Unpopular opinion: I don't like the interview question "What do you do to improve your cybersecurity skills outside of work?" If anyone asks me this, in protest, I will answer "Sit on my ass and watch Netflix and eat cookies so I can come back the next day and crush it."
New blog post and start of a series! I know it's tough to get started in #CTI, especially if you don't have $ for formal training. I'm sharing a self-study plan that brings together links to free resources and a couple questions to consider for key topics.
This is an *extremely* cool reference from @CISAgov that breaks down the cost, impact, and complexity of implementing different security controls...plus TTPs addressed. This is awesome because it helps orgs prioritize! (h/t @MSAdministrator)
Today in my latest post, I share my top 10 recommendations for free resources to check out if you're getting started in #threatintel. I mixed it up with well-known classics as well as some lesser-known and newer sources - it was tough to choose just a few!
🍾 because I got the news that I am now a @SANSInstitute Certified Instructor! Taking a moment to celebrate even in tough times. This has been one of the most difficult yet rewarding challenges I've tackled. I wouldn't be here without the support of a LOT of people... (1/n)
The long-awaited Part 2 of my CTI self study plan is here! This one covers OSINT, pivoting, clustering/naming groups, and attribution. Enjoy! #ThreatIntelligence #CTI
If it's not actionable, it's not intelligence. Yes, we should watch what's happening in Ukraine and orgs should prepare appropriately. However, vague warnings like "prepare for cyber attack!" aren't helpful. Here's what I recommend doing: 1. Go find your incident response plans.
How do you prevent a ransomware attack? Our new content breaks down how the CERT NZ Critical Controls can help you stop a ransomware attack with a defence-in-depth application. See it here:
I have bittersweet news: today was my last day with MITRE, and tomorrow I start as a Principal Intelligence Analyst with @redcanaryco. It's really tough to leave my MITRE teammates, but I'm excited to join the awesome team at Red Canary! (1/n)
JUST PUBLISHED. Today, we wrote a blog post about an incident this month where we saw Bazar + Cobalt Strike. We took action to help a medical center avoid a #Ryuk #ransomware outbreak. We're sharing analytics that worked for us - we hope they help you too.
Remember how I was yelling about patching to log4j 2.15 and how we couldn't be friends if you didn't?
That, but now please patch to 2.16. 😬
(New patch fully disables JNDI and removes support for Message Lookups)
Someone asked me today about all the different jobs in cybersecurity and I rattled off 20+. Does anyone have a good resource describing potential jobs in cybersecurity or information security? I feel like I've seen a few resources around, but can't find them at the moment.
Overnight, there was a *third* Log4j vulnerability released, CVE-2021-45105:
Version 2.17.0 is now the most recent version that addresses all three vulnerabilities. I'm sorry.
Excellent new post on #DarkSide from @FireEye - lots of actionable detail here, thank you to the team! The good news is looking for a lot of these behaviors and tools will help you catch much more than just DarkSide.
I have some exciting news - I am a Senior Fellow with the Atlantic Council's Cyber Statecraft Initiative! Thank you to the @CyberStatecraft for the opportunity. I'm excited to help bridge policy & practice...while working with very smart people!
It's an honor to be recognized as a 2020 Difference Maker! I'm grateful that I've made some small difference in such a rough year. I couldn't do any of this without this awesome community (that's you!) and my amazing teammates and mentors. Congrats to all the other winners!
New blog post! I'm often asked about getting started in #threatintel, so I compiled my perspectives. Featuring career paths from @selenalarson, @chriscochrcyber, and @ForensicITGuy. What other questions should I answer? What different views do you have?
What an honor to win the Security Changemaker award at the @msftsecurity Excellence Awards! Thank you all for being part of changing this community for the better, and I'm grateful to play a small role in that. ♥️ #RSAC
I have some REALLY exciting news... this year's #CTISummit is FREE!!!!!! You can get more info and register here: , and don't forget our CFP is open - please submit your awesome talks! #threatintel #CTI #threatintelligence
Today we are releasing a new annual report highlighting #cybersecurity trends we have observed at Microsoft during the past year. More on Microsoft's Digital Defense Report in my blog:
A friend recently applied to a job posting that had a bunch of check boxes for skills. She fit all but one so didn't check it...and was auto-rejected, though she was qualified. She emailed them to nicely say "WTF?" and now has an interview. Lesson: be persistent + follow up!
