Discover and read the best of Twitter Threads about #threatintel

Most recent (21)

Poll time, because I'm curious as to your position. Is a non-disclosure agreement a security measure/control? You can elaborate in the comments, and please retweet for greater visibility. #dfir #infosec #threatintel #security
Almost even on answers so far. Let's get more.
These numbers are so close, so this is clearly not a clean cut issue here. Bumping for more participation.
Read 3 tweets
This activity is attributed to #APT35 🇮🇷. The backdoor used is a variant of what @FireEye calls MANGOPUNCH, which has been observed in intrusions in the past. Attribution matters. It is important to articulate their activities are attributable. #AdversaryPursuit #threatintel
@FireEye #ManagedDefense with initial discovery of MANGOPUNCH in use by #APT35 🇮🇷 back in 2017 at a client that transitioned from Incident Response to our 24x7 Managed Detection and Response offering. We will continue to relentlessly pursue adversaries.…
@FireEye I haven't forgotten about Monica Witt. You have to love the @USMC masquerades. You have to love the Belleau Wood misspelling. Intentional jarhead looking move--or phonetic spelling from an advisor who wasn't in the gun club. I don't know, but interesting.…
Read 3 tweets
Technical intelligence in support of Security Operations and Incident Response ain't easy. #threatintel
My roots are in tactical collection in support of warfighters. At that level, the intelligence cycle is abbreviated at best, and nonexistent as a norm. Information I would collect could be actioned immediately. You quickly learn whether the information was good or not.
I wouldn't trivialize that work for anything in the private sector, but I will say in support of Security Operations and Incident Response, there's an immediate feedback on the information provided. If I'm being honest, the "dry holes" are more frequent than the "jackpots."
Read 6 tweets
I'm familiar with having to explain why a state nexus threat actor would target organizations for their intellectual property. A fairly new dynamic is explaining why for-profit threat actors would target organizations I usually see state nexus actors going against. #threatintel
An example was when FIN6 was hot against a protected organization discussed in the linked blog. Traditional understandings of FIN6 revolved around point-of-sale targeting. However, we have to remember core motivation is monetization of intrusions.…
After that series of intrusions was thwarted, we began to receive calls for ransomware deployments elsewhere. We also saw the stories in the media about more publicized successful ransomware deployments against high profile targets with devastating consequences.
Read 9 tweets
These are points describing national interests in the U.S. Joint Doctrine Note on Strategy. People often talk about "national interests" but rarely are they actually enumerated and described. I think this is helpful when determining what a state's response might be. #threatintel
Read 6 tweets
"Effective intelligence operations employ all information sources, whether organic or external. The value of a source is not necessarily related to the sophistication or cost of that source."… #threatintel
"Effective collection depends upon the use of a variety of mutually reinforcing sources. Necessary, planned redundancy and overlap of sources increase the reliability of information and can reduce the effectiveness of enemy deception or denial efforts." #threatintel
Don't let the military application impede the value you can derive from this stuff. Many organizations still have not bridged the gap between their operations and intelligence elements. Your security analysts are a source, and you should exploit their information.
Read 5 tweets
Our #ManagedDefense took some time to discuss #APT34 🇮🇷 using social media to engage a target and deliver a link to download a malicious document that dropped a new implant #TONEDEAF. This obviously would circumvent email detection, but not #ExploitGuard.…
I know @RHamptonCISSP will appreciate the evidence we're publishing. Security leaders need to be aware of the threats posed by actors operating in other venues, not just through email. Email is still a frequent vector, but for well defended environments, other avenues are chosen.
Read 6 tweets
Someone's trying to backdoor "hexcalc.exe" from GitHub and not doing a great job. Here's a quick exploration of the VT tester's 6 files, the corresponding PDB anomalies, PS1 & Cobalt Strike shellcode, and Yara #hunting rules.

