I know there’s a desire to calm people down and have some confidence, but I would advise anyone pretending they have an understanding of the scope of the SolarWinds compromise to dial it down a bit. It’s going to take time, could be more accesses, and our collection isn’t great.
E.g. “right now there are only $X orgs that are impacted” is based on very limited visibility with an expectation we understand all the compromise routes and adversary command and control capabilities. We simply don’t know that to be true and won’t in the first couple weeks
Should average citizens be freaking out? No, this isn’t war; stop the hyperbole. From a national security perspective though the President and Congress must have confidence in the integrity of its critical and defense critical sites. We’re nowhere near “we understand this” yet.
I’ve been advising some members of Congress privately and it’s insane the number of bad hot takes that are reaching them from Infosec and media. “This is digital Pearl Harbor” to “this isn’t impactful, it’s only 50 companies.” Extremes don’t help right now.
Also as an aside I don’t care your political party - next time you see a Congressional staffer buy them a coffee or give an air hug - these folks are non-stop working to try to keep folks on track and armed with good info on the Hill, staffers are super under-appreciated

More from @RobertMLee

23 Jun
Fun to be on this episode of @DarknetDiaries - the heroes of the story IMO are Julian & @naserdossary who are interviewed as well and were incident responders on the case. Credit to the @DragosInc intel team for their hard work too (special thx for @ReverseICS @mayahustle)
I think the story really got carried away and at some point Saudi Aramco was named as the victim when in reality they were the first responders helping out their community. Kudos to them and the other unsung heroes. Lots of teams come together to help in such events
I’m thankful Julian and @naserdossary have since joined the Dragos team. Our team is better for having them on it.
3 Jun
I’ve had a few folks reach out to me because of some of my employees’ comments in the media and on their social media apparently expecting me to censor them or take some action. Some general end of day stressed thoughts: (1/x)
First, I’m prior military, please do not play the “support our troops” card on me. Our military has a wide set of diverse views not supporting one position or party. Many support military usage here and many don’t and are following lawful orders but ready to refuse unlawful ones
Second, our customers are damn lucky my firm has diverse views. Lack of diversity is the enemy of success. Diversity isn’t a PC topic to us, it’s not only morally right, but it is selfishly necessary to counter strategic well funded adversaries in highly ambiguous scenarios.
20 May
The story of hardware backdoors from China found in an electric transformer at a US utility is continuing to gain attention; but it doesn’t deserve to. There has only been 1 source of the claim who doesn’t even work at a utility and he has provided 0 evidence.
The story especially with its supply chain angle is sensational and touches on long held fears in DC and elsewhere. But those are fears that have never manifested. So there’s folks who really want to believe this is true. But there’s no evidence of it now nor has there been.
Joe (the individual making the claim) is a really good engineer and has been very important to the development of the ICS security community, but he often has sensational claims that turn out to be very inaccurate, unsupported, or twisted non-maliciously for other purposes.
14 Jun 19
Quick break down on what the Dragos blog today on XENOTIME does and doesn’t mean. Thread:
XENOTIME is the threat responsible for the TRISIS (TRITON) attack in Saudi Arabia. For months Dragos has tracked them including penetrating oil and gas companies in North America. We also observed them start to target (specific reconnaissance) against US electric utilities.
We’ve been privately reporting to the community and made sure we worked with appropriate orgs who could get the word out to the utilities. XENOTIME is the only threat to have crossed the line to have ever tried to kill someone (TRISIS targeted safety systems). It’s serious.
22 Mar 19
(venting a bit warning but also going to talk openly about why we did something.) So @DragosInc acquired NexDefense to release its tool to the community. @digitalbond didn’t like that answer that we’d do this to help folks. He challenged me publicly on it and I explained.
After explaining the full details of why he still decided to run in his newsletter the following: “I'm not buying the stated reason of helping the community by moving Sophia/Integrity to open source.” To a large public audience.
It’s up to everyone to make their own decision but since we’re being called a liar essentially I’d like to expose the reasons to everyone. Which by the way don’t actually impact anyone because it’s still a free tool for folks to use regardless.
17 Jan 19
The moment we (@DragosInc at least) have been waiting for...the S4 ICS Threat Detection results. #S4x19
All the competitors in the space were invited. In the end, three stepped up. Kaspersky ICS, an open source tool team by an ICS sec analyst from an asset owner/operator, and Dragos. Because the others didn’t participate it turned from a competition to more of an evaluation #S4x19
“Claroty and Dragos stepped up early. We reached out to 20+ of the vendors and they all said no.” @digitalbond then notes that Claroty backed out a few weeks before the competition so it morphed to an evaluation. The challenge kicks off with Ron who put 500+ hours into making it