Discover and read the best of Twitter Threads about #stateofthehack

Most recents (12)

OK so this is my last week at @Mandiant / @FireEye 😢

Here's the truth:
♥️ Joining Mandiant was the best decision of my career – the people & company have been SO good to me
🧠 Many of the brilliant minds in security are here & we have FUN every day

1/8
💻🔍 There is no better professional #infosec experience than responding to the intrusions that matter & defending at-scale alongside awesome people. If you have the chance to work here – .
🗓️ One year here is worth many more in experience. So here are some highlights:
2/8
☕️ Doing LRs & writing decoders during my first Mandiant breach response - with #APT17's HIKIT & also BLACKCOFFEE malware using technet for C2: fireeye.com/blog/threat-re…
💰 I was fortunate to lead the first IR for the group that would come to be known as #FIN7
3/8
Read 9 tweets
After more than a decade - today is my last day @FireEye.

Taking a job @Mandiant was one of the best decision's I've ever made & I wanted to share some of the stories & experiences of what it was like as well as recognize some of the people that helped me learn and grow
When I started @Mandiant in 2009 the infosec space (it was called information security and not cyber security for starters) was so different from today. It was fairly rare for companies to get breached and when they did there was an amazing amount of stigma associated with that.
I was employee 63 (not because there were 63 active employees but because I was the 63rd employee hired since the inception of the company in ~2005). There were offices in 3 cities (DC, NY, LA) & company split roughly 50/50 between consultants and software devs on MIR
Read 20 tweets
🔥 "Hacking Tracking Pix & Macro Stomping Tricks"
📺 pscp.tv/FireEye/1djGXQ…

On this 🆕 #StateOfTheHack, @cglyer👨🏼‍🦲 & I break down trendy tradecraft.

Special guests:
👨🏻 Macro stomping (@a_tweeter_user)
👨🏻‍🦱 CVE exploitation in the trenches (@_bromiley)

👇🏼Episode Recap Thread! 🧵
We start with tracking pixels: ◻️ <spacer.gif>
We break down how marketing tools are used by attackers looking to learn more about their planned victim's behavior and system - prior to sending any first stage malware.
For some background, see this thread:
On the show, we chatted through what we've seen as defenders but also some cool victim behavior profiling methods from our offensive security friends, like those shared by @malcomvetter 🎇:

Ok, so why learn specific Office version used? ...
Read 11 tweets
In response to increased U.S.-Iran tensions & concerns of retaliatory cyber attacks, Iranian intrusion experts @sj94356 & @QW5kcmV3 are on #StateOfTheHack for the latest on all things Iran: #APT33 #APT34 #APT35 #APT39 #MuddyWater & active UNC groups 🇮🇷👨‍💻🕵️‍♂️
@sj94356 @QW5kcmV3 Wait, did @YouTube remove the #StateOfTheHack episode? 👉feye.io/soth 👀
Are we being oppressed? Do they think this is a U.S.-Iran influence operation? ... is it? 🇺🇸🇮🇷Am I going to get a bunch of weird #MAGA replies to this tweet? I have so many questions 😅🙃 ImageImage
For more information on mitigations as well as our public source material supporting the discussion from the show, please check out:
• APT33 graduation: fireeye.com/blog/threat-re…
brighttalk.com/webcast/10703/…
• APT33 webinar & examples: fireeye.com/blog/threat-re…
... (more below)
Read 9 tweets
Just in time for the holidays: #StateoftheHack swag 🖱️👕

You'll never look better enabling those macros. #DailyWoolDrop 😉
customink.com/fundraising/st…
Most recent order: 3 shirts 👕
with the anonymous message: “Just in time to gift one to Hass, Jimbo, and Oleg, your comrade Andy.” 😂
#FIN7 / Combi Security shirt order extended until tomorrow, #CyberMonday2019: customink.com/fundraising/st… Final cutoff.
All of our new Combi Security “employees” should be receiving their on-boarding packages soon!
There is simply no better shirt to wear to your local payment card-processing establishment! #FIN7 🍟🏨🎰🏪🏦 Image
Read 5 tweets
By viewership, these are some of the most popular #StateOfTheHack episodes. I'm curious if you have a favorite show – either from this list or the many others – and WHY.
@cglyer & I change up the format, guests, and depth of technical detail often. Do people just like a blend?
I love the conversations we get to have with people I respect & idolize myself – when we head out to RSAC, Black Hat USA, and DerbyCon. Often the best (more relaxed) conversations happen off camera as we get to know each other better. I'll keep trying to be a better co-host!
Also, does anyone read the show notes for the YouTube upload (feye.io/soth) & the podcast (feye.io/soh)?
I take pride in episode naming but we take suggestions too (pictured episode named by @ramen0x3f).
Show notes are filled with carefully crafted bad puns Image
Read 3 tweets
🎟️🍿Movie Night: "Between Two Steves"
🆕#StateOfTheHack

