If it's not actionable, it's not intelligence. Yes, we should watch what's happening in Ukraine and orgs should prepare appropriately. However, vague warnings like "prepare for cyber attack!" aren't helpful. Here's what I recommend doing: 1. Go find your incident response plans. 2. Look at sources with helpful, actionable guidance like this @Mandiant guide: mandiant.com/resources/prot… and decide if you need to update your IR plans.

New report from NSA, CISA, FBI, and NCSC on a GRU brute force campaign media.defense.gov/2021/Jul/01/20… Let's talk detection opportunities! Here a couple that stand out for me in their excellent TTPs table... reGeorg appears to be open source, so that's a good opportunity to dive into that and figure out how you'd detect it github.com/xl7dev/WebShel…

Can't attend the #CTISummit live? Check out this thread of AMAZING graphic recordings by @mindseyeccf of various talks. Video recordings and slides will be available if you register here: sans.org/event/cyber-th… #CTISummit

A brief thread on the @CrowdStrike blog on SUNSPOT...as I read it. This confirms CrowdStrike was one of SolarWinds' IR firms, which we'd heard rumblings of before. Why do I talk about naming things so much? This is why! CrowdStrike DOES NOT CALL THE ADVERSARY A BEAR. They call this an activity cluster named StellarParticle. This is important. It's also important to note that this is a different name than Solorigate...

I've been trying to process the Capitol riots for days. @nytdavidbrooks' Friday commentary helped me work through what I feel. He noted how the Capitol is usually treated with reverence. That's how I acted when I was there. I spoke quietly and took time to reflect... ...on what the building and our democracy mean. To see rioters completely disregard and disrespect that disturbs me on a deep level. It felt like the low point of a slow decline of our democracy over the past 4 years. It felt surreal and like it wasn't the country I know & love.

Organizing thread! As I clean up my office, my latest project has been organizing stickers. Several got ruined because they were so disorganized. ☹️ I started with some drawer organizers I had, thinking they'd work...then I realized there was so much wasted space on the shelf! I've been on a "drawer" kick, so I ordered another set of small drawers that I previously got to organize hardware/screws. Viola! So much better! I like to use dry erase markers first, then live with it for a bit before making permanent labels. Oversized stickers go on top.

I'm generally a pretty positive person, but it's Festivus, so let's blow off some steam and air our #threatintel grievances. Threat intel feeds are just data feeds, they're not threat intel. Please stop naming groups after malware, it's confusing AF. Nation states are not countries. CC @cnoanalysis en.wikipedia.org/wiki/Nation_st…

A threat of thoughts + actionable detection ideas from the latest Microsoft #Solorigate post...microsoft.com/security/blog/… ... this is a sweet diagram and hopefully helps make clear the different ways you could be impacted. Not every victim makes it past initial C2. I think a lot of this we already knew, but lmk if there are nuggets in here that popped out.

Happening NOW! You can still join us here, and I'll be live-tweeting what @Robert_Lipovsky and @adorais share. sans.org/webcasts/star-… .@Robert_Lipovsky kicking off with something I believe as well...crimeware is a greater threat to most orgs than state-sponsored threats. Even this week!

I'll attempt to live tweet this awesome webcast from @Wanna_VanTa and @x04steve on Ryuk and UNCs behind them! Roughly 1/5 ransomware intrusions have been related to Ryuk. @Mandiant @sansforensics Tracking Time to RYUK! This is a good metric to track as much as you can.

I hope everyone considers mental health as well as physical health right now - take account of how you're feeling as well those around you. I realized earlier this week I was feeling a little down, so here are a few things I've done to help me cope...what has helped you? Limiting my exposure to coronavirus news. I've muted keywords on Twitter and asked Slacks to limit discussion to a single channel. I watch the news every evening so figure I will get significant news there, or I look at the latest news when I feel mentally up to it.

I want a list of all "cyber" indictments from the US DOJ and couldn't find one. Here are the 11 I have so far…which am I forgetting/getting wrong? (I’m using name/topic from the indictment as shorthand.)
(1) May 2014 PLA Unit 61398 (justice.gov/opa/pr/us-char…) (1/n) (2) March 2017 FSB (justice.gov/opa/pr/us-char…) (2/n)

I previously tweeted that a prior indictment was ~APT10. I was analytically lazy & wrong. So I want to highlight parts of the actual #APT10 indictment from today. First, DOJ used the term APT10. I can't recall other cases where DOJ has used an existing group name, can you? (1/n) They also mentioned other group aliases. A reminder to consider @RobertMLee's valid points about how group names can't be exact overlaps due to different visibility and analysis methodology between companies (sans.org/webcasts/threa…). (2/n)