An awesome young red teamer taking the OSCP asked a question that struck me: "If burnout is such a tough problem in the tech field, and especially security, why does @offsectraining push for this long, grueling, day-and-a-half-long exam?" Thoughts? I think he's right.
The FBI and our partners also announced the seizure of $6.1 million in funds traceable to alleged ransom payments received by Yevgeniy Polyanin, a Russian national who allegedly launched Sodinokibi/REvil #ransomware attacks against multiple victims.
I'm usually positive on Twitter, but I feel like I need to be honest about how it sometimes sucks to be a woman, especially in this field. I occasionally feel like guys are creepy toward me. Borderline stuff, not assault/anything blatant, but enough to make me uncomfortable.(1/n)
This month, I did things I was scared to do:
✔️ Left a team I love and a job I was great at
✔️ Started a new job where there's a lot I don't know
✔️ Gave a prezo in my new role
✔️ Taught in another country
✔️ Created a new workshop I wasn't sure would work
➡️ I MADE IT!!!! (1/2)
Intelligence teams have a superpower. We don't just say "you should do this", we get to say "you should do this BECAUSE...." This makes a big difference. "You should look for adfind because ransomware operators have used it for discovery" is more powerful than "Look for adfind".
The 2023 @redcanary Threat Detection Report is here! I'm very proud of our team for producing this report. Check it out, I hope you'll find actionable takeaways for your team!
Note that @CISAgov updated their bulletin today: . New info includes what I highlighted below and some new mitigations. The challenge I'm seeing for analysts now is keeping up with changes. An ask for all: please highlight and share any changes to products.
Uhh...just no. I haven't spent years coaching myself to be more direct just to have a random graphic I see on Twitter undo all that work. It's fine to be direct. If I say "Per my last email" I'm probably pissed, and you should know that.
NICKEL has targeted and compromised government organizations, diplomatic entities, and NGOs across 29 countries, largely in Latin America and Europe. MSTIC analysis, IOCs, detections and hunting queries for this China-based actor all in MSTIC’s new blog:
I know a lot of excellent people are looking for jobs right now. We have several openings at @redcanary, including my peer, Senior Director of Detection Engineering, and a Threat Hunter on a team I lead. I hope you'll consider applying or sharing.
"I'm speaking." What every woman who has ever been spoken over wants to say with the force @KamalaHarris just had. (Without being called any gendered insults...)
I saw some outstanding presentations at Derby, as well as some good ones that could have been outstanding with a few tweaks. Here's a quick thread on major things I saw.
#1. Bigger fonts. Aim for at LEAST 20 point, but ideally larger. If you're doing demos, use a zoom tool. (1/n)
I think this question perpetuates the unhealthy notion that we're expected to work all the time. Sure, I work a little on nights/weekends if I feel like it. But this shouldn't be expected. Some people can't do this. You can show passion DURING WORK HOURS.
There's a lot wrong with this piece by @allengwinn, but this part is particularly egregious. Everyone makes mistakes, and every org has security incidents. Good luck hiring anyone, because people matching this description don't exist.
Just a little Friday reminder that being a woman on the internet is awesome. 🤣 Good thing my appearance has zero impact on my thoughts on ransomware, huh? If you get comments like these, know that we all do. Ignore the noise, and keep being you.
How I try to approach cyber news as a CTI analyst:
1️⃣ Is the source reliable? If no, skim and move on.
2️⃣ Is it actionable for my consumers? If no, skim and move on.
3️⃣ Are my consumers asking about it? If yes, explain 1️⃣ and 2️⃣ and move on. We have a lot of other work to do.
I said it on @riskybusiness and I'll say it again: @CISAKrebs is awesome. He has the kind of character I endeavor to have. Speaking truth to power is a quality we should be so lucky to have in all public servants. Thanks for all you've done for the nation and community, Chris.
My boss said something useful to me: I'd rather have you do 100 things over the next few months than burn yourself out doing 20 things today. You can accomplish MORE over time if you stay at a manageable pace for you!
