John Wetzel
Author, counterspy, training and community lead @recordedfuture enabling security intelligence practitioners. Ally of blind and visually impaired community.
Mar 24, 2022 17 tweets 6 min read
So how do you *prevent* #insider threats?
Short answer is you don’t
Long answer is you spend a lot of money…and still don’t

But you CAN monitor, identify, and react to insiders and insider-like threats #lapsus$
(🧵)

I worked counterintelligence from 2003 to 2016 with US military and civilian agencies. In that time, I investigated, taught, and helped build insider threat programs. One big lesson learned: insider threats are usually caught from the outside. But how?
Mar 22, 2022 16 tweets 6 min read
LAPSUS$ is the group on everyone’s mind today, having just leaked data around a potential breach of #Okta, a widely-used SSO & identity provider. So let’s take some time to dive into #LAPSUS$, where they came from, how they’ve evolved, and how to defend against them.

LAPSUS$ appeared only a few months ago, in December 2021. They appear to be Brazilian-based or affiliated, going off of their initial targets and the languages used on their Telegram channels.
Mar 21, 2022 4 tweets 1 min read
The problem if you’re USG is something like this: you have good information that attacks are imminent but not enough to prevent attacks outright. What do you do?

US intelligence likely based estimates on a wide variety of sources, such as spies, intercepted comms, even implants of their own. So you could KNOW the orders have been given but not know specifics. Reading for nuance and details is key.
Mar 21, 2022 16 tweets 6 min read
Rumors that #lapsus$ ransomware group breached #Microsoft via an Azure DevOps panel posted to the group’s Telegram then subsequently taken down. Here’s a thread on the group operations, and how they seem to use #insider threat for access.

Lapsus$ has been on a tear, with recent breaches at Ubisoft and NVIDIA, where the group stole then posted data including code-signing certificates wired.com/story/lapsus-h…