Discover and read the best of Twitter Threads about #bec

Most recent (10)

A good alert includes:
- Detection context
- Investigation/response context
- Orchestration actions
- Prevalence info
- Environmental context (e.g., src IP is scanner)
- Pivots/visual to understand what else happened
- Able to answer, "Is host already under investigation?"
Detection context. Tell me what the alert is meant to detect, when it was pushed to prod/last modified and by whom. Tell me about "gotchas" and point me to examples when this detection found evil. Also, where in the attack lifecycle did we alert? This informs the right pivots.
Investigation/response context. Given a type of activity detected, guide an analyst through response.

If #BEC, what questions do we need to answer, which data sources? If coinminer in AWS, guide analyst through CloudTrail, steps to remediate.

Orchestration makes this easier.
Read 8 tweets
Gathering my thoughts for a panel discussion tomorrow on scaling #SOC operations in a world with increasing data as part of the Sans #BlueTeamSummit.

No idea where the chat will take us, but luck favors the prepared. A 🧵 of random thoughts likely helpful for a few.
Before you scale anything, start with strategy. What does great look like? Are you already there and now you want to scale? Or do you have some work to do?

Before we scaled anything @expel_io we defined what great #MDR service looked like, and delivered it.
We started with the customer and worked our way back. What does a 10 ⭐ MDR experience look like?

We asked a lot of questions. When an incident happens, when do we notify? How do we notify? What can we tell a customer now vs. what details can we provide later?
Read 25 tweets
Quick 🧵of some of the insights and actions we're sharing with our customers based on Q2 '21 incident data.

TL;DR:
- #BEC in O365 is a huge problem. MFA everywhere, disable legacy protocols.
- We’re 👀 more ransomware attacks. Reduce/control the self-install attack surface.
Insight: #BEC attempts in O365 were the top threat in Q2, accounting for nearly 50% of the incidents we identified

Actions:
- MFA everywhere you can
- Disable legacy protocols
- Implement conditional access policies
- Consider Azure Identity Protection or MCAS
re: Azure Identity Protection & MCAS: They build data models for each user, making it easier to spot atypical auth events. Also, better logging. There's $ to consider here, I get it. Merely providing a practitioner's perspective. They're worth a look if you're struggling with BEC.
Read 13 tweets
ICYMI, @PwC_UK’s 2020 #threatintel Year in Retrospect report is out now! All team contributed but h/t to @KystleM_Reid! 🔥 You can check it out here: pwc.to/2ZPx7fo In this thread, I will summarise some of what I thought were key findings: 🧵👇 1/n
#Ransomware has become the most significant cyber security threat faced by organisations, irrespective of industry/location. TTPs have pivoted to mass data exfiltration prior to encryption, along with leaks & extortion. S/o to @andyp346 for all your work countering this.🙏 2/n
In 2020, 86% of the incidents that PwC’s Incident Response team responded to were attributable to cyber criminals. 79% of leaks happened in 2nd half of 2020. Our data sees Manufacturing, TMT, & Professional Services most impacted. 3/n
Read 19 tweets
Hushpuppi Ramon Abbas was actually working for a guy in Ontario, Canada, Ghaleb Alaumary, aka "Backwood." Alaumary made a plea deal with the Department of Justice in California, which names Hushpuppi and five others (whose names are still secret) to help launder $45 Million!
Ghaleb had a long history with the police in Canada, but despite multiple arrests, his longest sentence was six months "house arrest!" (source: thecanadian.news/2021/02/18/mon… )
Ghaleb had already been charged in Georgia in 2019, for money laundering and theft from Regions Bank and BBVA Compass Bank! These charges were for crimes in 2017 that were mostly involving using stolen bank accounts to buy plane tickets.
Read 4 tweets
Can we detect ZIP / JScript for initial access on 🪟?

1. Open txt editor
2. var WshShell = new ActiveXObject("Wscript.Shell");

WshShell.Popup("You can configure WSH files to open in Notepad");

WScript.Quit();

3. Save as 1.js
4. Double-click
5. Query SIEM / EDR Image
What about #BEC in O365?

1. Create an inbox rule to fwd emails to the RSS Subscriptions folder
2. Query your SIEM
3. How often does this happen?
4. Can you build alert or cadence around inbox rule activity?
What about lateral movement?

1. Open PS
2. wmic /node:localhost process call create "cmd.exe /c notepad"
3. winrs -r:localhost "cmd.exe /c calc"
4. schtasks /create /tn legit /sc daily /tr c:\users\<user>\appdata\legit.exe
5. Query SIEM / EDR
Read 6 tweets
(1/18) 📢Need videos for #teaching about #forestry? 📢My @ubcforestry online field course just wrapped up. I spent weeks making 113 videos (10 hours!). Videos are organized by playlists below. About 1/4 are #VR 360-degree videos.

🌲Please use and SHARE! 🌳
(2/18) Master video list. All videos, somewhat ordered.
youtube.com/playlist?list=…
(3/18) Old-Growth Forest. #OldGrowth
youtube.com/playlist?list=…
Read 18 tweets
#ESETresearch analyzed operation #Interception, a new espionage campaign targeting aerospace & defense companies in Europe and the Middle East. Initial contact was made via #LinkedIn, where attackers approached targets with fake job offers @jiboutin welivesecurity.com/2020/06/17/ope… 1/5
The attackers sent a password protected RAR archive containing a LNK file responsible for showing a decoy PDF and downloading additional malware. In some cases, this archive was sent directly through #LinkedIn instant messenger. #ESETresearch 2/5
While the victim was being deceived by the decoy PDF, a scheduled task was created, launching WMIC to execute a script embedded in a remote XSL file. This enabled the attackers to get their initial foothold inside the targeted company and gain persistence on the computer. 3/5
Read 5 tweets
1/ Had a really fun, free-flowing conversation with @heavilyarmedc on the Bitcoin Echo Chamber pod. #BEC 22 on the paradigm shift we are living through right now.

Some notes below 👇

2/ Shout-out to everyone who is innovating at the edge. @LightningK0ala building cool ⚡️ stuff like satoshis.place & koalastud.io, @cryptograffiti innovating in the art space, ... Can't wait to see what this future paradigm will bring!
3/ As mentioned on the pod, I hope we will move away from an ad-based model and move towards a direct, support-based model. h/t @tippin_me, @tallyco_in, @vandrewattycpa of LibrePatron, and of course @BtcpayServer 🙏
Read 22 tweets
Meet Donna. Donna is a Financial Executive at a made-up company.

Meet Russell. Russell is the CEO of the same made-up company.

Meet #BEC Scammer, who wants Donna to make a payment to a vendor.

Poor guy. He doesn't know what's about to happen.
Mule account #1. ✅
Donna's a beast. She'll definitely get this done for you, Russell. No need to worry at all.
Read 38 tweets