Profile picture
Matthew Dunwoody @matthewdunwoody
, 9 tweets, 3 min read Read on Twitter
In my experience, once an attacker is tipped off to a response, a few things can happen. What happens likely depends on where they are in their mission, mission priority, tolerance for being publicly identified, etc. It also likely depends on how badly they think they're burned.
A victim identifying a phishing doc or phishing backdoor doesn't necessarily mean the op is blown. In fact, it may give the victim a false confidence if they found the initial infection but didn't follow lateral movement. Same if an attacker loses a couple of implants out of many
However, trying to remove large numbers of implants and missing some, CURLing all of their C2 from your network, uploading several post-exploit backdoor samples to VT, discussing the intrusion in email, etc. - those are things that are more likely to elicit a response.
If the attacker wants to maintain access, they'll likely change toolsets and infrastructure. This may mean a new backdoor family or they may move to web shells, tunnelers, using legit creds for VPN/Citrix/cloud services, etc. They may leave their burned tooling or remove it.
The attacker may also go for spray and pray - deploying so much malware that the victim can't keep up, thus buying time to complete the mission. This may require more labor, but doesn't require much depth of tooling. This is a good tactic for smash and grab operations.
The attacker may do both, as in the incident we discussed in #noeasybreach - deploying new and stealthy malware while also mass-deploying known backdoors.
Of course, the attacker may pack up and leave, if they have already completed their mission, or if they are very sensitive to being identified or averse to exposing TTPs. Never assume this is the case until you've run down every lead.
In addition to maintaining OPSEC, it is also important to fully scope an incident before attempting remediation. Once an attacker has had time to move laterally, it is too late to play whack-a-mole. Remove attacker access, reset passwords, and address infection vector in one move
See this thread from @cglyer for more remediation thoughts and examples of stalling attackers without tipping your hand.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Matthew Dunwoody
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#noeasybreach

More from @matthewdunwoody see all

Profile picture
Some observations about Russian #APT29, after dealing with them for years (my views, not my employer's):
#APT29 has used generic phishing emails, like "efax notification". They work on gullible users and hinder identification as targeted attack.
#APT29 uses at least 3 types of backdoors: phishing, operational, persistence.
Read 13 tweets

Related threads

Profile picture
I know the world is on fire, but I need to draw your attention to a fast one being pulled at @statedept.
I have ranted before about the proposed merger of PA and IIP and. Going to do it again, because it is happening at a time when the global information playing field is only getting more dangerous.
To those who need a refresher, Public Affairs (PA) is America's global microphone on news. International Information Programs (IIP) educates the world about American values like civil liberties and human rights. Sounds pretty similar, doesn't it?
Read 10 tweets
Profile picture
Few things exemplify the moral corruption of the Republican Party (and Iowa’s 4th Congressional District) than its tolerance of a knuckledragging racist like Steve King. His own caucus should expel him.
On the theme of this tweet from the other day about the odious Republican Congressman Steve King, @JuddLegum has thoughts to add. I wonder if donors like @LandOLakesInc & @ABABankers support King because of his racism rather than the anti-Semitism.
Update, via @JuddLegum — Good. How about it, @ABABankers ?
Read 4 tweets
Profile picture
It's art up for review in opinions, of course I'm going to gravitate towards something shared with interest, when he didn't say a word for 2 days! Why was he there? #opendata #smartcities #bigdata #ai
I went through every single video he released in hip hop to understand him not saying a word. Easy to work out, he's a very bitter man who has absorbed all his parents immigrant opinions at home #opendata #smartcities #bigdata #ai
His parents are not middle class anywhere & neither is he #opendata #smartcities #bigdata #ai
Read 3214 tweets
Profile picture
Once you get past all of the yelling and carrying on, there are some really interesting discussions going on in our mentions about Alex Jones and, if we’re being honest, we’re all saying the same thing. Kinda.

Allow us to explain (in a disgustingly long-winded tweet storm):
Ultimately, what happened yesterday was dumb. All of these platforms (@facebook, @Spotify) decided to simply follow the leader (@apple) to make the call they should have made years ago according to their Terms Of Service. That’s why it looks, to Jones fans, like “collusion”.
@Facebook, just a week ago, said that threatening to kill Robert Mueller was not a violation of their Terms. Then they did and gave him a time out. Then they banned him. No wonder Infowars fans think it’s fishy. In reality, they should have banned him immediately after the video.
Read 12 tweets
Profile picture
So here's my favourite little quirky thing in New York, which to me is a perfect embodiment of New York's attitude, and a direct result of New York's street grid, arguably two of the city's most famous aspects…
To get started we really have to go waaaay back. Here’s a map of the city back when it was still called New Amsterdam. You can see a few streets starting to form, including one next to a defensive wall (no points for guessing what that street is called)
So New Amsterdam became New York and the city continued to expand out.

You can see a few grids appearing. The Delancey family had started making their own grid, but supported the crown during the revolution and so afterwards were exiled and their land given to New York.
Read 31 tweets
Profile picture
Once upon a time, there was a prince named Gabriel who lived in a shrinking kingdom. A blight had swept in from the east, withering plants, sickening animals, and fouling the water. It left behind a great waste where nothing would grow and no one could survive.
For years, the king held audience with anyone who claimed to be able to halt the spread of the blight and restore life to the waste, but no one—from farmers with knowledge of the land, to sorcerers with arcane magics—could find a solution.
Rumor held that a powerful faerie had cursed the kingdom over a slight, real or perceived, and that was why no human magic could reverse the devastation. People were forced from their homes. Some fled west, toward the capital at the foot of the mountains, some to other countries.
Read 172 tweets

Trending hashtags

#FLY #RICO #HarveyWeinstein #yourewelcome #BreakingMyTwitter #RecordStoreDay2019 #BeBest #InternetBillofRights #NeverForget #Cypriot #smartcites #webdev #BeepBeep #KevinSpacey #ETTD #MusicSermon #ThoughtsAndPrayers #au #TrumpLies #soon #EgyptStation #Memo #bigdata #RecordStoreDay #smarcities

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!