:
- MFA everywhere you can
- Disable legacy protocols
- Implement conditional access policies
- Consider Azure Identity Protection or MCAS
Actions:
- MFA everywhere you can
- Disable legacy protocols
- Implement conditional access policies
- Consider Azure Identity Protection or MCAS
re: Azure Identity Protection & MCAS: They build data models for each user, making it easier to spot atypical auth events. Also, better logging. There's $ to consider here, I get it. Merely providing practitioner's perspective. They're worth a look if you're struggling with BEC.
ICYMI, @PwC_UK’s 2020 #threatintel Year in Retrospect report is out now! All team contributed but h/t to @KystleM_Reid! :fire: You can check it out here: pwc.to/2ZPx7fo In this thread, I will summarise some of what I thought were key findings: 🧵👇 1/n
#Ransomware has become the most significant cyber security threat faced by organisations, irrespective of industry/location. TTPs have pivoted to mass data exfiltration prior to encryption, along with leaks & extortion. S/o to @andyp346 for all your work countering this.🙏 2/n
In 2020, 86% of the incidents that PwC’s Incident Response team responded to were attributable to cyber criminals. 79% of leaks happened in 2nd half of 2020. Our data sees Manufacturing, TMT, & Professional Services most impacted. 3/n
Hushpuppi Ramon Abbas was actually working for a guy in Ontario, Canada, Ghaleb Alaumary, aka "Backwood." Alaumary made a plea deal with the Department of Justice in California, which names Hushpuppi and five others (whose names are still secret) to help launder $45 Million!
Ghaleb had a long history with the police in Canada, but despite multiple arrests, his longest sentence was six months "house arrest!" (source: thecanadian.news/2021/02/18/mon… )
Ghaleb had already been charged in Georgia in 2019, for money laundering and theft from Regions Bank and BBVA Compass Bank! These charges were for crimes in 2017 that were mostly involving using stolen bank accounts to buy plane tickets.
Can we detect ZIP / JScript for initial access on 🪟?
1. Open txt editor
2. var WshShell = new ActiveXObject("Wscript.Shell");
WshShell.Popup("You can configure WSH files to open in Notepad");
WScript.exit;
3. Save as 1.js
4. Double-click
5. Query SIEM / EDR
1. Open txt editor
2. var WshShell = new ActiveXObject("Wscript.Shell");
WshShell.Popup("You can configure WSH files to open in Notepad");
WScript.exit;
3. Save as 1.js
4. Double-click
5. Query SIEM / EDR
What about #BEC in O365?
1. Create an inbox rule to fwd emails to the RSS Subscriptions folder
2. Query your SIEM
3. How often does this happen?
4. Can you build alert or cadence around inbox rule activity?
1. Create an inbox rule to fwd emails to the RSS Subscriptions folder
2. Query your SIEM
3. How often does this happen?
4. Can you build alert or cadence around inbox rule activity?
What about lateral movement?
1. Open PS
2. wmic /node:localhost process call create "cmd.exe /c notepad"
3. winrs:localhost "cmd.exe /c calc"
4. schtasks /create /tn legit /sc daily /tr c:\users\<user>\appdata\legit.exe
5. Query SIEM / EDR
1. Open PS
2. wmic /node:localhost process call create "cmd.exe /c notepad"
3. winrs:localhost "cmd.exe /c calc"
4. schtasks /create /tn legit /sc daily /tr c:\users\<user>\appdata\legit.exe
5. Query SIEM / EDR
(1/18) 📢Need videos for #teaching about #forestry? 📢My @ubcforestry online field course just wrapped up. I spent weeks making 113 videos (10 hours!). Videos are organized by playlists below. About 1/4 are #VR 360-degree videos.
🌲Please use and SHARE! 🌳
🌲Please use and SHARE! 🌳
(2/18) Master video list. All videos, somewhat ordered.
youtube.com/playlist?list=…
youtube.com/playlist?list=…
#ESETresearch analyzed operation #Interception, a new espionage campaign targeting aerospace & defense companies in Europe and the Middle East. Initial contact was made via #LinkedIn, where attackers approached targets with fake job offers @jiboutin welivesecurity.com/2020/06/17/ope… 1/5
The attackers sent a password protected RAR archive containing a LNK file responsible for showing a decoy PDF and downloading additional malware. In some cases, this archive was sent directly through #LinkedIn instant messenger. #ESETresearch 2/5
While the victim was being deceived by the decoy PDF, a scheduled task was created, launching WMIC to execute a script embedded in a remote XSL file. This enabled the attackers to get their initial foothold inside the targeted company and gain persistence on the computer. 3/5
1/ Had a really fun, free-flowing conversation with @heavilyarmedc on the Bitcoin Echo Chamber pod. #BEC 22 on the paradigm shift we are living through right now.
Some notes below 👇
Some notes below 👇
2/ Shout-out to everyone who is innovating at the edge. @LightningK0ala building cool ⚡️ stuff like satoshis.place & koalastud.io, @cryptograffiti innovating in the art space, ... Can't wait to see what this future paradigm will bring!
3/ As mentioned on the pod, I hope we will move away from an ad-based model and move towards a direct, support-based model. h/t @tippin_me, @tallyco_in, @vandrewattycpa of LibrePatron, and of course @BtcpayServer 🙏
Meet Donna. Donna is a Financial Executive at a made-up company.
Meet Russell. Russell is the CEO of at the same made-up company.
Meet #BEC Scammer, who wants Donna to make a payment to a vendor.
Poor guy. He doesn't know what's about to happen.
Meet Russell. Russell is the CEO of at the same made-up company.
Meet #BEC Scammer, who wants Donna to make a payment to a vendor.
Poor guy. He doesn't know what's about to happen.
Mule account #1. ✅
Donna's a beast. She'll definitely get this done for you, Russell. No need to worry at all.
