🧵Heading home after a great time at #CYBERWARCON yesterday. IMO, a good threat intel or #INFOSEC conference should mainly 1. Stimulate new thinking and grow the field 2. Facilitate genuine networking 3. Be fun! This conference is definitely all three.
I’m in awe of @JohnHultquist and Amy’s ability to basically will this thing into existence year after year with only a small volunteer force to help them. Thank you to them, the rockstar review board of John, @ridt, @olgs7, @t_gidwani for producing an outstanding agenda…
…and to everyone else who helped put the conference on! My gratitude to the various sponsors that also made this conference possible. Congrats to all on another fantastic year.
All of the presentations were extremely well done, and I unfortunately can’t comment on all of them, but I want to highlight a few specific presentations and give a few of my general takeaways, mainly from an IO perspective:
First, I thought that @DavidAgranovich and Mike Dvilyanski made a valuable contribution by bringing real world data from observations of post-enforcement behavior to the discussion of IO actor persistence. Their discussion on the efficacy and goals of takedowns and exposure was 👌🏼
Check out the takedown that preceded their talk yesterday here: about.fb.com/news/2021/11/t…
@badtakeblake gave one of my favorite talks of the day, highlighting a suspected Colombian government operation’s (Machete) pivot to information operations, some cyber-enabled. Super valuable contribution to the field of LatAm IO and cyber ops, which is heavily understudied
I loved the talk from @juanandres_gs in which he gave a detailed history of state actors using hacktivist fronts as cover, asking “are there any real hacktivists left?” Most importantly, he encouraged analysts and journos to always consider the degree to which we are targets…
or secondary vessels of some of these operations, ie alternate dissemination vectors. A really important point.
A “holy shit” moment for me was hearing @simandsec describe how they’ve watched Iranian operators *literally date* their targets virtually using fake personas of attractive women for 6-8 MONTHS before finally delivering malicious attachments and exfil’ing data from the target…
Talk about patience! MSTIC’s blog accompanying the presentation by Simeon, James Elliot, and @moranned can be found here: microsoft.com/security/blog/…
And now for some more general takeaways. First up, attribution:
Attribution: multiple speakers walked through some very nuanced attribution cases, and gave measured attrib. statements backed by evidence. This is the gold standard we should strive for, and I’m happy that speakers didn’t shy away from complex attrib…
and that the field is mature enough to receive this kind of analysis. In particular, I thought @SiminK_ did a fantastic job both conducting and communicating a really complex attribution process with WIKISAUDILEAKS. Thanks, Simin!
The estimative language used by @badtakeblake in his attrib statement was also top notch. I’m not the only one who thought so, either!
Finally, and I’m biased by having worked on this one, but I was impressed by how @bread08 and @gabby_roncone communicated the #Ghostwriter/#UNC1151 partial attrib. to Belarus, highlighted intelligence gaps, and managed to move the public conversation forward on that campaign…
despite not being able to share full technical details. Check out the blog that our espionage and IO teams jointly worked on for more detail: mandiant.com/resources/unc1…
*Bonus content* Ben and Gabby charging up their attribution super powers while on deck for their talk 💪🏼
Theme 2: We are seeing more and more cyber-enabled IO. Multiple presentations touched on this theme, and I think we need to stay ahead of the game by continuing to track and share the ways in which intrusions, website and account compromises, and hacktivist fronts…
…just to name a few TTPs, are being used in conjunction with IO. In case you missed it, IO may even be being used as an additional coercive lever in ransomware operations! (thedailybeast.com/a-mysterious-n…)
Third, we saw some innovative investigative techniques and uses of data. Two presentations on Chinese IO from @MeiDanowski and @0xZeshan , respectively, are great examples of this.
I also appreciate the precedent @0xZeshan is setting by being willing to share his full investigative data set with other researchers.
Last… holy crap are journalists incredible at conducting investigations! The detail, methods, and sheer quantity of work that @razhael and @Bing_Chris put into their investigation blew my mind. Fantastic findings!
That’s all, folks! Great work to all the other presenters I didn’t get to mention - every single one made a valuable contribution and I enjoyed listening to all of them. See you all next year! #CYBERWARCON #disinformation #infosec
