Discover and read the best of Twitter Threads about #NoEasyBreach

Most recents (3)

OK so this is my last week at @Mandiant / @FireEye 😢

Here's the truth:
♥️ Joining Mandiant was the best decision of my career – the people & company have been SO good to me
🧠 Many of the brilliant minds in security are here & we have FUN every day

1/8
💻🔍 There is no better professional #infosec experience than responding to the intrusions that matter & defending at-scale alongside awesome people. If you have the chance to work here – .
🗓️ One year here is worth many more in experience. So here are some highlights:
2/8
☕️ Doing LRs & writing decoders during my first Mandiant breach response - with #APT17's HIKIT & also BLACKCOFFEE malware using technet for C2: fireeye.com/blog/threat-re…
💰 I was fortunate to lead the first IR for the group that would come to be known as #FIN7
3/8
Read 9 tweets
@cglyer @matthewdunwoody @FireEye @r00tbsd @SecurityBeard @CyberAmyntas @sj94356 @bread08 @DHSgov @CISAKrebs @CISAgov @riskybusiness @shmoocon @mattifestation @_devonkerr_ @williballenthin @cteo13 @Mandiant @gentilkiwi @PyroTek3 @NotMedic @DerbyCon @TalBeerySec Next on the show we talked #APT29's early adoption of cross-platform scripting language backdoors. Their primary backdoor in 2014's #NoEasyBreach was the Python-based implant we call SEADADDY.

Every day or two, they'd move to 10 new systems, dropping SEADADDY on 9 of them.

35/n
Read 6 tweets
In my experience, once an attacker is tipped off to a response, a few things can happen. What happens likely depends on where they are in their mission, mission priority, tolerance for being publicly identified, etc. It also likely depends on how badly they think they're burned.
A victim identifying a phishing doc or phishing backdoor doesn't necessarily mean the op is blown. In fact, it may give the victim a false confidence if they found the initial infection but didn't follow lateral movement. Same if an attacker loses a couple of implants out of many
However, trying to remove large numbers of implants and missing some, CURLing all of their C2 from your network, uploading several post-exploit backdoor samples to VT, discussing the intrusion in email, etc. - those are things that are more likely to elicit a response.
Read 9 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!