I'm considering calling them "on-prem employees" versus "cloud employees" to see if that helps make things a little bit more clear to people who are struggling to grasp remote work. I want to see people make the argument that on-prem is better.
Why I like OSCP as a baseline certificate for roles in my team: to have it, you need a variety of skills that are useful in my line of work. You need:
a bit of networking
a bit of binary analysis
a bit of intrusion methodology
a bit of intrusion techniques
a bit of information…
I'm not saying this to be mean; I'm saying it to make you better. A lot of what you try to solve as a novel problem has already been solved; you just don't read enough.
Anomalous behavior is how a lot of novel intrusions are found. Cliff Stoll — also not a security professional — pursued a $0.75 anomaly and unveiled a foreign intelligence operation. There's a reason why curiosity and tenacity are good characteristics for this work. It is also why…
I remember SolarWinds. I remember my teammates working insane hours while some of you circled social media like a bunch of sharks with chum in the water; I also remember the people who showed support.
It's not that entities should be free of criticism; it's that you act like…
The xz package, versions 5.6.0 to 5.6.1, was found to contain a backdoor. The impact of this vulnerability affected Kali between March 26th and March 29th. If you updated your Kali installation on or after March 26th, it is crucial to apply the latest updates today.
I'm hiring a Senior Researcher in the Netherlands to crush adversaries. Please retweet for reach.
This role will focus on Russian foreign intelligence threats with plenty of opportunities to pursue other priorities.
This role doesn't involve a lot of…
I'm looking for a highly technical threat researcher to join Adversary Operations' Advanced Research and Collection (ARC). This is a Mandiant Intelligence team.
ARC is the result of combining multiple teams from across the organization to explicitly focus on proactively
She is out of surgery; she did well; they did not detect cancer, which means she got to keep her ovaries, which is a big deal; she's heading to recovery. This is the best possible outcome given the circumstances.
I'm an intelligence expert. I can teach you anything I need you to know about intelligence. This is why I am more focused on recruiting people with raw technical skills in the domains intelligence will be used to support.
I don't need someone to be able to recite Heuer. I need…
If you look at the last identifiable hop from Russia into North Korea (188.43.225.153) and pull the PTR record for it, you will get Korea-Posts-gw.transtelecom.net. If you look for PTR records for *.transtelecom.net, there are some interesting results for many other entities. 🎯
@DannyWArmstrong @DefenceU @Eminem What's ridiculous is how Russia launched a war of their choosing and is getting turned into ground beef by shitposters.
"Don't do this manually; we will automate it."
Then the automation gets deprioritized; then the problem gets neglected; then one day you look at all the things that could have happened if you had not waited on that automation.
It is probably wise to ask to see the road map and…
If you're from a non-cyber related intelligence background, your focus will need to be on cyber, and I mean the basic fundamentals, and building upon them.
If you're from a non-intelligence cyber background, your focus will need to be on intelligence tradecraft, intelligence…
Google actually provides resume advice on their "How We Hire" page. While my personal blog on resume advice is entirely independent, it's nice to see many of the things are consistent. There's something to that.
My wife now has her A+, Network+, and Security+ and is neck deep in her degree program. She started from ground zero. Her next course involves nmap and Wireshark. That's so cool.
I'm proud of her. Brilliance in the basics. I'm pumped she's at a spot where we can start talking…
I'm going to be looking for a technical researcher to focus on Russian cyber threats with a primary emphasis on intrusion operations in the very near future. This won't be an entry level position, and I will expect you to be engaged like you're supporting a war effort. I will
I know people are job hunting. As a manager, I see a lot of resumes, and virtually all of them are not great. In the past I've done resume advice threads, but then I decided just to capture my thoughts in a blog: Flexing your ARMs for a better resume.
It isn't new or news, and it isn't that surprising. However, if you use Signal on your desktop, your content, including messages, is stored on disk in an encrypted sqlite database. The key is stored in plaintext as well. If an attacker has access to that system, they have access
If you're a newcomer to a profession and you have aspirations to be in the top ten percent, you likely may have to work harder than your peers. It is really easy to read the thought leaders profess about chill work ethic, but I bet most of them busted their ass in the beginning…
The Cuckoos Egg by Cliff Stoll was way ahead of modern intrusion investigation and cyber threat intelligence. There's even a snippet in there about cyber extortion. This book came out in the 80s. I read it a couple years ago, but I wished I would have read it decades ago.
I would offer you a deviation from this take: stop trying to "solve" security and instead focus on increasing costs for adversaries in the most cost effective way for the defended entities.
There's no finish line in security; you're either winning, losing, or lost.
I think it's high time we stopped fucking around and pretending security is working. We've been getting high severity vulnerabilities every couple of days for the last 6-7 months; it's not even funny anymore.
No amount of 100% coverage will save you. So let's get a grip and stop…
All of you nerds stop right now and go peruse this document. It will help you articulate to your bosses why they need to invest in security initiatives.
