Anthony Randazzo
Detection & response manager @expel_io. Interested in ☁️ threats. Previous @fireeye intel. LEGO enthusiast. Never finding good bourbon. Opinions mine.
Nov 23, 2020 5 tweets 3 min read
Mapped all of the Amazon GuardDuty Findings to @MITREattack. A bit more of an art than a science. Hopefully useful to some detection and response teams out there. See 🧵 for more detail 👇 github.com/amrandazz/atta…

There were a few discrepancies with existing Finding mappings and how I mapped them. I tried to document why I did what I did. Created image in @lucidchart and clearly not an artist (vdx available for those that are). Full res in GitHub with navigator json
Jul 7, 2020 9 tweets 2 min read
We spotted a new #AWS coin mining attack this weekend. Here's some of the interesting observations 🔎🔎🔎

📍Attacker had root access
📍Spun up 10 c5.4xlarge EC2s
📍Brought their own SSH keys 👀
📍Bot framework written in Golang

More tidbits 👇

It's entirely possible that the root access key was scraped and passed off to the bot to spin up miners right before this was detected, but didn't see any CLI, console or other interactive activity fortunately.
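Detection logic for the observations in this thread, as an added example that is not from the thread or from Expel: it runs a few rules over constructed CloudTrail-style events (root API use, a bulk launch of large instance types, a root ImportKeyPair, and a raw Go HTTP client user agent). The instance families, the bulk threshold and the user-agent heuristic are assumptions, not something the thread states.

```python
# Constructed CloudTrail-style events, trimmed to the fields the rules read.
SAMPLE_EVENTS = [
    {"eventTime": "2020-07-05T02:11:09Z", "eventName": "ImportKeyPair",
     "userIdentity": {"type": "Root"}, "userAgent": "Go-http-client/1.1",
     "requestParameters": {"keyName": "miner-key"}},
    {"eventTime": "2020-07-05T02:11:30Z", "eventName": "RunInstances",
     "userIdentity": {"type": "Root"}, "userAgent": "Go-http-client/1.1",
     "requestParameters": {"instanceType": "c5.4xlarge",
                           "instancesSet": {"items": [{"minCount": 10, "maxCount": 10}]}}},
    {"eventTime": "2020-07-05T14:00:00Z", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "deploy"}, "userAgent": "aws-cli/2.0.0",
     "requestParameters": {"instanceType": "t3.micro",
                           "instancesSet": {"items": [{"minCount": 1, "maxCount": 1}]}}},
]

LARGE_FAMILIES = ("c5.", "c5n.", "p3.", "g4dn.")  # assumed compute-heavy families worth flagging
BULK_THRESHOLD = 5                                # assumed: >= 5 instances in one RunInstances call

def launched_count(event):
    """Largest maxCount requested in a RunInstances call (0 if the call has none)."""
    items = event.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
    return max((int(i.get("maxCount", 0)) for i in items), default=0)

def evaluate(event):
    """Return the names of every rule this single event triggers."""
    hits = []
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    is_root = event.get("userIdentity", {}).get("type") == "Root"
    if is_root:                                   # root should not be making API calls at all
        hits.append("root-api-call")
    if name == "RunInstances":
        itype = params.get("instanceType", "")
        if launched_count(event) >= BULK_THRESHOLD or itype.startswith(LARGE_FAMILIES):
            hits.append("bulk-large-launch")
    if name == "ImportKeyPair" and is_root:       # attacker-supplied SSH key registered by root
        hits.append("root-key-import")
    if event.get("userAgent", "").startswith("Go-http-client"):
        hits.append("raw-go-client")              # assumption: a bare Go client, not the AWS SDK
    return hits

def detect(events):
    """Map eventTime -> rule hits for every event that triggered at least one rule."""
    results = {}
    for event in events:
        hits = evaluate(event)
        if hits:
            results[event["eventTime"]] = hits
    return results
```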
Apr 30, 2020 6 tweets 1 min read
A lot of people are intimidated by cloud security...that fear of the unknown. I used to be (and not long ago..) but it's actually not that complicated. Here are a few things to do to get started with #aws security from a blue team perspective 👇

Understand the basics. Learn the foundational services (EC2, VPC, RDS, EKS, Lambda)…AWS has tons of free training and documentation.