Jake Williams Profile picture
Jul 11 6 tweets 2 min read
Your airline pilot started in a single engine Cessna. Nobody called it gatekeeping. And before that, they learned lots of "mostly irrelevant" facts in ground training.

Cyber is one of the only fields where we pretend that skipping the basics is okay to put butts in seats. 1/4
Do you really want an incident responder that doesn't understand the implications of a "non-standard" subnet mask (whatever that actually means, don't get me started)? Sure, it's only like .1% of IR where that's relevant, but just highlighting an example. 2/4
I don't have the answers for "how much knowledge is enough" for a given task. But given the number and cost of ongoing security incidents, I suspect that if we don't answer the question, regulatory (read licensing) boards will answer for us. 3/4
What I know for sure is that most bootcamps and degree programs leave graduates woefully underprepared for their jobs.

Most SMBs hiring don't know this. How would they? They initially just trust the credential. This is why medical licensing became a thing. #foodForThought 4/4
Also, for the record I knew I was going to take fire for posting this.

I'm comfortable with that. It needs to be said.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Jake Williams

Jake Williams Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @MalwareJake

May 29
The new #msdt 0-day can be mitigated by removing the protocol handler for ms-msdt (reg delete hkcr\ms-msdt /f).

Disclaimer: I haven't checked for impacts in a large production environment, but seems better than being exploited. MSDT is just a diagnostic tool, so likely safe.
When I say "haven't tested" I mean for second order impacts. I've tested that this is 100% effective as a mitigation.
FYSA. I haven't seen this on my test system yet, but in any case I'm still okay recommending removing the handler until I have another mitigation. Considering there will likely be a patch for this released long before relicensing is required.
Read 4 tweets
May 29
Okay, so playing the #msdt 0-day a bit and here's what's happening:
1. The maldoc contains a linked HTML document
2. Word automatically retrieves the linked HTML document, which contains JS to reset the location to an ms-msdt protocol handler, which is present by default 1/
3. The protocol handler launches msdt, which launches a command using the IT_BrowseForFile parameter. The maldoc that triggered this whole event invokes this code (newlines and comments added). The doc was likely distributed with a .rar file. 2/
4. I don't have the ".rar" file, but we can still tell what it's doing. The findstr command is looking for "TVNDRgAAAA" which means it's looking for a base64 encoded string beginning with "MSCF" which is the file header for a .cab file.
5. The expand command unpacks the .cab 3/
Read 10 tweets
May 5
I've had a chance, or let's say many catalysts, to think about friendship and what it really means.

True friends:
* Take that call even when it's not convenient
* Don't judge, because let's be real - we've all been there
* Try to make you laugh even when you'd rather not 1/
* Don't view things as transactional (e.g., what am I getting out of this?)
* Just listen if you need to vent
* Tell you the hard truth you honestly don't want to hear, even when they know speaking truth can harm the relationship
* Exemplifies empathy

I could go on, but... 2/
I've certainly failed at many of these points over the years.

Going forward, I'll be trying to do all these things in my friendships. If I've failed you specifically, I'm deeply sorry. If you've been there for me, I'm eternally grateful. 3/
Read 5 tweets
May 4
In security, we talk a lot about CIA (confidentiality, integrity, and availability). Most of us also recognize the vast majority of the industry only cares about availability. When I call people on this, they always protest. This morning a great retort for this hit me. 1/
How often does IT refuse to update a security control (e.g. EDR agent) without testing because it might cause a compatibility issue (availability) and break something? Happens ALL THE TIME. "Can't upgrade until we test in every business unit for issues." 2/
But once the software is upgraded, how often do you see teams say "okay, now that we've updated, let's validate it's still catching everything we expect it to?" Almost never. We delay upgrades/updates, often increasing risk of a compromise to maximize availability. 3/
Read 7 tweets
Apr 15
PSA 🧵 A threat actor "preparing for destructive cyberattacks" looks identical to "gaining access for intelligence operations." Like 100% identical. So much so that you *cannot* tell the difference. Be wary of anyone claiming they "know" a destructive attack is being prepared. 1/
Be similarly skeptical of anyone who claims they're sure a destructive attack *isn't* coming in a given situation.

I heard one such argument because "we saw them exfiltrating data, it's intelligence collection." If they're burning the network down, of course they'd exfil. 2/
In fact, it's intuitive to think that bulk intelligence collection could even accelerate before a destructive attack. They won't likely regain access to these networks in the immediate future and there's no incentive to be low and slow at this point in most cases. 3/
Read 9 tweets
Apr 7
Quick 🧵on yesterday's FBI partial takedown of #CyclopsBlink.
1. Even for privacy types who fear government overreach (like me) this was a net positive. We should seek to degrade nation-state threat actor capabilities where it is possible to do so without collateral impact. 1/
2. The fact that WatchGuard assisted in the operation is critical. Obviously they have a vested interest in helping, but that's beside the point. It provides a level of private sector oversight that's often lacking in government operations. 2/
Now I'm mot an idiot. I know the FBI gets the final say in anything being done. But if they were abusing this access in any way during the op, there's a 1000% chance that will eventually leak given the private sector involvement. 3/
Read 10 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(