Please ensure that you amplify people's job hunts. No one is guaranteed their position in any organization; no amount of talent and work ethic will save you if your organization decides to go a different direction. Do for others what you hope would be done for you.
Men, do yourself a favor:
Don't attempt to conceal superficial things from your date. Anyone worth your time doesn't care about what kind of phone you have. If you get down selected for the type of phone you have, they did you a solid.
Mandiant Intelligence is pleased to bring you 🇰🇵APT43, a prolific cyber operator that supports the interests of the North Korean regime. We believe APT43 funds itself through cybercrime to support its primary mission of collecting foreign intelligence.
Attribution matters. I was still in the government, and I was attending a talk by Kevin Mandia. He was answering a question about whether attribution matters. He stuck to his guns that it did. I made the decision right there that I was going to go work for Mandiant. I don't say…
LinkedIn has some of the most lunatic cyber security takes I have ever seen.
Someone just said "most hacks are inside jobs." This has to be derived from people calling successful social engineering and other unwitting/accidental "insider threat" scenarios — another reason I hate…
You would think that I have read this frequently recommended book by @KimZetter, but I haven't. I've owned it for years but haven't made the time to dive in. I'll start today. Kim is a well respected and connected reporter who digs in. I've liked her other work, so I'm curious to…
@DAlperovitch I will argue the system has been this way for decades and the greatest Russian information operation has been convincing so many that they are stronger than they are.
Even in dream jobs, there's usually some aspect of the job that you don't like. That's what the money is for. I always referred to those things as eating your vegetables, and that phrase caught on.
That phrase means doing the things that are necessary for the health of the team…
My last combat deployment I was pretty spent; I deployed basically back to back to back to back etc. between Iraq and Afghanistan. I knew the war was mismanaged; I knew I was testing fate. My daughter was born, and three days later I was on a plane headed to a place I had already…
"Let me sell you all the cloud collaboration thingies that enable globally distributed teams to thrive."
"Now, get your ass back in the office, hippy."
I'm going to beat this matter to death. Geographically dispersed organizations are inherently remote. If you tell me you cannot manage a remote or blended remote organization, what you are communicating to me is you cannot manage geographically dispersed organizations. That's a…
The overwhelming majority of adversaries that are relevant threats to the majority of organizations are using known and published tools and methodologies, but information security Twitter will go on a binge about the sophistication of apex actors that frankly are only relevant to…
My team sprinted the last twelve months and led a major transformation. I couldn't be more proud. Today, we begin another journey. I will be joining my team with and leading the Adversary Methods' Research and Discovery (RAD) team. Bringing these two teams together is a great…
I got confronted at RooCon over two things:
1) The fact that I'm unapologetically pro-United States and how that alienates some who otherwise like my commentary.
2) My takes on offensive security tool publishing.
Both were positive in my opinion. On the first, I get it, but I…
Alright so now that she's made it full on public, we appreciate all the support we have received. Also, make sure you all make time for your health. 🙏🏼
Very interesting - NCA says that whilst searching through seized servers of LockBit they found data belonging to some victims who had already paid the gang's ransom. So - more evidence that paying these criminals does not mean that your data is deleted as they promise.
I've been a long time advocate and defender of remote work, and I have no shortage of reasons for why. I had an epiphany recently though:
If you're a manager that cannot manage remote employees, how on earth do you expect to manage more complex, geographically distributed…
My wife read this as part of her book club; it was recommended by our friend and former neighbor who was a cryptanalyst in the FBI. I'm going to read it today, because what @cithomsec described sounded good. Based on what she said, I am expecting investigation, cryptography,…
My wife's book club is becoming more like my book club apparently. 😂
Has anyone read this? What she's describing while scratching my back seems interesting. It was recommended by a former FBI Cryptanalyst friend.
She just asked me "have you heard of NetworkMiner?" @netresec 😂…
A lot of great people are losing their employment. I hate seeing it. No one is promised employment. No one is immune to the massive culling happening in industry. I have always sustained that attitude. My approach is stay focused on the mission, do not act insecure, control what
Numerous talks today discussing the lack of malware in intrusions. That means a lack of attributable binaries in the environment, where the activity that is malicious is less distinguishable from legitimate users. Defenders are forcing adversaries to operate this way, which is…
Welcome back from break! @Big_Bad_W0lf_ and Mike Worley are up next to discuss disruptive activity by Sandworm. You can read more about it in their complementary blog:
#CYBERWARCON
*Has idea for C2*
*Begins Exploring*
*Wonders if anyone has tried*
*Finds a project*
*Clicks on the users homepage*
*Clicks on the users Twitter*
*Sees they follow my account*
*Sees they are Mandiant*
I can't make this up.
😂
In terms of priority, I'm highly skeptical of focusing detection on vulnerability exploitation. Post-exploitation is more consistent and will help you detect intrusions that involve zero day exploitation.
