Andrew Thompson
@ImposeCost
Followers
34,241
Following
1,336
Media
1,281
Statuses
12,744
Head of Research and Discovery @Mandiant / @GoogleCloud . Understanding and countering adversaries. Posts attributable to me—not my employer.
United States
Joined June 2017
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
#IanxSB19xTerry
• 272964 Tweets
#MOONLIGHT_MVTeaser
• 136185 Tweets
Rio Grande do Sul
• 116309 Tweets
Boeing
• 101794 Tweets
Suho
• 86184 Tweets
RPWP CONCEPT PHOTO 2
• 57854 Tweets
プロフェッショナル
• 56611 Tweets
joongdunk love workpoint
• 39527 Tweets
青山先生
• 29967 Tweets
عدنان البرش
• 26208 Tweets
#無責任でええじゃないかLOVE
• 25413 Tweets
Indonesia vs Irak
• 19379 Tweets
YOUNG K
• 16054 Tweets
VACHSS
• 14783 Tweets
I'm considering calling them "on-prem employees" versus "cloud employees" to see if that helps make things a little bit more clear to people who are struggling to grasp remote work. I want to see people make the argument that on-prem is better.
44
167
1K
Disable deleting browser history and InPrivateMode on Microsoft Edge on your children's computers with two registry edits.
27
102
705
This is a long time coming. 🇷🇺APT44: Unearthing Sandworm:
14
172
483
Why I like OSCP as a baseline certificate for roles in my team: to have it, you need a variety of skills that are useful in my line of work. You need:
a bit of networking
a bit of binary analysis
a bit of intrusion methodology
a bit of intrusion techniques
a bit of information…
25
30
419
I'm not saying this to be mean; I'm saying it to make you better. A lot of what you try to solve as a novel problem has already been solved, you just don't read enough.
24
53
404
The cyber security industry has done more to advance cyber criminal operations than it has to thwart them.
What's your unpopular cybersecurity opinion that gets a reaction like this?
381
86
471
28
28
355
The DPRK 🇰🇵 has one autonomous system and a very small amount of IPV4 addresses. It has no IPV6 address space.
9
55
342
Anomalous behavior is how a lot of novel intrusions are found. Cliff Stoll —also not a security professional — pursued a $0.75 anomaly and unveiled a foreign intelligence operation. There's a reason why curiosity and tenacity are good characteristics for this work. It is also why…
3
49
345
I remember SolarWinds. I remember my teammates working insane hours while some of you circled social media like a bunch of sharks with chum in the water; I also remember the people who showed support.
It's not that entities should be free of criticism; it's that you act like…
10
24
330
I know this doesn't impact any offensive security professionals, because they review every line of code before executing.
The xz package, starting from version 5.6.0 to 5.6.1, was found to contain a backdoor. The impact of this vulnerability affected Kali between March 26th to March 29th. If you updated your Kali installation on or after March 26th, it is crucial to apply the latest updates today.
47
1K
3K
13
29
329
I'm hiring a Senior Researcher in the Netherlands to crush adversaries. Please retweet for reach.
This role will focus on Russian foreign intelligence threats with plenty of opportunities to pursue other priorities.
This role doesn't involve a lot of…
14
166
295
I'm looking for a highly technical threat researcher to join Adversary Operations' Advanced Research and Collection (ARC). This is a Mandiant Intelligence team.
ARC is the result of combining multiple teams from across the organization to explicitly focus on proactively
20
100
291
She is out of surgery; she did well; they did not detect cancer, which means she got to keep her ovaries, which is a big deal; she's heading to recovery. This is the best possible outcome given the circumstances.
Surgery day! I’m having a total hysterectomy for a tumor that is growing inside my uterus. Hopefully it is benign and recovery will be quick.
16
1
67
42
2
285
I'm an intelligence expert. I can teach you anything I need you to know about intelligence. This is why I am more focused on recruiting people with raw technical skills in the domains intelligence will be used to support.
