Share this page!

Katie Nickels Profile picture
Twitter logo
23 Dec, 19 tweets, 3 min read
I'm generally a pretty positive person, but it's Festivus, so let's blow off some steam and air our #threatintel grievances. Threat intel feeds are just data feeds, they're not threat intel. Please stop naming groups after malware, it's confusing AF.
Nation states are not countries. CC @cnoanalysis en.wikipedia.org/wiki/Nation_st…
If you use fear, uncertainty, and doubt to sell things, you are a GRINCH and please stop.
"APTs" matter sometimes, but for most orgs, you're a lot more likely to be affected by stuff like BEC and ransomware. Please stop panicking about every new "APT" report and patch things.
Stop being jerks to new people. They're learning, and they could end up being your boss someday, so be nice.
PDFs of reports are AWESOME, but please, please, put the DATE ON THE FRONT PAGE. Don't make me go search for your corresponding blog post because I am lazy.
Just because someone disagrees with you doesn't make them a bad person. Disagreement is GOOD in threat intelligence.
Stop yelling at people who include TTPs and not indicators. TTPs are useful too.
Please stop just listing ATT&CK techniques with no additional context or detail.
Don't steal other peoples stuff. Give credit if you use someone else's work.
Don't use those fake PDF readers that track people when they're reading your reports but make them think they're in a PDF reader.
Don't worry too much about attribution to a person/country/military unit unless you actually need that. For many of us, that doesn't really matter, and you can take the same actions knowing how the threat acts. Don't @ me. 😉 Threat intel is more than country-level attribution.
Scans are not attacks. h/t @WylieNewmark
Putting on makeup is a pain in the ass. I deem this as threat intel-related because it's my thread and I feel like I need to put on makeup when doing threat intel presentations.
Please stop asking if something is being recorded and if the slides are being shared if that's already been stated. This is annoying. Yes, I admit, this is completely hypocritical because I'll probably ask it, but whatevs.
Lazarus and Winnti.
"Indicators" without context. That's not an indicator and it's sure as heck not threat intel.
Markdown.
When samples aren't in VT.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Katie Nickels

Katie Nickels Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @likethecoins

Katie Nickels Profile picture
18 Dec
A threat of thoughts + actionable detection ideas from the latest Microsoft #Solorigate post...microsoft.com/security/blog/… ... this is a sweet diagram and hopefully helps make clear the different ways you could be impacted. Not every victim makes it past initial C2.
I think a lot of this we already knew, but lmk if there are nuggets in here that popped out.
Another super helpful explanation of the DGA C2 domains. I love the MS graphics people.
Read 14 tweets
Katie Nickels Profile picture
16 Dec
Happening NOW! You can still join us here, and I'll be live-tweeting what @Robert_Lipovsky and @adorais share. sans.org/webcasts/star-… Image
.@Robert_Lipovsky kicking off with something I believe as well...crimeware is a greater threat to most orgs than state-sponsored threats. Even this week!
Many cyber crimes involve different jurisdictions - rarely is adversary infrastructure all in the same country, so law enforcement and private industry have to cooperate globally.
Read 28 tweets
Katie Nickels Profile picture
28 Oct
I'll attempt to live tweet this awesome webcast from @Wanna_VanTa and @x04steve on Ryuk and UNCs behind them! Roughly 1/5 ransomware intrusions have been related to Ryuk. @Mandiant @sansforensics
Tracking Time to RYUK! This is a good metric to track as much as you can.
So what's an UNC? UNC = "uncategorized" - a way to cluster unique activity that is fundamentally related. They're "labels" or "buckets". UNCs might become FINs or APTs someday, but that requires time.
Read 19 tweets
Katie Nickels Profile picture
11 Mar
I hope everyone considers mental health as well as physical health right now - take account of how you're feeling as well those around you. I realized earlier this week I was feeling a little down, so here are a few things I've done to help me cope...what has helped you?
Limiting my exposure to coronavirus news. I've muted keywords on Twitter and asked Slacks to limit discussion to a single channel. I watch the news every evening so figure I will get significant news there, or I look at the latest news when I feel mentally up to it.
Identifying things I'm gaining, not just losing. I'm pretty down because I didn't get to go to Zurich or Chicago this month. But I AM establishing healthy sleep habits, eating better, exercising regularly, and spending more time with my husband. I also have time to dig in at work
Read 8 tweets
Katie Nickels Profile picture
21 Dec 18
I want a list of all "cyber" indictments from the US DOJ and couldn't find one. Here are the 11 I have so far…which am I forgetting/getting wrong? (I’m using name/topic from the indictment as shorthand.)
(1) May 2014 PLA Unit 61398 (justice.gov/opa/pr/us-char…) (1/n)
(2) March 2017 FSB (justice.gov/opa/pr/us-char…) (2/n)
(3) November 2017 Boyusec (justice.gov/opa/pr/us-char…) (3/n)
Read 19 tweets
Katie Nickels Profile picture
21 Dec 18
I previously tweeted that a prior indictment was ~APT10. I was analytically lazy & wrong. So I want to highlight parts of the actual #APT10 indictment from today. First, DOJ used the term APT10. I can't recall other cases where DOJ has used an existing group name, can you? (1/n)
They also mentioned other group aliases. A reminder to consider @RobertMLee's valid points about how group names can't be exact overlaps due to different visibility and analysis methodology between companies (sans.org/webcasts/threa…). (2/n)
Noteworthy that the actors were associated with a company acting "in association with" MSS. This made me think of @Jason_Healey's Spectrum of State Responsibility (atlanticcouncil.org/images/files/p…). (3/n)
Read 14 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @likethecoins has new unrolls!

Check out other threads from @likethecoins!

Read all threads by @likethecoins