Thread 1/n
The first file tested by the VT account is hexcalc.exe
PDB: D:\codes\WinHexCalc\Release\hexcalc.pdb

This led me to search for the original (shady) project from GitHub:…
and this indeed contains this initial hexcalc.exe

They attempt to backdoor the file 4 different times with PS1 shellcode, uploading all to VT:
PDB: F:\Devel\WinHexCalc-master\Release\hexcalc.pdb
Read 9 tweets
Only about two months later than I originally planned, but here we go. I'll summarise areas we are hiring into in the thread 👇, along with a steer on experience and location where possible (all UK, but happy to make introductions elsewhere).
We have space for a mix of junior and experienced folks in most roles, and there is also a mix of location and partial remote working options depending on the role, so please DM to ask clarification questions or to ask about applying :) A little background on the team:
Cyber Threat Operations is PwC's front-line technical security services group, responsible for a portfolio of blue & red team services to global clients. Blue includes subscription & bespoke #threatintel & research services, short-term & managed endpoint/network threat hunting,
Read 18 tweets
#threatintel thread! The other week, I rendered a high confidence assessment related to malicious activity that I judged was targeting my organization's customers with intent to gain access to our proprietary content. Turns out I was TOTALLY WRONG (1/x)
The activity I THOUGHT was malicious was actually benign and completely expected. Reflecting on the analysis, I realized I fell victim to CONFIRMATION BIAS and FAULTY ASSUMPTIONS. I thought I was immune to these #threatintel phenomena, but I'm not (2/x)
First, I didn't fully understand what I was looking at: what normal customer-to-org interactions look like (authentication). This led to FAULTY ASSUMPTIONS about the nature of the activity I was examining. Boy did it look phishy! There was no way it was legitimate! (3/x)
Read 14 tweets
100% this. @secbern has put a lot of thought and time into this, and even still, as the blog mentions, it is another aid for the human analyst. My team still has to deep dive. This is not a press button receive bacon situation. However, we track somewhere around 1400 clusters.
The number of UNCs (clusters) between two related clusters is often such that the human may have forgotten about the existence of the UNC. This was the case with the APT33 deep dive we did. If it wasn't for this system, it may have taken longer to even compare the clusters.
An effective threat intelligence program combines experts, tools, and data. The experts know the tradecraft, the tools help them scale, and the data gives them something to analyze. Many organizations have only two of these things. That is the primary difference. #threatintel
Read 3 tweets
Although #FIN10 achieved some success targeting the 🇨🇦 casino and mining industry, @FireEye hasn't discussed the actor much since the June 2017 blog article…, because, well… the techniques are a bit abecedarian. (h/t
FIN10 has gone from targeting those industries, stealing PII and extorting victims for BTC, to posting particularly lame, decimal encoded phishing lures to Canadian stock market forums, directing victims to EMPIRE downloads. Decimal encoded URLs are a consistent FIN10 TTP.
To lend some legitimacy to the phishing lures, FIN10 registers masquerade domains and establishes websites using scraped source code from legitimate domains. #trashtics
Read 9 tweets
I've been tagged in quite a few #FF today, and as it's the last Follow Friday of the year, I wanted to take a sec to chat about social media as it relates to #infosec and #threatintel.

Kind of like a year in review.
Social media has been a hot topic this year. It's literally made it into the halls of Congress. But I'm not going to talk about how Jack and Zuckerberg are selling our souls away at our own consent, or about how they're knowingly assisting in foreign information operations.
Let's chat about potential.

Social media has a massive potential for change. You don't have to look much further than the Arab Spring to know that. For our industry, it has a massive potential for great, or awful, change.
Read 14 tweets
I’m a proponent of writing things down. As #threatintel analysts, a big part of our job is recognizing patterns and making connections. But sometimes, we don’t see the connections. Our brains can’t recall as much information as we think they can (1/x).
This is why it’s imperative to document and memorialize your knowledge. Use your IOC database, your commercial TIP, OneNote, Excel, Wiki, IR ticketing system, whatever you have to capture artifacts, IOC, notes (2/x).
Tag your data (hopefully you have a consistent tagging scheme); organize it; capture enrichment data and attributes that may allow for future correlation. Does this take extra time? Is it annoying sometimes in the face of an active campaign or IR operations? You bet (3/x).
Read 9 tweets
OVERRULED: Here's our take on outmaneuvering a potentially destructive adversary…
We talk compromise, RULER, and links to APT33.
Infosec Twitter suggests they dropped #SHAMOON 💥

Shout-out to co-authors: @QW5kcmV3 @_gackerman_ @a_tweeter_user @WylieNewmark
If you liked this part about our threat similarity engine, I have a confession: that is CYBER #machinelearning!

Designed by @BarryV & Nalani F.
Studied & prototyped by our data scientist @secbern.