If you're already dominating post-exploitation (you probably aren't),
Shocker news, but if you're building detections, don't focus on the new and shiny as it probably won't affect you. Instead prioritize building the fundamentals of detection such as renamed sys binaries, susp child processes, exec from susp locations, etc. These will help you forever
On a previous team I led, I set the expectation that to be promoted to a specific level, the person would need to rotate to each of our other teams as part of an existing rotation program. The reason was to ensure they had the diversity of experience to lead at the next level.
Banger from @NicoleBeckwith. I assign tasks to my leaders, and I encourage my team to assign tasks to me. It's actually a blessing, because that's one less thing I didn't have to write down. Also, management, leadership, and obstacle clearing is real work. 🫶🏼
Link to original…
It's not the first time I thought about this, but I expanded my thought today driving home:
The thing that makes elite organizations elite is high standards. You can in fact have a bunch of elite individuals—high performers, etc, but unless you have institutional high standards,…
I'm seeing studies linking hospital deaths to ransomware incidents. As I've said for years now, we should be physically hunting these perpetrators down, and not just with law enforcement. I want them to go to sleep every night concerned about being physically harmed.
Just like the government suffers from overclassification, the private sector suffers from over categorizing things TLP:RED.
Really, between two organizations, you should be sharing at TLP:AMBER+STRICT or lower. TLP:RED is individual point-to-point, which is ridiculous for…
I know a lot of people are working on their resumes. These are my thoughts on how to make your resume stand out. Flexing your ARMs for a better resume.
What are the hot command line tools that you believe are underrepresented out here? Binary Refinery is one that I feel is still lesser known. If you, like me, were hoping for a command line version of CyberChef, check this project out:
There has to be someone that will see this post that has a good answer: what programs teach things like data visualization such as this? Like, if you wanted to become well versed in the types of visualization tools, what would you pursue?
If you look at the post-exploitation methodologies and tools across most relevant intrusions, you can see trends and prioritize your countermeasures there. There's little point in trying to detect the latest ransomware. If it lands on your endpoints, you missed a lot precursors.
It shouldn't be controversial to be anti-Hamas, but a lot of people are struggling with that right now. You can add whatever grievances you have with the Israeli government, but if you can't condemn Hamas, you should work on yourself until you can. Hamas needs to be erased.
Regular reminder that you should not assume that the work you and your colleagues do is visible. I struggle with this like anyone else.
Also, if you are working cross organizationally, and you are talking about that work, deliberately make the effort to name your conspirators.
My wife agrees with my take from a decade ago: the Network+ examination is harder than the Security+ examination. I've seen people suggest that because they have Security+ they didn't/don't need to "waste their time" with Network+ and I disagree. Networking is the fundamentals.
I'm giving lots of takes this morning. Here's one more. Nothing you've done in computer land gives you the right to be shitty to other people. Your computer achievements aren't really that big of a deal in the grand scheme of things anyways. Check yourself.
I came from the business where it was expected that the enemy would get one over on you occasionally. Someone would get blown up or shot in the face.
Even though I've been in the private sector for almost seven years now, I'm still amazed at how unrealistically expectant people…
If you are one of the entities that had working exploits for CVE-2024-3400 and didn't publish, thank you, and I would love to highlight your organizations. I'm tracking @TrustedSec, @GreyNoiseIO (@_mattata), @bishopfox. Who else?
"This book is about how a third world country used the technology of the world's greatest power to dominate it economically and – perhaps – strategically as well." 🔥
If you attack and disrupt U.S. critical infrastructure, people should be physically coming for you. If it's not feasible to put you in a cell, then other means of permanent threat reduction.
This should not be a conversational statement, but people still have reservations about…
On forward gripping rifles, I used a vertical foregrip for a bit in the early days. Then I adopted C-Clamp with no foregrip attachment with a long barrel/long rail. Then I rocked a Magpul Angled Foregrip that was as far forward as possible (protruding off the rail a bit), because I was…
Managers need to be more creative in assessing candidates that lack a lot of position-relevant experience. There are some characteristics of people that are indicative of a high performer regardless of what you point them at.
Some of my best hires were low experience hungry…
If hiring managers and HR started to realize that they should be hiring new cybersecurity talent based upon someone's potential instead of solely examining their past, we wouldn't have a near 3 million person shortage in the field.
I've mentioned this before, but I have a loosely held belief that threat-specific "experts" have a natural tendency to inflate the threat they specialize in.
How many people do you know put all that energy into a topic only to say "it's no big deal."
I don't look at them as…
Offensive Security folks: what vendors do you cite as having the best general offensive training? I know there are more niche courses that are broken out into discrete packages. You can cite those too, such as "for exploitation of *specific things*, vendor."
For general purpose,…
I know a lot of people are looking for jobs right now. As a manager, I see a lot of resumes, and a lot of them would benefit from the advice I wrote here:
#infosecjobs