I don't need someone to be able to recite Heuer. I need…
26
16
250
👏🏼The 👏🏼 U.S. 👏🏼 Government 👏🏼 Should 👏🏼 Be 👏🏼 Demanding 👏🏼 Heads 👏🏼 For 👏🏼 Ransoming 👏🏼 Health 👏🏼 Services 👏🏼.
15
39
249
If you look at the last identifiable hop from Russia into North Korea (188.43.225\.153), pull a the PTR record for it, you will get Korea-Posts-gw.transtelecom\.net. If you look for PTR records *.transtelecom.net, there's some interesting results for many other entities. 🎯
The DPRK 🇰🇵 has one autonomous system and a very small amount of IPV4 addresses. It has no IPV6 address space.
9
55
342
5
27
217
@DannyWArmstrong
@DefenceU
@Eminem
What's ridiculous is how Russia launched a war of their choosing and is getting turned into ground beef by shitposters.
4
5
206
"Don't do this manually; we will automate it."
Then the automation gets deprioritized; then the problem gets neglected; then one day you look at all the things that could have happened if you had not waited on that automation.
It is probably wise to ask to see the road map and…
10
13
207
If you're from a non-cyber related intelligence background, your focus will need to be on cyber, and I mean the basic fundamentals, and building upon them.
If you're from a non-intelligence cyber background, your focus will need to be on intelligence tradecraft, intelligence…
6
16
203
Google actually provides resume advice on their "How We Hire" page. While my personal blog on resume advice is entirely independent, it's nice to see many of the things are consistent. There's something to that.
3
60
203
My wife now has her A+, Network+, and Security+ and is neck deep in her degree program. She started from ground zero. Her next course involves nmap and Wireshark. That's so cool.
I'm proud of her. Brilliance in the basics. I'm pumped she's at a spot where we can start talking…
9
1
199
I'm going to be looking for a technical researcher to focus on Russian cyber threats with a primary emphasis on intrusion operations in the very near future. This won't be an entry level position, and I will expect you to be engaged like you're supporting a war effort. I will
5
67
173
I know people are job hunting. As a manager, I see a lot of resumes, and virtually all of them are not great. In the past I've done resume advice threads, but then I decided just to capture my thoughts in a blog: Flexing your ARMs for a better resume.
6
46
168
It isn't new or news, and it isn't that surprising. However, if you use Signal on your Desktop, your content including messages are stored on disk in an encrypted sqlite database. The key is stored in plaintext as well. If an attacker has access to that system, they have access
7
33
167
If you're a newcomer to a profession and you have aspirations to be in the top ten percent, you likely may have to work harder than your peers. It is really easy to read the thought leaders profess about chill work ethic, but I bet most of them busted their ass in the beginning…
7
33
163
The Cuckoos Egg by Cliff Stoll was way ahead of modern intrusion investigation and cyber threat intelligence. There's even a snippet in there about cyber extortion. This book came out in the 80s. I read it a couple years ago, but I wished I would have read it decades ago.
15
28
159
Who are you hiding from and why? Most of the people who are "OPSEC" obsessed on social media do not have good answers to these questions when pressed.
67
13
157
I would offer you a deviation from this take: stop trying to "solve" security and instead focus on increasing costs for adversaries in the most cost effective way for the defended entities.
There's no finish line in security; you're either winning, losing, or lost.
I think it's high time we stopped fucking around and pretending security is working. We've been getting high severity vulnerabilities every couple of days for the last 6-7 months it's not even funny anymore.
No amount of 100% coverage will save you. So let's get a grip and stop…
25
16
188
7
28
151
All of you nerds stop right now and go peruse this document. It will help you articulate to your bosses why they need to invest in security initiatives.
1
31
152
Please ensure that you amplify people's job hunts. No one is guaranteed their position in any organization; no amount of talent and work ethic will save you if your organization decides to go a different direction. Do for others what you hope would be done for you.
2
26
149
Men, do yourself a favor:
Don't attempt to conceal superficial things from your date. Anyone worth your time doesn't care about what kind of phone you have. If you get down selected for the type of phone you have, they did you a solid.
