Jake Williams Profile picture
Breaker of software | GSE #150 | CTI/DFIR | @ians_security faculty | Bookings: jake at malwarejake dot com | He/him
Compuguy, See Pinned Tweet Profile picture Daniel O'Donnell Profile picture annamydlarz Profile picture TheNoirLoup Profile picture CharBAM Profile picture 6 subscribed
Sep 7, 2023 11 tweets 3 min read
Fantastic coverage of the Microsoft Storm-0558 post mortem from @lilyhnewman.

A few thoughts:
1. @msftsecurity is amazing. Investigations like this are amazingly complex and performed under pressure that few in the field will ever experience. 1/
wired.com/story/china-ba… And long before the investigation, there's the planning. Ensuring you have the data, with the retention, to perform an investigation like this doesn't happen by accident. It requires planning. And it also requires diplomacy. *Lots* of diplomacy. 2/
Jun 18, 2023 5 tweets 1 min read
If you're starting out in security and find the breadth of stuff you "need to know" daunting, I want to give you some perspective:
1. The field has broadened - dramatically. The "baseline knowledge" grows every year. Anyone saying otherwise is lying or uninformed. 1/ 2. You don't have to "know everything" to make a significant impact.
3. All the people you are looking up to now stand on the shoulders of giants, whether they admit it or not. I know I sure do.
4. Stop measuring yourself by what you don't know. You'll never know it all. 2/
Dec 5, 2022 5 tweets 2 min read
More notes: I'm aware of the CBS story stating that their experts reviewed a copy of the Biden laptop with no modification. I presume they received their copy from a different source, since their findings are inconsistent from mine and @matthew_d_green. 1/
cbsnews.com/news/hunter-bi… In the image I examined, it was clear from filesystem timestamps alone that files and folders had been opened and created long after it was abandoned at the shop. I'm confident any forensic analyst would see that, so it's easy to conclude we're looking at different evidence. 2/
Dec 3, 2022 12 tweets 3 min read
Regarding the Hunter Biden forensic analysis:
1. I personally am not a fan of the fact that it took so long to get an independent analysis of the data.
2. I wish the evidence had been made available, without strings, to reputable media organizations in 2020.
3. It wasn't. 1/n When political operatives shop evidence of a "bombshell story" weeks before an election, but dictate publication timelines as a condition of providing the evidence, skepticism is fully warranted.

Publishing without validation in that case is journalistic misconduct IMO. 2/
Jul 11, 2022 6 tweets 2 min read
Your airline pilot started in a single engine Cessna. Nobody called it gatekeeping. And before that, they learned lots of "mostly irrelevant" facts in ground training.

Cyber is one of the only fields where we pretend that skipping the basics is okay to put butts in seats. 1/4 Do you really want an incident responder that doesn't understand the implications of a "non-standard" subnet mask (whatever that actually means, don't get me started)? Sure, it's only like .1% of IR where that's relevant, but just highlighting an example. 2/4
May 29, 2022 4 tweets 2 min read
The new #msdt 0-day can be mitigated by removing the protocol handler for ms-msdt (reg delete hkcr\ms-msdt /f).

Disclaimer: I haven't checked for impacts in a large production environment, but seems better than being exploited. MSDT is just a diagnostic tool, so likely safe. When I say "haven't tested" I mean for second order impacts. I've tested that this is 100% effective as a mitigation.
May 29, 2022 10 tweets 4 min read
Okay, so playing the #msdt 0-day a bit and here's what's happening:
1. The maldoc contains a linked HTML document
2. Word automatically retrieves the linked HTML document, which contains JS to reset the location to an ms-msdt protocol handler, which is present by default 1/ 3. The protocol handler launches msdt, which launches a command using the IT_BrowseForFile parameter. The maldoc that triggered this whole event invokes this code (newlines and comments added). The doc was likely distributed with a .rar file. 2/
May 5, 2022 5 tweets 1 min read
I've had a chance, or let's say many catalysts, to think about friendship and what it really means.

True friends:
* Take that call even when it's not convenient
* Don't judge, because let's be real - we've all been there
* Try to make you laugh even when you'd rather not 1/ * Don't view things as transactional (e.g., what am I getting out of this?)
* Just listen if you need to vent
* Tell you the hard truth you honestly don't want to hear, even when they know speaking truth can harm the relationship
* Exemplifies empathy

I could go on, but... 2/
May 4, 2022 7 tweets 2 min read
In security, we talk a lot about CIA (confidentiality, integrity, and availability). Most of us also recognize the vast majority of the industry only cares about availability. When I call people on this, they always protest. This morning a great retort for this hit me. 1/ How often does IT refuse to update a security control (e.g. EDR agent) without testing because it might cause a compatibility issue (availability) and break something? Happens ALL THE TIME. "Can't upgrade until we test in every business unit for issues." 2/
Apr 15, 2022 9 tweets 2 min read
PSA 🧵 A threat actor "preparing for destructive cyberattacks" looks identical to "gaining access for intelligence operations." Like 100% identical. So much so that you *cannot* tell the difference. Be wary of anyone claiming they "know" a destructive attack is being prepared. 1/ Be similarly skeptical of anyone who claims they're sure a destructive attack *isn't* coming in a given situation.

