Ryan McGeehan
Writes "Starting Up Security" @ https://t.co/Rv0MaSThQ1, tweets horror stories @badthingsdaily
May 2 7 tweets 2 min read
I'm looking at the Dropbox Sign incident 8-K disclosure.

They say there's no evidence of agreements being breached. Though, they mention that API Keys / OAuth tokens were accessed by a threat actor.

I'm just brainstorming, but here are some thoughts 🧵: I suspect this will be very difficult for them to investigate.

Here's why: They likely have a bunch of IOCs from the breach itself. That's granted; they've discovered it, so they have some amount of visibility into the technicals of the attack. One would hope, at least.
Apr 5, 2019 11 tweets 3 min read
I've been wanting to write this up for a bit, but I can probably put some notes here.

First, I've done day-long tabletops, and 1hr tabletops. I can't say a whole day really gets you that much more than what you can compress into a short timeframe.

/1

I view pure tabletop exercises on the "left" side of a practice spectrum with red teaming on the "right" side. You can look at the middle as some amount of semi-simulation where you pull some tools out, chase some fake leads with a group, etc. /2
Aug 1, 2018 9 tweets 2 min read
Here's how "SMS Intercept" works in practice. *Anyone* walks into *any* retail cellular store in the world, tells an employee to move *your* number to a new SIM.

The employee *verifies* that person. Your SMSs now go to a new phone.

That's just one way. Another way: Someone calls a phone company and says "I want to move my (read: *your*) number to this other carrier"

Your SMSs now go to a new phone.

That's one other way.