11
14
142
Mandiant Intelligence is pleased to bring you 🇰🇵APT43, a prolific cyber operator that supports the interests of the North Korean regime. We believe APT43 funds itself through cybercrime to support its primary mission of collecting foreign intelligence.
3
57
136
Yesterday I learned that airport on MacOS can be used to sniff 802.11 frames right out of the air in monitor mode without any after market equipment.
7
11
138
Attribution matters. I was still in the government, and I was attending a talk by Kevin Mandia. He was answering a question about whether attribution matters. He stuck to his guns that it did. I made the decision right there that I was going to go work for Mandiant. I don't say…
8
16
137
LinkedIn has some of the most lunatic cyber security takes I have ever seen.
Someone just said "most hacks are inside jobs." This has to be derived from people calling successful social engineering and other unwitting/accidental "insider threat" scenarios —another reason I hate…
22
10
136
You would think that I have read this frequently recommended book by
@KimZetter
, but I haven't. I've owned it for years but haven't made the time to dive in. I'll start today. Kim is a well respected and connected reporter who digs in. I've liked her other work, so I'm curious to…
12
9
132
I work remote, my team works remote, and we will keep working remote.
12
2
133
@DAlperovitch
I will argue the system has been this way for decades and the greatest Russian information operation has been convincing so many that they are stronger than they are.
6
9
128
Even in dream jobs, there's usually some aspect of the job that you don't like. That's what the money is for. I always referred to those things as eating your vegetables, and that phrase caught on.
That phrase means doing the things that are necessary for the health of the team…
8
20
128
My last combat deployment I was pretty spent, I deployed basically back to back to back to back etc between Iraq and Afghanistan. I knew the war was mismanaged; I knew I was testing fate. My daughter was born, and three days later I was on a plane headed a place I had already…
7
5
127
"Let me sell you all the cloud collaboration thingies that enable globally distributed teams to thrive."
"Now, get your ass back in the office, hippy."
2
5
125
Listen, there's people you interact with in offensive security twitter that perform work for enemies of the United States. Facts. Stop being so naive.
18
9
120
I'm going to beat this matter to death. Geographically dispersed organizations are inherently remote. If you tell me you cannot manage a remote or blended remote organization, what you are communicating to me is you cannot manage geographically dispersed organizations. That's a…
7
13
123
The overwhelming majority of adversaries that are relevant threats to the majority of organizations are using known and published tools and methodologies, but information security Twitter will go on a binge about the sophistication of apex actors that frankly are only relevant to…
12
29
121
My team sprinted the last twelve months and led a major transformation. I couldn't be more proud. Today, we begin another journey. I will be joining my team with and leading the Adversary Methods' Research and Discovery (RAD) team. Bringing these two teams together is a great…
13
4
122
I got confronted at RooCon over two things:
1) The fact that I'm unapologetically pro-United States and how that alienates some who otherwise like my commentary.
2) My takes on offensive security tool publishing.
Both were positive in my opinion. On the first, I get it, but I…
11
4
122
Everyone who lives in a place where you're not constantly worrying about a war breaking out should count your blessings.
3
13
111
Alright so now that she's made it full on public, we appreciate all the support we have received. Also, make sure you all make time for your health. 🙏🏼
Surgery day! I’m having a total hysterectomy for a tumor that is growing inside my uterus. Hopefully it is benign and recovery will be quick.
16
1
67
18
1
117
It's just fucking wild to me that Putin is a divisive partisan topic.
11
7
115
👇🏽 They didn't delete your data.
Very interesting - NCA says that whilst searching through seized servers of LockBit they found data belonging to some victims who had already paid the gang's ransom. So - more evidence that paying these criminals does not mean that your data is deleted as they promise.
15
141
515
7
24
114
I've been a long time advocate and defender of remote work, and I have no shortage of reasons for why. I had an epiphany recently though:
If you're a manager that cannot manage remote employees, how on earth do you expect to manage more complex, geographically distributed…
13
15
114
My wife read this as part of her book club; it was recommended by our friend and former neighbor who was cryptanalyst in the FBI. I'm going to read it today, because what
@cithomsec
described sounded good. Based on what she said, I am expecting investigation, cryptography,…
My wife's book club is becoming more like my book club apparently. 😂
Has anyone read this? What she's describing while scratching my back seems interesting. It was recommended by a former FBI Cryptanalyst friend.
