Director of Intel at @redcanary. SANS Certified Instructor for FOR578: CTI. Senior Fellow at @CyberStatecraft. She/her. Mastodon: @likethecoins@infosec.exchange
Feb 19, 2022 • 5 tweets • 2 min read
If it's not actionable, it's not intelligence. Yes, we should watch what's happening in Ukraine and orgs should prepare appropriately. However, vague warnings like "prepare for cyber attack!" aren't helpful. Here's what I recommend doing: 1. Go find your incident response plans.
2. Look at sources with helpful, actionable guidance like this @Mandiant guide: mandiant.com/resources/prot… and decide if you need to update your IR plans.
Jul 1, 2021 • 8 tweets • 3 min read
New report from NSA, CISA, FBI, and NCSC on a GRU brute force campaign media.defense.gov/2021/Jul/01/20…
Let's talk detection opportunities! Here a couple that stand out for me in their excellent TTPs table... reGeorg appears to be open source, so that's a good opportunity to dive into that and figure out how you'd detect it github.com/xl7dev/WebShel…
A brief thread on the @CrowdStrike blog on SUNSPOT...as I read it. This confirms CrowdStrike was one of SolarWinds' IR firms, which we'd heard rumblings of before.
Why do I talk about naming things so much? This is why! CrowdStrike DOES NOT CALL THE ADVERSARY A BEAR. They call this an activity cluster named StellarParticle. This is important. It's also important to note that this is a different name than Solorigate...
Jan 10, 2021 • 5 tweets • 2 min read
I've been trying to process the Capitol riots for days. @nytdavidbrooks' Friday commentary helped me work through what I feel. He noted how the Capitol is usually treated with reverence. That's how I acted when I was there. I spoke quietly and took time to reflect...
...on what the building and our democracy mean. To see rioters completely disregard and disrespect that disturbs me on a deep level. It felt like the low point of a slow decline of our democracy over the past 4 years. It felt surreal and like it wasn't the country I know & love.
Jan 10, 2021 • 8 tweets • 4 min read
Organizing thread! As I clean up my office, my latest project has been organizing stickers. Several got ruined because they were so disorganized. ☹️ I started with some drawer organizers I had, thinking they'd work...then I realized there was so much wasted space on the shelf!
I've been on a "drawer" kick, so I ordered another set of small drawers that I previously got to organize hardware/screws. Viola! So much better! I like to use dry erase markers first, then live with it for a bit before making permanent labels. Oversized stickers go on top.
Dec 23, 2020 • 19 tweets • 3 min read
I'm generally a pretty positive person, but it's Festivus, so let's blow off some steam and air our #threatintel grievances. Threat intel feeds are just data feeds, they're not threat intel. Please stop naming groups after malware, it's confusing AF.
Nation states are not countries. CC @cnoanalysisen.wikipedia.org/wiki/Nation_st…
Dec 18, 2020 • 14 tweets • 5 min read
A threat of thoughts + actionable detection ideas from the latest Microsoft #Solorigate post...microsoft.com/security/blog/… ... this is a sweet diagram and hopefully helps make clear the different ways you could be impacted. Not every victim makes it past initial C2.
I think a lot of this we already knew, but lmk if there are nuggets in here that popped out.
Dec 16, 2020 • 28 tweets • 16 min read
Happening NOW! You can still join us here, and I'll be live-tweeting what @Robert_Lipovsky and @adorais share. sans.org/webcasts/star-…
.@Robert_Lipovsky kicking off with something I believe as well...crimeware is a greater threat to most orgs than state-sponsored threats. Even this week!
Oct 28, 2020 • 19 tweets • 7 min read
I'll attempt to live tweet this awesome webcast from @Wanna_VanTa and @x04steve on Ryuk and UNCs behind them! Roughly 1/5 ransomware intrusions have been related to Ryuk. @Mandiant@sansforensics
Tracking Time to RYUK! This is a good metric to track as much as you can.
Mar 11, 2020 • 8 tweets • 2 min read
I hope everyone considers mental health as well as physical health right now - take account of how you're feeling as well those around you. I realized earlier this week I was feeling a little down, so here are a few things I've done to help me cope...what has helped you?
Limiting my exposure to coronavirus news. I've muted keywords on Twitter and asked Slacks to limit discussion to a single channel. I watch the news every evening so figure I will get significant news there, or I look at the latest news when I feel mentally up to it.
Dec 21, 2018 • 19 tweets • 8 min read
I want a list of all "cyber" indictments from the US DOJ and couldn't find one. Here are the 11 I have so far…which am I forgetting/getting wrong? (I’m using name/topic from the indictment as shorthand.) (1) May 2014 PLA Unit 61398 (justice.gov/opa/pr/us-char…) (1/n)
(2) March 2017 FSB (justice.gov/opa/pr/us-char…) (2/n)
Dec 21, 2018 • 14 tweets • 6 min read
I previously tweeted that a prior indictment was ~APT10. I was analytically lazy & wrong. So I want to highlight parts of the actual #APT10 indictment from today. First, DOJ used the term APT10. I can't recall other cases where DOJ has used an existing group name, can you? (1/n)
They also mentioned other group aliases. A reminder to consider @RobertMLee's valid points about how group names can't be exact overlaps due to different visibility and analysis methodology between companies (sans.org/webcasts/threa…). (2/n)