After more than a decade, today is my last day @FireEye.

Taking a job @Mandiant was one of the best decisions I've ever made & I wanted to share some of the stories & experiences of what it was like, as well as recognize some of the people that helped me learn and grow.
When I started @Mandiant in 2009, the infosec space (it was called information security and not cyber security, for starters) was so different from today. It was fairly rare for companies to get breached, and when they did there was an amazing amount of stigma associated with that.
I was employee 63 (not because there were 63 active employees, but because I was the 63rd employee hired since the inception of the company in ~2005). There were offices in 3 cities (DC, NY, LA) & the company split roughly 50/50 between consultants and software devs on MIR.
Most breached orgs were either compromised by a financial criminal or by something uttered in hushed tones (I'm totally serious): the Advanced Persistent Threat (a moniker created by the US military, but popularized by Mandiant because we were one of the few companies to discuss it publicly).
One thing that made Mandiant different was that we were a technology-enabled consultancy w/Mandiant Intelligent Response (MIR) & a custom network sensor. This enabled us to conduct investigations rapidly & w/significantly fewer analysts compared to other firms, who used 50-100 consultants.
I had a lot of offensive security experience and some incident response/forensics experience prior to Mandiant, but I got thrown right into the fire when I started. Fortunately I was able to learn firsthand from one of the best engagement leads I've worked with, Marshall Heilman.
I learned how to juggle all the crazy competing demands in an investigation: coordinating tasks of the team, driving investigative direction, communicating status, developing a remediation strategy & tailoring it to the client's environment (as well as learning what to hold firm on).
When I first started, Mandiant was known for having a strict remediation methodology (primarily because our ability to move with the attacker in real-time was limited). We recommended every company disconnect completely from the Internet for the weekend while remediation activities were conducted.
You try telling a CEO/CFO/CTO of a Fortune-X company to:
1) Don't play whack-a-mole... let the attacker operate until we have scoped their activity [see my first blog fireeye.com/blog/threat-re…]
2) Disconnect the entire company from the Internet
...and not get laughed out of the room.
But we meant it, because it worked & we'd had an experience of an APT actor coming in during a remediation weekend & deploying new malware.

It was beaten into my head that my success was judged on whether my client successfully dealt w/their problem. If they didn't, we failed.
I remember running an APT11 investigation at a Fortune 200 company & the client refused to stop playing whack-a-mole (which was causing the attacker to change their tactics & imperiling a successful remediation).

I told our VP of consulting (Steve Surdu) that I wanted to fire the client.
It was the biggest consulting project at the time, but he listened to my logic & he supported my decision.

I told the client that we were ending our engagement because we couldn't successfully help them remediate. They were incredulous, but took it to heart & changed course & we evicted APT11.
In my opinion, Steve Surdu is one of the biggest reasons for Mandiant consulting's success. He instilled in every one of us the importance of hiring the best (& how to interview effectively) and held us to standards that few people can reach (which pushed each of us to always improve).
My interview style was shaped by my initial Mandiant interview (it was terrifying b/c it made me realize how much I didn't know).

I've interviewed dozens of candidates & my goal isn't to "stump the chump", but to gain an understanding of the boundaries of their knowledge & their interest in learning.
We rarely found candidates who could slot right in & start executing immediately. Therefore we placed emphasis on people w/a solid foundation in technology & a hunger to learn & complemented that w/a heavy dose of on-the-job shadowing/mentoring/training (which got formalized over time).
I've really enjoyed training/mentoring people in #DFIR. It's probably the area I will look back on most fondly, whether it was spending dinner talking a junior analyst through attacker actions & what sources of evidence to analyze, or discussing the fastest way to find malware on a system.
An effective #DFIR training technique: give the analyst a system already analyzed by a more senior person & use the report as a reference; when comfortable, have them analyze another system w/o the report. Compare both, review the delta verbally & give feedback (focus on teaching the analyst your process).

Wash/rinse/repeat
I remember starting & being intimidated by all the amazingly smart people around me.

My first live response took ~40 hours (I had to research just about everything b/c I didn't know what was "normal" OS noise vs. attacker activity) & everyone else could do it in 1-2 hours.
I was fortunate to teach #DFIR classes both for federal law enforcement & @BlackHatEvents w/an all-star crew (@ryankaz42 @krisharms & Chris Nutt) that helped me hone my teaching skills. There's nothing like hearing a great teacher explain a topic & then emulating it yourself.
I'll be forever grateful to @_HelenaBD & @vasujakkal for giving me the opportunity to co-anchor a re-vamp of #StateOfTheHack as an unscripted series w/@ItsReallyNick. We had no idea what it would turn into when we started, but I'm proud of the reception it's had in the community.

Thread by Christopher Glyer (@cglyer)