I'm generally a pretty positive person, but it's Festivus, so let's blow off some steam and air our #threatintel grievances. Threat intel feeds are just data feeds, they're not threat intel. Please stop naming groups after malware, it's confusing AF.
If you use fear, uncertainty, and doubt to sell things, you are a GRINCH and please stop.
"APTs" matter sometimes, but for most orgs, you're a lot more likely to be affected by stuff like BEC and ransomware. Please stop panicking about every new "APT" report and patch things.
Stop being jerks to new people. They're learning, and they could end up being your boss someday, so be nice.
PDFs of reports are AWESOME, but please, please, put the DATE ON THE FRONT PAGE. Don't make me go search for your corresponding blog post because I am lazy.
Just because someone disagrees with you doesn't make them a bad person. Disagreement is GOOD in threat intelligence.
Stop yelling at people who include TTPs and not indicators. TTPs are useful too.
Please stop just listing ATT&CK techniques with no additional context or detail.
Don't steal other people's stuff. Give credit if you use someone else's work.
Don't use those fake PDF readers that track people when they're reading your reports but make them think they're in a PDF reader.
Don't worry too much about attribution to a person/country/military unit unless you actually need that. For many of us, that doesn't really matter, and you can take the same actions knowing how the threat acts. Don't @ me. 😉 Threat intel is more than country-level attribution.
Putting on makeup is a pain in the ass. I deem this as threat intel-related because it's my thread and I feel like I need to put on makeup when doing threat intel presentations.
Please stop asking if something is being recorded and if the slides are being shared if that's already been stated. This is annoying. Yes, I admit, this is completely hypocritical because I'll probably ask it, but whatevs.
Lazarus and Winnti.
"Indicators" without context. That's not an indicator and it's sure as heck not threat intel.
Markdown.
When samples aren't in VT.
A threat of thoughts + actionable detection ideas from the latest Microsoft #Solorigate post...microsoft.com/security/blog/… ... this is a sweet diagram and hopefully helps make clear the different ways you could be impacted. Not every victim makes it past initial C2.
I think a lot of this we already knew, but lmk if there are nuggets in here that popped out.
Another super helpful explanation of the DGA C2 domains. I love the MS graphics people.
.@Robert_Lipovsky kicking off with something I believe as well...crimeware is a greater threat to most orgs than state-sponsored threats. Even this week!
Many cyber crimes involve different jurisdictions - rarely is adversary infrastructure all in the same country, so law enforcement and private industry have to cooperate globally.
I'll attempt to live tweet this awesome webcast from @Wanna_VanTa and @x04steve on Ryuk and UNCs behind them! Roughly 1/5 ransomware intrusions have been related to Ryuk. @Mandiant @sansforensics
Tracking Time to RYUK! This is a good metric to track as much as you can.
So what's an UNC? UNC = "uncategorized" - a way to cluster unique activity that is fundamentally related. They're "labels" or "buckets". UNCs might become FINs or APTs someday, but that requires time.
I hope everyone considers mental health as well as physical health right now - take account of how you're feeling as well as those around you. I realized earlier this week I was feeling a little down, so here are a few things I've done to help me cope...what has helped you?
Limiting my exposure to coronavirus news. I've muted keywords on Twitter and asked Slacks to limit discussion to a single channel. I watch the news every evening so figure I will get significant news there, or I look at the latest news when I feel mentally up to it.
Identifying things I'm gaining, not just losing. I'm pretty down because I didn't get to go to Zurich or Chicago this month. But I AM establishing healthy sleep habits, eating better, exercising regularly, and spending more time with my husband. I also have time to dig in at work
I want a list of all "cyber" indictments from the US DOJ and couldn't find one. Here are the 11 I have so far…which am I forgetting/getting wrong? (I’m using name/topic from the indictment as shorthand.) (1) May 2014 PLA Unit 61398 (justice.gov/opa/pr/us-char…) (1/n)
I previously tweeted that a prior indictment was ~APT10. I was analytically lazy & wrong. So I want to highlight parts of the actual #APT10 indictment from today. First, DOJ used the term APT10. I can't recall other cases where DOJ has used an existing group name, can you? (1/n)
They also mentioned other group aliases. A reminder to consider @RobertMLee's valid points about how group names can't be exact overlaps due to different visibility and analysis methodology between companies (sans.org/webcasts/threa…). (2/n)
Noteworthy that the actors were associated with a company acting "in association with" MSS. This made me think of @Jason_Healey's Spectrum of State Responsibility (atlanticcouncil.org/images/files/p…). (3/n)