🧵Heading home after a great time at #CYBERWARCON yesterday. IMO, a good threat intel or #INFOSEC conference should mainly 1. Stimulate new thinking and grow the field 2. Facilitate genuine networking 3. Be fun! This conference is definitely all three.
I’m in awe of @JohnHultquist and Amy’s ability to basically will this thing into existence year after year with only a small volunteer force to help them. Thank you to them, the rockstar review board of John, @ridt, @olgs7, @t_gidwani for producing an outstanding agenda…
…and to everyone else who helped put the conference on! My gratitude to the various sponsors that also made this conference possible. Congrats to all on another fantastic year.
All of the presentations were extremely well done, and I unfortunately can’t comment on all of them, but I want to highlight a few specific presentations and give a few of my general takeaways, mainly from an IO perspective:
First, I thought that @DavidAgranovich and Mike Dvilyanski made a valuable contribution by bringing real-world data from observations of post-enforcement behavior to the discussion of IO actor persistence. Their discussion on the efficacy and goals of takedowns and exposure was 👌🏼
@badtakeblake gave one of my favorite talks of the day, highlighting a suspected Colombian government operation’s (Machete) pivot to information operations, some cyber-enabled. Super valuable contribution to the field of LatAm IO and cyber ops, which is heavily understudied
I loved the talk from @juanandres_gs in which he gave a detailed history of state actors using hacktivist fronts as cover, asking “are there any real hacktivists left?” Most importantly, he encouraged analysts and journos to always consider the degree to which we are targets…
or secondary vessels of some of these operations, i.e. alternate dissemination vectors. A really important point.
A “holy shit” moment for me was hearing @simandsec describe how they’ve watched Iranian operators *literally date* their targets virtually using fake personas of attractive women for 6-8 MONTHS before finally delivering malicious attachments and exfil’ing data from the target…
And now for some more general takeaways. First up, attribution:
Attribution: multiple speakers walked through some very nuanced attribution cases, and gave measured attrib. statements backed by evidence. This is the gold standard we should strive for, and I’m happy that speakers didn’t shy away from complex attrib…
and that the field is mature enough to receive this kind of analysis. In particular, I thought @SiminK_ did a fantastic job both conducting and communicating a really complex attribution process with WIKISAUDILEAKS. Thanks, Simin!
The estimative language used by @badtakeblake in his attrib statement was also top notch. I’m not the only one who thought so, either!
Finally, and I’m biased by having worked on this one, but I was impressed by how @bread08 and @gabby_roncone communicated the #Ghostwriter/#UNC1151 partial attrib. to Belarus, highlighted intelligence gaps, and managed to move the public conversation forward on that campaign…
despite not being able to share full technical details. Check out the blog that our espionage and IO teams jointly worked on for more detail: mandiant.com/resources/unc1…
*Bonus content* Ben and Gabby charging up their attribution super powers while on deck for their talk 💪🏼
Theme 2: We are seeing more and more cyber-enabled IO. Multiple presentations touched on this theme, and I think we need to stay ahead of the game by continuing to track and share the ways in which intrusions, website and account compromises, and hacktivist fronts…
…just to name a few TTPs, are being used in conjunction with IO. In case you missed it, IO may even be being used as an additional coercive lever in ransomware operations! (thedailybeast.com/a-mysterious-n…)
Third, we saw some innovative investigative techniques and uses of data. Two presentations on Chinese IO from @MeiDanowski and @0xZeshan, respectively, are great examples of this.
I also appreciate the precedent @0xZeshan is setting by being willing to share his full investigative data set with other researchers.
Last… holy crap are journalists incredible at conducting investigations! The detail, methods, and sheer quantity of work that @razhael and @Bing_Chris put into their investigation blew my mind. Fantastic findings!
That’s all, folks! Great work to all the other presenters I didn’t get to mention - every single one made a valuable contribution and I enjoyed listening to all of them. See you all next year! #CYBERWARCON #disinformation #infosec
THREAD - I found that @2020fight - the account that helped the Covington High School video go viral, according to @CNN, and that Twitter suspended shortly after, had services for hire on Shoutcart - a service that allows users to pay influencers to post videos on their behalf.
Put another way, someone *could* have paid @2020fight to post the viral video that sparked one of the most toxic 24-hr news cycles we've recently seen and led @POTUS to take sides and criticize the press. The video was viewed at least 2.5 million times.
This highlights an under-discussed aspect of information operations - information laundering. You don't need a bot network or sockpuppet to make divisive information go viral - you just need a few bucks and an influencer or trusted source willing to do it for you.