Discover and read the best of Twitter Threads about #noeasybreach

Most recent (3)

OK so this is my last week at @Mandiant / @FireEye 😢

Here's the truth:
♥️ Joining Mandiant was the best decision of my career – the people & company have been SO good to me
🧠 Many of the brilliant minds in security are here & we have FUN every day

1/8
💻🔍 There is no better professional #infosec experience than responding to the intrusions that matter & defending at-scale alongside awesome people. If you have the chance to work here – .
🗓️ One year here is worth many more in experience. So here are some highlights:
2/8
☕️ Doing LRs & writing decoders during my first Mandiant breach response - with #APT17's HIKIT & also BLACKCOFFEE malware using technet for C2: fireeye.com/blog/threat-re…
💰 I was fortunate to lead the first IR for the group that would come to be known as #FIN7
3/8
@cglyer @matthewdunwoody @FireEye @r00tbsd @SecurityBeard @CyberAmyntas @sj94356 @bread08 @DHSgov @CISAKrebs @CISAgov @riskybusiness @shmoocon @mattifestation @_devonkerr_ @williballenthin @cteo13 @Mandiant @gentilkiwi @PyroTek3 @NotMedic @DerbyCon @TalBeerySec Next on the show we talked #APT29's early adoption of cross-platform scripting language backdoors. Their primary backdoor in 2014's #NoEasyBreach was the Python-based implant we call SEADADDY.

Every day or two, they'd move to 10 new systems, dropping SEADADDY on 9 of them.

35/n
In my experience, once an attacker is tipped off to a response, a few things can happen. What happens likely depends on where they are in their mission, mission priority, tolerance for being publicly identified, etc. It also likely depends on how badly they think they're burned.
A victim identifying a phishing doc or phishing backdoor doesn't necessarily mean the op is blown. In fact, it may give the victim a false confidence if they found the initial infection but didn't follow lateral movement. Same if an attacker loses a couple of implants out of many.
However, trying to remove large numbers of implants and missing some, CURLing all of their C2 from your network, uploading several post-exploit backdoor samples to VT, discussing the intrusion in email, etc. - those are things that are more likely to elicit a response.