I'm going to let slip a little tidbit that's a dirty industry secret. I'm sure many of you have heard how we cracked the JP diplomatic cipher and knew the Pearl Harbor attack was coming.
Welp. Buckle up. A short 🧵 to remind you all security is theater.
The supposed "good guys" (federal LE and intelligence agencies, private security researchers, etc.) have access to the backend infrastructure of many of the more notorious cybercriminal gangs, some of whom are enemy-state-funded-and/or-directed.
This means that they can see exactly who's involved, from both a perp and victim standpoint. They can see their TTPs (tactics, techniques, and procedures). They can see how, when, and where they're using their tools. They can often see internal comms among the threat actors.
tl;dr? They can see the attacks coming. They know who's about to be hit. Once done, they can see exactly what was done. They know what was taken. They could put a stop to it at any time. In the few instances when they do perform a takedown, they are quick to crow about it publicly and pat themselves on the backs for doing such good work.
But most of the time, they sit and watch, in the name of "intelligence gathering". They lie to themselves, and think that, by sitting idly by, they're somehow strengthening their hand, and when they finally do choose to act, the impact will be greater for it.
Except, it's not. In all but a few cases, the threat actors get away scot free. No one goes to jail, no one is even identified. They just regroup, re-org under a different name with different infrastructure, and carry on with business as usual, typically within a few weeks to a few months.
There's no pyramidal structure like there is in the drug trade. There's no "big guy" to go after that's coordinating everything. They're highly agile, highly decentralized, and taking out one cell -- for lack of a better term, but it's quite apt here -- has little to no effect on any other.
These people literally sit and watch major international crimes happen, and do nothing.
As far as I'm concerned, they're complicit.
Many of the private researchers with access are intentionally leveraging that access for profit. Either to give advance warning of an impending attack to their employer, or to the businesses their employers do business with and therefore have exposure with, or they work for cybersecurity companies, and this "inside baseball" is the edge that the companies advertise to their clients.
In sum, it's a bunch of people playing super-sekrit-skwirl and feeling self-important because they're privy to something very few are, while literally implicating themselves in major crimes, all for a buck.
The intel gathered COULD be used to protect potential victims. But these preening peacocks don't want to "burn the infra" the threat actors are using, because they know that, once potential victims mysteriously start blocking IPs and domain names en masse that the TAs haven't used for an attack yet, the TAs will know something's up, and these "good guys" will likely lose their access as the TAs tighten things up and move stuff around.
@cobaltspike even has access. You're not coordinating. You're Keystone Kops, running around feeling good about yourselves while accomplishing nothing.
@cobaltspike Given that, one absolutely has to wonder what your perspective is. So far, it seems to be, "but we're the goodies!"