Good tips for dealing w burnout!
I’d add:
🔥Take an actual whole lunch hour away from work
🔥Treating work like a marathon vs sprint cause in my experience InfoSec is like rolling that rock uphill repeatedly...forever.
Precision of language is important. A vulnerability is a weakness that has to be exploited by a threat. You don't detect vulnerabilities - you detect the threats that exploit them.
Yes, the Conti leaks are interesting and analysts should look at them. But remember we don't know if the info was altered before leaking or if it's completely accurate. Intel analysts consider multiple sources before reaching an assessment. I highly recommend that approach.
Intrusions happen to everyone. This is a tough day for any company. Thinking of you @FireEye and @Mandiant folks! Hang in there and keep fighting the good fight.
Reminder: atomic indicators like hashes often aren't the best for detecting ransomware, esp in early stages. Behavioral analytics work. My teammates outlined a few approaches to catch common file exfil tools here: .
In threat intel, I see a lot of private critique of publicly-released blog posts and reports. Constructive criticism is important, but remember you're doing it from the cheap seats. It's easier to critique than it is to publish. Reach out to the authors to give them feedback!
A brief thread on the @CrowdStrike blog on SUNSPOT...as I read it. This confirms CrowdStrike was one of SolarWinds' IR firms, which we'd heard rumblings of before.
Well that's a new phishing style I haven't seen before... (Please don't visit this link unless you're a malware analyst on a VM!) I just got notification I was added to a "Removal Notice" list by "Twitter". Sure Jan.
This is interesting research that's worth reading. I'd encourage readers to also consider what's NOT here - these groups didn't use LLMs to make new malware or find zero-days. They used them to help research and write scripts. I'm not panicking about this...
Microsoft, in collaboration with OpenAI, is publishing research on emerging threats in the age of AI, focusing on identified activity associated with known threat actors Forest Blizzard, Emerald Sleet, Crimson Sandstorm, and others. Learn more:
We have new members on the Cyber Safety Review Board (CSRB). We thank the outgoing members for their work and look forward to inviting four new members. Learn more:
Compromises happen to everyone, and it's how you respond that matters. Nice work to @TalosSecurity for sharing a detailed blog post on what happened during their incident: - along with a clear statement:
I often cite the stat that women make up only 11% of the #infosec workforce. But it becomes so real when I'm constantly the only woman in the room. I adore my male colleagues, but this has got to change for the good of the industry. Let's do this. #womenintech #bethechange
With the heat index over 100 degrees, it's a great day to dive into @megan_roddie's new book! I love to see threat severity as part of the triage process. 🔥Threat Intelligence + Detection Engineering = ❤️!
I started a blog! For my first post, I share my thoughts on how I got out of my own way to find my voice. Enjoy, and stay tuned for future posts, including (fingers crossed) the cyber indictments list I keep meaning to put together.
This is cool. I like that @CISAgov regularly recommends private sector blogs. For a long time the US government suffered from "not invented here" syndrome, and I'm happy to see signs of change.
I don't know about y'all, but wow, I'm tired! It's been a long week/month/year. I try to be polite and understanding, but sometimes I fall short. I'm trying to remember that we are collectively EXHAUSTED before responding to people, especially on Twitter. Hang in there, everyone.
Impostor syndrome mitigation of the day: when you kick ass at something, write it down. Next time you're flipping out about how you suck and know nothing, consult your "why I kick ass" list. Having raw data can help the fight against your self-defeating brain. #impostorsyndrome
As you're reading this, note this point: adversaries likely had control of the AD server already. They were already in. There's a broader intrusion chain beyond just the wiper, it just isn't publicly known yet. I'm watching for any details on what happens BEFORE wiper deployment.
In one of the targeted organizations, the wiper was dropped via the default (domain policy) GPO meaning that attackers had likely taken control of the Active Directory server. 5/n
Here's a thread of resources where you can get up to speed on SCATTERED SPIDER, UNC3944, Oktapus, and Muddled Libra. (which we KNOW are not exact overlaps, but we're doing the best we can, okay??!?) Starting with @CrowdStrike, good one from @realparisi
I'm often asked how to go about starting a CTI team, so I wrote down a few high-level thoughts on what to consider. We also shared a few examples of how we've navigated these areas with our own @redcanary Intel Team as well. We hope this is helpful!