Learn more here 📺: (it's not officially called APTinder)
If you like Operational Timelines, #AdversaryPursuit has you covered. We're including them in blogs because it's how we operate & it improves #threatintel sharing. Thx @QW5kcmV3

🖼️ #1: Suspected #APT33 ⏲️…
🖼️ #2: Suspected #APT29 ⏲️…
Read 3 tweets
One #DFIR / #INFOSEC thing that is useful to me that I wished I had learned sooner: the art of PDB path pivoting for #threatintel and mal analysis. This is pretty easy, but can be a crazy strong pivot for anyone studying large, tenured threat groups such as many espionage actors.
PDB Path Pivoting Primer

This is a tweet thing about malware PDB paths and their role in the disco, DFIR and/or #threatintel processes, using #KeyBoy as an example.

3/4) What are PDBs?
5) Where/why will I see PDB paths?
6/7) How can I use PDB paths?
8-n) PDB paths and #KeyBoy
What are PDBs?

Program Data Base (PDB) files are used to store debugging info about a program when it is compiled. The PDB stores symbols, addresses, names of resources etc. Malware devs often have to debug their code and end up creating PDBs as a part of their dev process.
Read 15 tweets
One analytical struggle in my life is whether a group executed poorly conceived tradecraft, or well executed deception. Deception is rarely discussed on the "threat intelligence" side of information security. Maybe folks are unfamiliar, or intimidated, I don't know. #threatintel
We're naive to think we cannot be deceived. Governments with seemingly infinite resources and elaborate espionage capabilities get deceived. It's a thing. I'll go further: there are plenty of regular intelligence analysts who rarely discuss deception. It probably scares them.
An entire field is dedicated to carefully misleading intelligence apparatuses. That means understanding your processes, requirements, and capabilities in order to craft essentially an illusion for you to consume. You may execute sound analysis and still be dead wrong.
Read 5 tweets
Obviously this immediately got added to my reading list #infosec #threatintel
Well, off to the races. I'm starting to read through The Perfect Weapon. I'll share my train of thought as it comes up. Sadly, because I'm doing it as an audiobook the snippets I want to quote may not be available online
Includes a reference to the Atlanta ransomware attack among state-linked attacks. I've never seen it framed as state-sponsored, but it provides a good case study for what such an attack on state or municipal governments might look like
Read 32 tweets
#StateOfTheHack follow up. Thank you to everyone who tuned in, and we apologize for the technical difficulties and audio. We are going to get that figured out for future iterations. I wanted to follow up with indicators I talked about at the end to prove a point regarding #GDPR:
My team develops sources and methods for pursuing adversaries across our customers' networks, and beyond. We do not become reliant on a single source, nor do we allow the loss of a source to cripple our collection efforts. Loss of WHOIS information is not a deal breaker.
This is the domain I dropped in our #StateOfTheHack discussion today. The screenshot indicates we illuminated it on day zero of the adversary establishing it. The WHOIS information is privacy protected. However, we didn't discover the domain through registrant information.
Read 5 tweets
#threatintel thread! For the past couple of weeks I've focused on #threatintel REQUIREMENTS. As a consultant working with clients to develop their programs, I focused on this a lot--requirements are important. As a full-time analyst, it's much harder: because OPS!
But, really honing in on the requirements--the specific questions that customers have, the topics they are interested in, how they can best consume information--has been a valuable investment. Here's what I've learned or re-discovered...
For each requirement (or set of requirements), there is information you need to answer the question and a process to follow to fulfill the requirement. Sometimes you'll have the information you need; sometimes you won't, which means that you have to go get it (collection).
Read 16 tweets
Fresh APT loader technique for today's #DailyScriptlet:

cs=Array(#,#,#,#,...): cmd="": For each c in cs: cmd=cmd&Chr(c): Next: cmd=cmd&vbcrlf: Execute(cmd)

This is remotely loaded into memory from source phishing doc that uses renamed wscript & pubprn.vbs to load COM Scriptlet.
@bwithnell and I shared an earlier version of this #APT32 phish technique:
Relevant slide screenshots attached.

They are continually improving each phase of their dynamic, multi-stage infection chain.
@bwithnell SPOILER: the VBScript *still* doesn't properly convert temperatures as promised, but it *will* load good tidings of great Cobalt Strike 🎅🏽
Read 6 tweets