Christopher Glyer
Microsoft Threat Intelligence Center - Former Incident Responder & Chief Security Architect @Mandiant
Jul 19 13 tweets 3 min read
🧵on the ongoing outage caused by Crowdstrike content update. Insights here mostly based on my time working on/helping build a competitor product Mandiant Intelligent Response\HX

First & foremost this sucks for both Crowdstrike & their customers - no one wants to see this happen

What happened? A security content update was released that caused the issue

Note: every security company pushes out content updates routinely. Depending on the architecture of software and type of update - each software vendor usually has unique processes for rolling these out
Sep 17, 2022 8 tweets 3 min read
One (potentially overlooked) aspect from today’s latest breach news is the recent trend of password stealer malware as the initial vector to gain access to orgs

See those “LOGID-“ files in screenshot? They are output files from password stealers (e.g. RedLine, raccoon stealer)

We discussed how DEV-0537/LAPSUS$ used this technique to gain initial access to a low privileged identity at targeted orgs in our ransomware ecosystem compendium
microsoft.com/security/blog/…
Mar 22, 2022 8 tweets 4 min read
The LAPSUS$ Group/DEV-0537 was not on my 2022 bingo card - given impact of their activities @MsftSecIntel wanted to detail unique blend of tradecraft. I've personally given dozens of threat briefings in the last few weeks

Here's a 🧵with my highlights
microsoft.com/security/blog/…

They monetize intrusions (some of them) through extorting orgs to prevent public data release. Nowadays we associate that with ransomware gangs but this isn't a new trend

Reminds me of investigation I led at South Carolina Department of Revenue in 2012
oag.ca.gov/system/files/M…
Sep 16, 2021 12 tweets 6 min read
There’s a lot to unpack in @MsftSecIntel’s latest blog on the CVE-2021-40444 vulnerability. Here’s a thread of some of the details that I think are notable

The volume of initial exploitation was limited. Most security orgs I talked to didn’t observe it directly in their telemetry

“In August…MSTIC identified a small number of attacks (less than 10) that attempted to exploit a remote code execution vulnerability in MSHTML”
Oct 9, 2020 14 tweets 3 min read
This shouldn’t be news to anyone, but human operated ransomware is a problem that has gotten completely out of control

The reasons are relatively straightforward: The cost to pay is often significantly less than cost to business impact from downtime

The “supply” of possible targets is significantly higher than traditional financial crime which have to target payment/gift cards, banks (or related orgs)

Monetization is also wayyyyy easier
Jul 25, 2020 12 tweets 3 min read
One of most undervalued aspects of incident response is incident documentation

In my experience as a consultant step 1 is interviewing client & reviewing whatever scattered notes 🔖📝they have about an incident & organizing it in a logical manner b/c most orgs do this poorly 🙈

Challenge is analysts (due to crisis) move fast to respond quickly & most orgs don’t experience impactful breaches often

This leads to scattered knowledge/understanding & each analyst documenting things in their own way that is efficient for them but not overall investigation
Mar 26, 2020 20 tweets 7 min read
After more than a decade - today is my last day @FireEye.

Taking a job @Mandiant was one of the best decisions I've ever made & I wanted to share some of the stories & experiences of what it was like as well as recognize some of the people that helped me learn and grow

When I started @Mandiant in 2009 the infosec space (it was called information security and not cyber security for starters) was so different from today. It was fairly rare for companies to get breached and when they did there was an amazing amount of stigma associated with that.
Mar 25, 2020 13 tweets 6 min read
BREAKING: APT41 initiated a multi-month global campaign at over 75 @FireEye customers attempting to exploit Internet facing systems using recently released exploits for Citrix NetScaler/ADC, Cisco Routers & Zoho ManageEngine.

fireeye.com/blog/threat-re…

I've been analyzing @FireEye's telemetry over the last few months for attempts to exploit CVE-2019-19781 (Citrix ADC) and this is the first campaign I was able to find and tie to a specific threat actor.
Jan 28, 2020 11 tweets 6 min read
We've all received emails with no attachment and assume it's "safe" to open in a mail client (as long as we don't explicitly click on any URLs). Right?

Not so much... Let's talk about email tracking pixels for a minute and how sales/marketing (as well as real threat actors) can use them to evaluate the success of an email marketing (or phishing) campaign...or for information gathering before sending a follow-up payload.