I heard one such argument because "we saw them exfiltrating data, it's intelligence collection." If they're burning the network down, of course they'd exfil. 2/
Apr 7, 2022 10 tweets 4 min read
Quick 🧵on yesterday's FBI partial takedown of #CyclopsBlink.
1. Even for privacy types who fear government overreach (like me) this was a net positive. We should seek to degrade nation-state threat actor capabilities where it is possible to do so without collateral impact. 1/ 2. The fact that WatchGuard assisted in the operation is critical. Obviously they have a vested interest in helping, but that's beside the point. It provides a level of private sector oversight that's often lacking in government operations. 2/
Apr 2, 2022 7 tweets 1 min read
If you were starting a CTI program from the ground up at a new organization, what's the first thing you'd do? I wasn't poisoning the well with an answer yesterday, but here we go:
1. Identify the *real* stakeholders (often harder than it seems) - who is my executive sponsor? What do *they* care about?
2. Ask what types of products they will find valuable. 1/
Mar 28, 2022 5 tweets 1 min read
Quick 🧵on APT vs EDR (and other security tools): Advanced threat actors likely have more seat time evaluating your EDR than you do. They know what it catches in a default state - and more importantly, what it doesn't catch.

This means custom detections are CRITICAL. 1/ But lots of orgs don't want to take on the overhead of custom detections, usually because they think the vendor ruleset is good enough.

The vendor ruleset is good at detecting lots of stuff across a variety of environments with minimal false positives. Focus on the last part. 2/
Mar 24, 2022 12 tweets 3 min read
Let's decompose the comms from Okta about its compromise from the perspective of an incident responder and someone who has worked numerous incidents with third parties involved.

First, let's acknowledge that Okta itself is a victim. 1/
okta.com/au/blog/2022/0… As such, this isn't meant to target Okta for being a victim. It's to discuss how things were handled *after* it became clear that had been a compromise at a third-party servicer.

Some are making hay about Okta using a third-party servicer as if that itself is a big deal. 2/
Mar 17, 2022 6 tweets 1 min read
My friends, you cannot "automate cyber threat intelligence." Anyone claiming you can is selling you something, doesn't understand what CTI really is, or possibly both.

You CAN automate some CTI functions to provide the analyst higher quality data, but you still need people. 1/ This should make sense. True machine cognition just isn't something that exists today. Maybe it never will. So we're left with algorithms. And those algorithms are known to your adversaries. At least they are for any tool you buy (if you can buy/acquire it they can too). 2/
Feb 27, 2022 10 tweets 2 min read
As we gear up for Monday after seeing a weekend of conflict, nothing has changed in my assessment of the likelihood of Russian government-led destructive cyberattacks against US or EU commercial infrastructure. The risk remains low.

Russian cyber operators are too busy. 1/ By every account, Russia is not performing the way it expected to in Ukraine. Other countries are offering lethal aid (finally) to Ukraine. There's reporting that Putin has replaced key military leadership. Kosovo is asking for a permanent US base. 2/
reuters.com/world/europe/k…
Feb 26, 2022 9 tweets 2 min read
Quick thread about why action like this is counterproductive if you're not working with a government:
This is a weapons supplier in Belarus. You'll probably remember that Belarus was used as a staging ground for the Ukrainian invasion, they're not exactly neutral. 1/ They are seen as so pivotal in this conflict that there are new sanctions being considered targeting Belarus as a result of its involvement.

Simultaneously, it's being reported that Russia did not expect this level of resistance and will need more weapons and supplies. 2/
Feb 25, 2022 4 tweets 1 min read
Where are we at in the infosec community about restricting access to software, updates, SaaS, PaaS, etc. to Russian IP space? 1/4 As a corollary, should US/EU software providers actively enable cyber operators through malicious updates? Let me be clear I'm not advocating for this specifically, but I'm interested to know what others think. 2/4
Jan 20, 2022 9 tweets 2 min read
Quick public presenting tips:
* Know whether you're projecting or streaming and use appropriate slide templates for each. Dark backgrounds that look awesome streaming won't project worth a darn.
* Know your audience and connect with them using some common touch point 1/ * Plan less material than you think you'll need. It's FAR more common that you'll run long than run short. Even experienced presenters find themselves with too much material for the time allotted
* No eye chart screenshots if you intend for the audience to see something in it 2/
Sep 3, 2021 8 tweets 2 min read
A 🧵: This morning, I was in a @lyft when a car accelerated and made an aggressive last second lane change, cutting off my driver. My driver had to slam on the brakes and honked his horn. By the next light, it was obvious the dangerous driver was an off duty NYPD officer 1/ I know this because he changed lanes again and held back in his lane so he could be parallel to our car. The driver was an officer in uniform who was yelling and wildly gesticulating out the window at my driver. He was clearly pissed to say the least. 2/
Jul 22, 2021 8 tweets 2 min read
Given all the science denying, I mean "vaccine debates," I wanted to come clean about something:
At the beginning of the pandemic, I told my own daughter if they developed a vaccine in less than 12 months I'd be highly skeptical and probably wouldn't take it.

I regret that. 1/ A vaccine *was* developed rapidly and after looking at the science, it was undeniably safer than risking even an asymptomatic COVID case. Before anyone says "bah, you don't know the long-term risks of the vaccine" you're 100% right. Nobody does. 2/