Jake Williams
Apr 7, 10 tweets, 4 min read
Quick 🧵on yesterday's FBI partial takedown of #CyclopsBlink.
1. Even for privacy types who fear government overreach (like me) this was a net positive. We should seek to degrade nation-state threat actor capabilities where it is possible to do so without collateral impact. 1/
2. The fact that WatchGuard assisted in the operation is critical. Obviously they have a vested interest in helping, but that's beside the point. It provides a level of private sector oversight that's often lacking in government operations. 2/
Now I'm not an idiot. I know the FBI gets the final say in anything being done. But if they were abusing this access in any way during the op, there's a 1000% chance that will eventually leak given the private sector involvement. 3/
3. I think it's important that the @FBI clarified it didn't interact with the devices other than through C2 channels already established. It's also important they state they didn't collect any data (except serial number) from the devices. I get that's still not enough for some 4/
4. What can the @FBI do better? I'd personally like to see a public statement committing the FBI will NEVER use access gained through countering foreign cyber threats to investigate crimes (except terrorism or imminent loss of life). 5/
It's important the FBI publicly state they won't use parallel construction either. If you're not familiar with parallel construction, read this. My doc said my BP is too high to keep talking about this, but TL;DR it's basically shredding the 4th Amendment. 6/
en.wikipedia.org/wiki/Parallel_…
5. I've run into some of the @FBIPittsburgh and @FBIAtlanta (less so for @FBIOklahomaCity, though I'm sure they're awesome too) cyber folks in my travels. They are top notch. Legit badasses. It was no surprise to see them leading this. 7/
6. It was absolutely CRITICAL for the public trust that @FBI tried to remove the C2 using more traditional means first (e.g. contacting victims through ISPs). But we all know there will eventually be a case where exigent circumstances take over and waiting won't be an option. 8/
I implore @FBI to publish a framework for when that will be necessary. Get public feedback. Listen.

Sure, some will claim publishing the framework for what constitutes exigent circumstances will "give our playbook to the enemy." My friends, public trust is FAR more important 9/
I could keep going, but I'll close it out here. Bravo to the @FBI for its work in drop-kicking it to the Russians when they absolutely need points of presence for cyber operations, particularly in the US. /FIN

More from @MalwareJake

Apr 2
If you were starting a CTI program from the ground up at a new organization, what's the first thing you'd do?
I wasn't poisoning the well with an answer yesterday, but here we go:
1. Identify the *real* stakeholders (often harder than it seems) - who is my executive sponsor? What do *they* care about?
2. Ask what types of products they will find valuable. 1/
3. Create a formal charter documenting what my left and right limits of fire are (scoping the project)
4. Get the executive sponsor to agree to the charter (or adjust it until they do)
5. Work with stakeholders to determine PIRs
6. Document all PIRs 2/
Mar 28
Quick 🧵on APT vs EDR (and other security tools): Advanced threat actors likely have more seat time evaluating your EDR than you do. They know what it catches in a default state - and more importantly, what it doesn't catch.

This means custom detections are CRITICAL. 1/
But lots of orgs don't want to take on the overhead of custom detections, usually because they think the vendor ruleset is good enough.

The vendor ruleset is good at detecting lots of stuff across a variety of environments with minimal false positives. Focus on the last part. 2/
Vendors generally won't deploy rules that could be helpful to you but will create false positives in other environments.

They may lose a contract for a missed detection. They will definitely lose contracts over a denial of service condition. For them, this is just business. 3/
Mar 24
Let's decompose the comms from Okta about its compromise from the perspective of an incident responder and someone who has worked numerous incidents with third parties involved.

First, let's acknowledge that Okta itself is a victim. 1/
okta.com/au/blog/2022/0…
As such, this isn't meant to target Okta for being a victim. It's to discuss how things were handled *after* it became clear that there had been a compromise at a third-party servicer.

Some are making hay about Okta using a third-party servicer as if that itself is a big deal. 2/
My first thought there was "no big deal." Realistically, any organization the size of Okta must have good contracting and oversight of third parties in place. That would certainly include incident reporting from third parties.

Now seeing the timeline details, I was wrong. 3/
Mar 17
My friends, you cannot "automate cyber threat intelligence." Anyone claiming you can is selling you something, doesn't understand what CTI really is, or possibly both.

You CAN automate some CTI functions to provide the analyst higher quality data, but you still need people. 1/
This should make sense. True machine cognition just isn't something that exists today. Maybe it never will. So we're left with algorithms. And those algorithms are known to your adversaries. At least they are for any tool you buy (if you can buy/acquire it they can too). 2/
Big US intelligence agencies have CTI analysts. Why? Because it can't be fully automated.

Oh, and one more thing: buying a threat feed is not "doing CTI" and using your EDR to search for IOCs from a feed is NOT threat hunting. Sorry if that hurts, but it's the truth. 3/
Feb 27
As we gear up for Monday after seeing a weekend of conflict, nothing has changed in my assessment of the likelihood of Russian government-led destructive cyberattacks against US or EU commercial infrastructure. The risk remains low.

Russian cyber operators are too busy. 1/
By every account, Russia is not performing the way it expected to in Ukraine. Other countries are offering lethal aid (finally) to Ukraine. There's reporting that Putin has replaced key military leadership. Kosovo is asking for a permanent US base. 2/
reuters.com/world/europe/k…
All of this means that Russian leadership needs intelligence. Lots of it. Without going further down that road, suffice it to say that unless your network provides game changing intelligence, you're probably not being targeted by Russian government cyber operators. 3/
Feb 26
Quick thread about why action like this is counterproductive if you're not working with a government:
This is a weapons supplier in Belarus. You'll probably remember that Belarus was used as a staging ground for the Ukrainian invasion; they're not exactly neutral. 1/
They are seen as so pivotal in this conflict that there are new sanctions being considered targeting Belarus as a result of its involvement.

Simultaneously, it's being reported that Russia did not expect this level of resistance and will need more weapons and supplies. 2/
It's not hard to see why Tetraedr would be a key intelligence target. It's not much of a leap to expect that one or more intelligence services have (had) access to the Tetraedr network for intelligence collection and possibly even later disruptive attacks if needed. 3/