She just asked me "have you heard of NetworkMiner?"
@netresec
😂…
3
1
29
6
13
114
It must be some iteration of the curse of knowledge bias, but it's highly prevalent in the information security and open source communities.
1
32
109
A lot of great people are losing their employment. I hate seeing it. No one is promised employment. No one is immune to the massive culling happening in industry. I have always sustained that attitude. My approach is stay focused on the mission, do not act insecure, control what
8
12
108
Numerous talks today discussing the lack of malware in intrusions. That means a lack of attributable binaries in the environment, where the activity that is malicious is less distinguishable from legitimate users. Defenders are forcing adversaries to operate this way, which is…
Welcome back from break!
@Big_Bad_W0lf_
and Mike Worley are up next to discuss disruptive activity by Sandworm. You can read more about it in their complementary blog:
#CYBERWARCON
1
9
33
6
18
108
We're suppose to be communicating about the cyber better than this by now:
"JPMorgan Chase fights off 45 billion hacking attempts each day"
21
12
107
*Has idea for C2*
*Begins Exploring*
*Wonders if anyone has tried*
*Finds a project*
*Clicks on the users homepage*
*Clicks on the users Twitter*
*Sees they follow my account*
*Sees they are Mandiant*
I can't make this up.
😂
3
7
106
I'm terms of priority, I'm highly skeptical of focusing detection on vulnerability exploitation. Post-exploitation is more consistent and will help you detect intrusions that involve zero day exploitation.
If you're already dominating post-exploitation (you probably aren't),
Shocker news but if you're building detections don't focus on the new an shiny as it probably won't affect you. Instead prioritize building the fundamental of detection such as renamed sys binaries, susp child processes, exec form susp locations, etc. These will help you forever
7
41
170
5
13
107
On a previous team I led, I set the expectation that to be promoted to a specific level, the person would need to rotate to each of our other teams as part of an existing rotation program. The reason was to ensure they had the diversity of experience to lead at the next level.
10
4
104
Banger from
@NicoleBeckwith
. I assign tasks to my leaders, and I encourage my team to assign tasks to me. It's actually a blessing, because that's one less thing I didn't have to write down. Also, management, leadership, and obstacle clearing is real work. 🫶🏼
Link to original…
7
14
105
Buddy, Edward Snowden sucks. If you still haven't figured that one out yet, keep working on it. 😂
7
8
103
It's not the first time I thought about this, but I expanded my thought today driving home:
The thing that makes elite organizations elite is high standards. You can in fact have a bunch of elite individuals—high performers, etc, but unless you have institutional high standards,…
11
10
103
I'm seeing studies linking hospital deaths to ransomware incidents. As I've said for years now, we should be physically hunting these perpetrators down, and not just with law enforcement. I want them to go to sleep every night concerned about being physically harmed.
9
16
101
Just like the government suffers from overclassification, the private sector suffers from over categorizing things TLP:RED.
Really, between two organizations, you should be sharing at TLP:AMBER+STRICT or lower. TLP:RED is individual point to point which is ridiculous for…
11
12
103
I know a lot of people are working on their resumes. These are my thoughts on how to make your resume stand out. Flexing your ARMs for a better resume.
3
15
100
Some big wisdom in this. Don't use this as an excuse to not do metrics; be more mindful about the limits of data, and also don't be imprisoned by it.
5
17
102
What are the hot command line tools that you believe are underrepresented out here? Binary Refinery is one that I feel is still lesser known. If you were like me hoping for a command line version of CyberChef, check this project out:
3
25
102
There has to be someone that will see this post that has a good answer: what programs teach things like data visualizations such as this. Like if you wanted to become well versed in the types of visualization tools, what would you pursue?