New blog from @likethecoins: While ingesting feeds of indicators or identifying state-sponsored adversaries can be part of your approach, cyber threat intelligence is a much broader field than any specific tool or data source.
The @redcanary 2022 Threat Detection Report is here! We're sharing our insights into trends, threats, and techniques in the hopes it helps you improve your security posture. Don't forget to check out the playlist too!
A thread of thoughts + actionable detection ideas from the latest Microsoft #Solorigate post... this is a sweet diagram and hopefully helps make clear the different ways you could be impacted. Not every victim makes it past initial C2.
I don't want to fangirl about @HuntressLabs too much, but I'm so grateful for their candid approach - this is what this community needs. Great webinar earlier today!
On my way to Singapore to teach #FOR578! One of the cool things about teaching is that I get to visit new places. I would love any recommendations on what I should see or do while there!
I am proud that I was part of the #RansomwareTaskForce that released a report on combating ransomware today. My thoughts are here: . And the report is here:
I'm generally a pretty positive person, but it's Festivus, so let's blow off some steam and air our #threatintel grievances. Threat intel feeds are just data feeds, they're not threat intel. Please stop naming groups after malware, it's confusing AF.
Exciting news - there are new FREE @MITREattack training courses through @cybraryIT! The courses are totally free, and the optional certifications through @MITREengenuity have a fee. Congrats to the team on making this happen!
Nice to have support for what many have pointed out for a while. Your energy is better spent on patching known vulns + ensuring robust post-exploitation coverage as opposed to panicking about zero-days.
I'm so excited to speak at @shmoocon this Friday! I'm striving to share some useful info in addition to ranting *just a bit* about a topic I'm very passionate about. 😄 6 pm ET in the main room, and yes, #ShmooCon is usually live-streamed and recorded!
I'm very happy to see this blog post from @FireEye on naming actors! If you're wondering why the actor behind the #SolarWindsOrion compromise is named UNC, read this.
Nice blog from @datadoghq on the OpenSSL vulnerability - their description and graphic helped me better understand how this works. (h/t @ForensicITGuy)
If you're still focusing on PrintNightmare, it's time to shift and look at this NOW. Multiple reports are coming out, leading to increasing confidence there is something bad happening here.
We are monitoring a REvil 'supply chain' attack outbreak, which seems to stem from a malicious Kaseya update. REvil binary C:\Windows\mpsvc.dll is side-loaded into a legit Microsoft Defender copy, copied into C:\Windows\MsMpEng.exe to run the encryption from a legit process.
Please don't retweet or trust random tweets from people on the Internet you don't know. (Including this one if you don't trust me.) Especially about threats exploiting #log4j. There's a lot of unverified junk that is just causing more fear, uncertainty, and doubt. NOT HELPFUL.
We released our @redcanary Threat Detection Report today! We hope it's useful to help you detect more adversaries. I wanted to highlight a couple things I'm excited about in a thread...
I don't know exactly how we handle this as a community. I do know when people like @magpie2800 and @chadloder speak up, I feel like I'm not alone and it's not just me. If we show compassion and believe women, I think we can all help make this better. (5/5)
It's here! I'm proud of the whole team who worked for months on this report. I hope y'all find it helpful, it's full of threat analysis and recommendations to take action to improve your security posture!
The 2024 Threat Detection Report is out! Featuring actionable insights for the most prevalent cyber threats and ATT&CK techniques your security team is likely to encounter. Read the full report now:
I was uploading my photo to a bunch of Slacks and decided to finally upload my "new" headshot here...it's been a year since it was taken, but I look pretty much the same. 😂 Don't worry, I promise I'm the same person, even though I don't have a blue check mark. Cough. 😉
Thank you all so much for coming to my #Shmoocon talk on threat modeling! You can check out my slides (complete with references) here: . Thanks to @heidishmoo, @gdead, and the amazing @Shmoocon volunteer crew for having me and making this event possible!