@cglyer & I chat with the top two Steves from #AdvancedPractices 🦅: @stonepwn3000 & @stvemillertime to talk about the front-line technical stories and research presented at the 2019 #FireEyeSummit.
pscp.tv/w/1YpJkYjBleMKj
@cglyer @stonepwn3000 @stvemillertime 🗣️
• tracking the groups and techniques that matter
• recent #FIN7 events: fireeye.com/blog/threat-re…
• recent #AdvancedPractices team research, including PDB dossier & summit talks on proactive identification of C2, deep code signing research, and rich header hunting at scale...
We highlight a favorite talk
🍎 𝗟𝗶𝘃𝗶𝗻𝗴 𝗼𝗳𝗳 𝘁𝗵𝗲 𝗢𝗿𝗰𝗵𝗮𝗿𝗱 🍎
by @williballenthin, @nicastronaut, @HighViscosity
revealing TTPs & artifacts left behind from the million mac engagement
fireeye.com/blog/threat-re…
We kinda want to do a full #StateOfTheHack on that one...
Read 5 tweets
I’m going to be live tweeting the #FireEyeSummit technical track chaired by @stvemillertime
First up is @HoldSecurity discussing how to harvest information from botnets

#FireEyeSummit
@HoldSecurity Harvests information periodically from various botnet information panels (that give them view into the size and systems in the botnet).

Fun fact - Gozi botnet has so many systems connected all queries on the information panel time out

#FireEyeSummit
Read 91 tweets
Conventional computer science:
> You set the input & the program.
> You get the output.

#MachineLearning:
> You set the input & the output.
> You get the program. 🤯

🗣️@secbern's helpful break down of ML foundations with me & @cglyer on #StateOfTheHack: pscp.tv/FireEye/1OwGWd…
@secbern @cglyer .@secbern shared one of his favorite quotes:
"A problem well-stated is a problem half-solved."
(from famed engineer & head of GM innovation)

Good advice for those who are *building* security ML tech ...but also for those considering it.

Episode also has ML purchasing questions! Image
Read 3 tweets
.#####. #StateOfTheHack stream 📺
.## ^ ##. from the last @DerbyCon 🥃
## / \ ## /* * *
## \ / ## featuring @gentilkiwi 🥝
'## v ##' and @Carlos_Perez 💪
'#####' 1 of 3 episodes w/ @cglyer * * */
pscp.tv/FireEye/1djxXR…
📺 DerbyCon #StateOfTheHack continues...
We're joined by Microsoft security's @n0x08 who shares the global scale issues that he & his awesome @msftsecresponse teammates tackle (spoiler: we're all doomed 💥).
Also stop dropping POCs/exploits on Fridays 🛑🙏
pscp.tv/w/cFFLWzFlVmpZ…
Last #StateOfTheHack stream
📺 @HackingDave on the @DerbyCon conference & community, discussion of changing adversary TTPs, and how @TrustedSec's red team has adapted to improved defenses by using security tools to baseline & imitate legitimate activity 🔥 pscp.tv/w/cFdbYzFlVmpZ…
Read 3 tweets
Please enable Network Level Authentication (NLA) for a layer of pre-auth before a connection is established.
This not only reduces the terrifying #DejaBlue & #BlueKeep RDP attack surface, it's also a top ransomware protection recommendation from @Mandiant: fireeye.com/blog/threat-re… Image
MSRC's @n0x08 notes in his regular checks that "RDP exposure is nearly 3x that of SMB & ~100% are running Windows." Keep an eye on his tweets and recommendations straight from the @msftsecresponse team.
Mandiant's protection & containment strategies (direct link: fireeye.com/content/dam/fi…) gives insight into methods observed and defenses that have worked against interactive, post-compromise deployment of ransomware.
@cglyer & I have covered this extortion trend on #StateOfTheHack Image
Read 4 tweets
We're doing a special #StateOfTheHack episode this week with two of the technical experts who worked for months to graduate the activity clusters into #APT41. I'm sure @cglyer will pepper in #DFIR war stories.

If you've read the report (below),
what QUESTIONS do you still have?
I plan to go deeper on #APT41's:
1️⃣ Supply chain compromises (and nuanced attrib)
2️⃣ Linux & Windows MBR bootkits and how they were found 😉
3️⃣ Third party access 🌶️
4️⃣ Legitimate web services use (and their obsession with Steam)
+concurrent ops, overlaps!
content.fireeye.com/apt-41/rpt-apt…
@FireEye 📺 #StateOfTheHack Stream
"Double Dragon: The Spy Who Fragged Me" 🎮
#APT41 with Jackie, Ray, and @cglyer
pscp.tv/FireEye/1vAGRW…
Read 9 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!