17
9
102
If you look at the post-exploitation methodologies and tools across most relevant intrusions, you can see trends and prioritize your countermeasures there. There's little point in trying to detect the latest ransomware. If it lands on your endpoints, you missed a lot precursors.
I really like this overview of an anatomy of a ransomware attack by
@uuallan
at
@BSidesMelbourne
🤩
2
24
125
1
18
101
It shouldn't be controversial to be anti-Hamas, but a lot of people are struggling with that right now. You can add whatever grievances you have with the Israeli government, but if you can't condemn Hamas, you should work on yourself until you can. Hamas needs to be erased.
7
5
96
Regular reminder that you should not assume that the work you and your colleagues do is visible. I struggle with this like anyone else.
Also, if you are working cross organizationally, and you are talking about that work, deliberately make the effort to name your conspirators.
5
14
100
Adversaries are focused on outcomes; the information security community is focused on novelty.
10
15
98
My wife agrees with my take from a decade ago: the Network+ examination is harder than the Security+ examination. I've seen people suggest that because they have Security+ they didn't/don't need to "waste their time" with Network+ and I disagree. Networking is the fundamentals.
20
4
95
She's doing great.
I’m being discharged from the hospital today. Feeling a little sore but not too bad. Can’t wait to sleep in my own bed.
2
1
41
5
0
96
I'm giving lots of takes this morning. Here's one more. Nothing you've done in computer land gives you the right to be shitty to other people. Your computer achievements aren't really that big of a deal in the grand scheme of things anyways. Check yourself.
3
17
94
Real talk, we need more non-nerds to learn nerd stuff, because the nerds continue to demonstrate they don't actually understand security.
21
7
92
I came from the business where it was expected that the enemy would get one over on you occasionally. Someone would get blown up or shot in the face.
Even though I've been in the private sector for almost seven years now, I'm still amazed at how unrealistically expectant people…
11
11
92
If you are one of the entities that had working exploits for CVE-2024-3400 and didn't publish, thank you, and I would love to highlight your organizations. I'm tracking
@TrustedSec
,
@GreyNoiseIO
(
@_mattata
)
@bishopfox
. Who else?
4
11
91
"This book is about how a third world country used the technology of the world's greatest power to dominate it economically and – perhaps – strategically as well." 🔥
9
15
90
If you attack and disrupt U.S. critical infrastructure, people should be physically coming for you. If it's not feasible to put you in a cell, then other means of permanent threat reduction.
This should not be a conversational statement, but people still have reservations about…
9
6
88
This is what I'm running these days.
On forward gripping rifles, I used a vertical foregrip for a bit in the early days. Then I adopted C-Clamp no foregrip attachment with a long barrel/long rail. Then I rocked a Magpul Angled Forgrip that was as far forward as possible (protruding off the rail a bit), because I was…
3
0
11
15
3
89
I believe this was the last check. A lot of good news personally and professionally yesterday. 🫶🏼
4
0
88
Managers need to be more creative in assessing candidates that lack a lot of position relevant experience. There's some characteristics of people that are indicative of a high performer regardless of what you point them at.
Some of my best hires were low experience hungry…
if hiring managers and HR started to realize that they should be hiring new cybersecurity talent based upon someone’s potential instead of solely examining their past, we wouldn’t have a near 3 million person shortage in the field
161
262
2K
8
11
85
Now someone has redefined APT as contractor and not government employees, which is awkward considering the history. Folks, stop making shit up.
17
10
86
I've mentioned this before, but I have a loosely held belief that threat-specific "experts" have a natural tendency to inflate the threat they specialize in.
How many people do you know put all that energy into a topic only to say "it's no big deal."
I don't look at them as…
11
10
85
Offensive Security folks: what vendors do you cite as having the best general offensive training. I know there's more niche courses that are broken out into discrete packages. You can cite those too, such as "for exploitation of *specific things*, vendor."
For general purpose,…
14
12
84
I know a lot of people are looking for jobs right now. As a manager, I see a lot of resumes, and a lot of them would benefit from the advice I wrote here:
#infosecjobs
7
15
82