Profile picture
Christopher Glyer @cglyer
, 8 tweets, 3 min read Read on Twitter
Remediation strategy in #DFIR is always a fun topic - with many opinions & not always a clear rule book to follow. It's like the English language for every rule there are 5 exceptions. My views have evolved over time - from combo of experience & as monitoring tools have improved
If you catch attacker early in attack lifecycle - this one is pretty easy. Take action immediately before they get a strong foothold. Very few exceptions to this rule. Tipoffs you are early in attack lifecycle. Malware owned by primary user of system or malware in startup folder
Opposite end of spectrum - if attacker has been there for months/years - it will take at the very (and I mean very) least a few days to get bare minimum handle on infected systems & how accessing the environment. Bigger challenge is client ability to take "big" remediation steps
Most victims who have to remediate quickly, will do least resilient measures (e.g block IPs/domains, change affected passwords of few accounts, & rebuild a few systems). Biggest risk here is that you've missed a backdoor & inadequate remediation steps allow attacker to "run wild"
Once you've tipped your hand to attacker - you've committed your org to permanent whack-a-mole (for as long as it takes) until you've dealt w/ problem. For great example - check out @ItsReallyNick & @matthewdunwoody's No Easy Breach talk @DerbyCon #APT29
One time on day 1 of a compromise assessment - I found attacker had compressed a few hundred gigs of sensitive data the day before...but had only stolen a few of the split RAR archives. We were in a real pickle. They'd been there for months - and we had no idea scope of intrusion
We got creative & wrote tool that could corrupt password protected RAR archives & also rate limited attacker's C2 where they exfilled data. We watched the attacker steal (very slowly) RAR archives over the next few weeks while we scoped the intrusion & prepared for remediation
We accomplished the goal of protecting the client (and their data) while giving our teams the time and space to remediate. Side note: would love to see face of the Chinese APT operator(s) when they realized they spent a month downloading hundreds of Gigs of corrupted RAR archives
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Christopher Glyer
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#DFIR #APT29

More from @cglyer see all

Profile picture
Long rumored @TheJusticeDept indictment of #APT10 is out. sc.cnbcfm.com/applications/c…
Here are my observations/highlights from reading the indictment (channeling my inner @pwnallthethings):
-the indictment indicates #APT10 operations started in 2006 and went through 2018. The 2006 activity was likely focused on US Government, Military, and defense contractors

1/n
Interestingly the indictment calls out multiple government organizations by name that were victims including:
@NASAGoddard, @NASAJPL, @LLNL, and the @USNavy

2/n
Read 24 tweets
Profile picture
"You've Got Mail"

@danielcabaniel @CyberAmyntas discussing email phishing and mail server attack trends

#FireEyeSummit
APT34 compromised a trusted partner org - and used that to abuse trust (convinced user to enable macros) and successfully phish victim

Subsequently staged data theft files on the Exchange server as .png files and downloaded from the server.

#FireEyeSummit
C-level credential phished while on vacation - APT34 used account access to phish entire company. Even though infosec team blocked URL on web proxy - employees switched to guest wi-fi to access the URL.

#FireEyeSummit
Read 10 tweets
Profile picture
.@TekDefense introducing our next talk about unmasking APT38 - a North Korean threat actor focused on financial attacks

Blog released today with more details
fireeye.com/blog/threat-re

#FireEyeSummit
APT38 targeted banks (SWIFT messaging initiated wire transfers you've read about in the news) and crypto currency exchanges (among other orgs)

#FireEyeSummit
Yes - you read that right. APT38 has used multiple different (and escalating tactics over time) to destroy evidence including deploying ransomware and running disk wiping malware

#FireEyeSummit
Read 7 tweets

Related threads

Profile picture
BREAKING.💥💥💥 #MarkJudge's publication at a Russian Orthodox website sponsored by the Russian government and managed by a professional propagandist working for the administration of the Russian president. Article + thread 👇 medium.com/@ZarinaZabrisk…
Breaking: #MarkJudge publications in Russia+ #ChuckJohnson's website, ties to #Kremlin, #Dugin #Trump. @WendySiegelman @dcpoll @grantstern @velvetblade @AlexandraChalup @peterjukes @lukeharding1968 @carolecadwalla @J_amesp @craigunger @patrickLSimpson @ushadrons @nycsouthpaw ☝👇
1. On December 16, 2016, a Russian Orthodox website Pravmir published #MarkJudge ’s article, linking the translation to the original to the Catholic News Service website.
Read 31 tweets
Profile picture
1. You’ll see lots of actual Chancellor today too - in Commons then at Committee, no doubt will be asked about Brexit risks to economy just as....
2. Jacob Rees Mogg and co will be making case for economic deal with radical distance from EU - unlikely to shift many opinions now
3. Since 2016 clear majority of economic opinion has suggested economy will grow more slowly after Brexit - but Mogg and co trying to explain alternative to close relationship again, they believe would be more prosperous
Read 5 tweets
Profile picture
Right, so tomorrow is International Mother Language Day, and partially because I wont be at @LonGaeilge to waffle on about stuff in Irish, I'll waffle a bit about #IMLD here in English
I've no idea where this waffle will go, I'm just doing to lash into it without any direction in mind. #IMLD started in Bangladesh. Bangla is a language that is of central importance to #IMLD and to me personally.
If it wasn't for #Bangla, I know for certain that my #Gaeilge would not be what it is. It was when I started to learn Bangla that I also started going back to learning Irish.
Read 27 tweets
Profile picture
Our first FREE information session starts now, you can follow #ImmigrationCorner to keep up with the conversation!
Canada is fast becoming the choice destination for many immigrants to live and contribute to the country's economy. There are more than 60 immigration programs for foreign nationals interested in immigrating to Canada. #ImmigrationCorner
While many of the 60 programs are for temporary residents (visitors, students, and temporary workers), the Express Entry system is the most popular route through which permanent resident applications are accepted and processed. #ImmigrationCorner
Read 30 tweets
Profile picture
HEALTH CARE THREAD:
1. Tax fight
2. CHIP
3. Bipartisan ACA fix
4. HHS Secretary
5. Sabotage
6. ELECTIONS
7. Future: care for all—or repeal
Picking this back up at 4. Topics 1, 2, and 3 are covered in the thread starting here:
4. HHS Secretary. Tom Price resigned in a toxic cloud of corruption, failure, and abuse of office. Choosing a non-awful successor = critical
Read 51 tweets

Trending hashtags

#Revolutionary #LUNAR #Fourth #James #Kremlin #WhitePrivilege #english #opendara #au #ComplimentsOfTheSeason #HumanTrafficking #Afghanistan #MeToo #TheArrival #education #Guerilla #Russians #Ancient #DonaldTrump #India #Iranian #heritagespeakers #racism #Midterms2018 #Socialist

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!