#DFIR #APT32
Jan 22, 2020 11 tweets 25 min read
BREAKING - To help organizations identify compromised systems with CVE-2019-19781, @FireEye & @Citrix have released a tool that searches for indicators of compromise associated with attacker activity observed by @Mandiant
fireeye.com/blog/products-…
github.com/fireeye/ioc-sc…

@FireEye @citrix @Mandiant The tool looks for both specific indicators of malware (coinminers, NOTROBIN and more) as well as methodology indicators that should generically identify compromise (e.g. processes spawned by user nobody, files with 644 user permission...etc.)
#DFIR
Oct 9, 2019 91 tweets 67 min read
I’m going to be live tweeting the #FireEyeSummit technical track chaired by @stvemillertime

First up is @HoldSecurity discussing how to harvest information from botnets

#FireEyeSummit
Mar 12, 2019 4 tweets 1 min read
Here’s the thing about the US Defense Industrial Base. The average person thinks of the largest companies (BAE, Boeing, General Dynamics, Lockheed Martin, Northrop Grumman, Raytheon, SAIC...etc.) when we think of who builds the missiles/tanks/ships/airplanes/satellites.
1/n The reality is the large defense contractors have enormous supply chains of sub contractors and suppliers - many of which are small(er) businesses that don’t have the size/resources/security maturity to adequately protect the data - that the bigger defense contractors have
2/n
Dec 20, 2018 24 tweets 16 min read
Long rumored @TheJusticeDept indictment of #APT10 is out. sc.cnbcfm.com/applications/c… Here are my observations/highlights from reading the indictment (channeling my inner @pwnallthethings):
-the indictment indicates #APT10 operations started in 2006 and went through 2018. The 2006 activity was likely focused on US Government, Military, and defense contractors

1/n
Oct 3, 2018 10 tweets 6 min read
"You've Got Mail"

@danielcabaniel @CyberAmyntas discussing email phishing and mail server attack trends

#FireEyeSummit

APT34 compromised a trusted partner org - and used that to abuse trust (convinced user to enable macros) and successfully phish victim

Subsequently staged data theft files on the Exchange server as .png files and downloaded from the server.

#FireEyeSummit
Oct 3, 2018 7 tweets 4 min read
.@TekDefense introducing our next talk about unmasking APT38 - a North Korean threat actor focused on financial attacks

Blog released today with more details
fireeye.com/blog/threat-re

#FireEyeSummit

APT38 targeted banks (SWIFT messaging initiated wire transfers you've read about in the news) and crypto currency exchanges (among other orgs)

#FireEyeSummit
Oct 3, 2018 5 tweets 3 min read
First up Matias and Adrian discussing investigating the threat actor that MSFT calls Platinum

...and right out of the gate the threat actor steals your EDR agent installer 😮 #SignsThisProbablyIsntAScriptKiddie

#FireEyeSummit

It's not often that you see ACI Shims used for persistence

#FireEyeSummit
Jul 18, 2018 8 tweets 3 min read
Remediation strategy in #DFIR is always a fun topic - with many opinions & not always a clear rule book to follow. It's like the English language: for every rule there are 5 exceptions. My views have evolved over time - from combo of experience & as monitoring tools have improved

If you catch attacker early in attack lifecycle - this one is pretty easy. Take action immediately before they get a strong foothold. Very few exceptions to this rule. Tipoffs you are early in attack lifecycle: malware owned by primary user of system or malware in startup folder
Jul 18, 2018 18 tweets 5 min read
I've been thinking about the recent conspiracy theory of "where is the physical DNC server".

Here is a thread on the "missing" DNC server and my experience/advice from conducting similar investigations.

First, some background for my comments. Over the last decade, I've personally led investigations at over 100 organizations & taught dozens of classes for both federal law enforcement and the private sector on incident response and digital forensics.
Dec 1, 2017 9 tweets 2 min read
Reading justice.gov/opa/pr/russian… today reminded me how I got my start in #DFIR in 2008 investigating FIN1. Let's take a walk down memory lane.

FIN1 (in my experience) has had a few major periods of activity (2007-2009, 2011-2012, and 2014-2015) - each with their own distinct set of TTPs. They've significantly improved their capabilities over the years (even though multiple members have been arrested)