FLARE #AdvancedPractices has a rep of being a rowdy, hell raising analyst squad (in a nice, fun way). Our culture is to challenge our company norms, demand excellence, take risks, make mistakes, fail & succeed repeatedly. It's who we are.

A #FF of some teammates & team friends:
@ItsReallyNick and @danielhbohannon taught me to $DoTheNeedful, whether I was asked to or not, Ship It and See What Happens

@reesespcres taught me to take chances and make bold moves in our production infrastructure, to innovate despite seemingly immobile technology
@_gormaniac_ & @x04steve taught me to love automations

@ramen0x3f @bwithnell taught me to ask better questions of my data

@3dRailForensics @Isifmobile @ReginaElwell taught me to value quality, and aspire to higher standards

@BakedSec taught me to be a bit nicer
@benhacks @gento_ @siedlmar @BarryV @anthomsec taught me to pivot on things you'd never expect to be analytically relevant

@williballenthin @stevemk14ebr @spresec @jay_smif taught me that almost anything is possible if we labored carefully and creatively
@stonepwn3000 taught me to delegate up and how to fight for your team

@secbern and @jhencinski taught me that to improve you must measure

@BarryV taught me the value of harshing other people's vibes but also bringing a "that's a good point" and/or YouTube link for de-escalation
@cglyer @alex_lanstein @bwithnell @ItsReallyNick (you guys get another) taught me to never underestimate the power of diligent work in our telemetry, and the power of sharing timely information with the community
@matthewdunwoody taught me the value of a well-placed "ok"

@TekDefense @danielhbohannon and @ramen0x3f taught me not to give up on IOCs, more than once

@PenninoPress reminds me that endpoint forensics really *can* help when you're in a pickle
@rwallace46 and @_bromiley taught me to write and share better, and work on doing that in ways that are more articulate and persuasive

@gregLeBl_nc @ReekaEE @MikeOppenheim @invisig0th taught me to value the data model before the data
@MrDanPerez @MJDutch @jonleathery taught me just how deep the rabbit hole can go when you follow a single threat actor to its deepest

@Wanna_VanTa @_gackerman_ @BMcKeg @bryceabdo @tylabs taught me better comms/professionalism & remind me that I must work to stay sharp
@danielcabaniel @Int2e_ @mykill @sj94356 taught me to pull on threads that others might not know how to pull

@a_tweeter_user @wattsopp @mikesiko taught me to be humble and candid
@SElovitz taught me to increase my reach and manage sticky situations

@pr0cy0n taught me to love a challenge and push myself every day and to pay attention to details

@dwire taught me what not to tweet :D
Forgive me if I missed a few. I have so many friends throughout Mandiant that have worked with me and helped me and the team through the years on a myriad of intrusions, malware, TTPs, campaigns, clients, technologies etc. Thank you all and happy friyay.
Also shout out to Todd P, who may exemplify the best of all of us.


More from @stvemillertime

10 Feb
We track a few dozen code languages as they relate to malware and other binary blobs, but I am particularly interested in: Lua, Go, D, NIM, F#, Rust, Python (and various packagers/bundlers/installers/futzers for all of those) (inspired by both @TheEnergyStory and @k_sec)
One way malware developers get extra mileage out of their work is once it has been burned/detected in one code language, they simply rewrite it in another! Many antivirus engines and ML models do not have sufficient sample data for new code language features.
Tired of getting 50+ hits on VirusTotal? Wrap your next payload in Golang. We're tracking 60+ unique code families written in Go...

sidecliff
chaosrat
snakehose
beacon
gost
bestway
trickshow
axeterror
regeorg
smokedham
notrobin
linkspan
punchbuggy
bloodhound
roundbag
sixplus
5 Feb
Everyone has diff vernacular for their models and ideas, but I define detection on a spectrum, where logic for the purpose of finding evil is measured by output fidelity, result set size, time/expertise requirements for review, and most importantly, “threat density.” #detectrum
The #detectrum is just a mental model for me, a way to explain the different intents and purposes for all sorts of logic and technologies and haystacks that help us find and attribute intrusion activity.
It’s not novel or special, but the detectrum can be helpful when you are examining the complex systems (people, processes, myriads of technologies) within a large intelligence apparatus.
28 Jan
#ConventionEngine: Part Cinq - OLE Edition

ConventionEngine is *mostly* about PDBs, directory paths that reflect something about the original code project and development environment. The paths are the signal. Where else will they show up? Why, in OLE objects! Let's explore...
We had a revelation that seeing an RTF with an OLE is not that crazy, but when that inside OLE has, for whatever reason, a full directory path, the whole object becomes so much more interesting. For example, RTF with OLE with C:\Users\ in it. Let's use Yara to take a measurement.
Here's a quick #dailyyara rule looking for RTFs with OLE objects with a path of C:\Users\ in it...somewhere...for some reason. This is odd, and unsurprisingly super threat dense.

gist.github.com/stvemillertime…
21 Jan
How do @Mandiant UNC clusters get formed, merged, and graduate to APT groups or even personas? Look at serial crimes and sprees in meatspace. Multiple crimes on multiple victim systems, multiple places. It takes forensic evidence to tie the cases together. It's the same process.
Foot impression from the crime scene. Is it unique? What shoe is it, where was it sold? How many made in that size? You have to know if the evidence is unique. All the casings, latents, entry toolmarks. Technical evidence is how we group crimes together and move towards an actor.
TTPs and MOs and methodologies and victimologies are important too, but these don't help you get attribution alone. Technical links, grounded in substantiated evidence is the only way.
14 Oct 20
Students of #infosec: @Mandiant and @FireEye folks have put out tons of blogs over the years. Careful reading of these can help you build familiarity with threat actors, intrusion TTPs, and threat data. And sometimes they're just fun. Here's a thread with some of my favorites:
20 Mar 20
ExportEngine: Find Evil by PE Export DLL Names

(a #dailyyara thread)

PE files w/ exported functions often contain an image directory entry that we usually call something like "PE DLL name" or "export DLL name"

This string is "analytically rich" and is surfaced in many tools
Here in a sample of EVILTOSS (APT29) we see lots of valuable metadata in the IMAGE_EXPORT_DIRECTORY but it also contains the plain-as-day export DLL name "install_com_x32_as_dll.exe"
The export DLL name string contains enough predictable developer conventions that you can use simple Yara rules to surface, cluster, and detect/hunt for malicious activity that might otherwise be missed (similar to my prior research on ConventionEngine and PDB paths). Let's look...