Clarify something for new folks to #CTI: the sexy capabilities you think of from producers (government or commercial) are not exactly the same skills you need in a #BlueTeam #defender role for CTI. Your org needs you to interpret it for them. That's important. Start there.
Can we agree that “learn Linux” is just dumb? It’s non-specific advice that isn’t helping junior folks. Learn what in Linux? Just be a Linux user? Deploy a web server? Deploy a tool? Same w/ “learn wireshark/Splunk/Snort/etc”. Tell new people actionable topics & skills to learn.
@klrgrz Congratulations on the new opportunity and a big thank you from phamily! We’re proud to have another #phiaalum contributing significantly to the cyber community in a different capacity.
If I could only recommend one book for #infosec, I’d probably say this is it. The book includes a great introduction to intrusion analysis, incident response, and security operations planning.
#BlueTeam
#CTI
#RequiredReading
Showed little man some of the @RealTryHackMe challenges yesterday. This morning he asked if we could do some more so we signed him up with his own account and he’s working through the intro lessons.
When folks want to get into infosec and don’t know a direction, I generally point them towards Sec+ material. It covers a broad range of topics and is often a gatekeeper in hiring systems. I also point them to SANS Cyber Aces material.
Any specific go-to resources I’m missing?
I get this a lot from sysadmins and network engineers: "I want to get into infosec". Like, you're already there! Do your job to secure the network. Sysadmins and network engineers have farrrrrr greater opportunity for security in their daily tasks than a SOC or a Sec Engineer.
Uncomfortable truth, you don't need to be working in a SOC to be in infosec. Network engineers and sysadmins do just as much infosec as your highly paid security analysts. They directly implement security, from firewall rules to system configurations.
Be nice to your sysadmins.
Hey #CTI Twitter, what are the “must read” APT reports you assign to new analysts coming into the field? Mandiant’s APT1 report is an obvious choice. I’m also a big fan of Threat Connect’s “What’s in a Name Server” because it demonstrates infrastructure analysis well.
I’m trying to say this in the most non-hipster way possible:
I only want human-curated threat intel.
Automated feeds are killing the CTI community. Automation should be how we share, not how “intel” is produced.
GWOT vets: unless you wore stars on your shoulders, this isn’t our failure. We did our part. Our tactical success can’t be taken away. Our losses matter too. This is a strategic failure and doesn’t reflect on our service at all. I’m proud to have served with every one of you. 💙
I’ve done a lot of projects in my time, but this one I’m most proud of because my son (16) did a lot of the work with me. Not just “hand me that tool” stuff. He picked boards, measured & cut, and installed them. We both put some sweat equity into this one, thankfully no blood!
Cyber threat intel - learn SOC/IR processes. Your SOC is your collection, understand their visibility & how to exploit the data from their tools. The job isn’t reading threat reports. It’s about being able to apply them to your network & write them from your own collection.
What is your profession within the cybersecurity field (or IT field!) and what is your most helpful tip for those who are trying to level up to where you are at?
I think blue team needs to learn from red team and start asking for scoping documents from management. Fill out this form: “What systems do you expect us to monitor AND what is our authority to configure/manage them?”
The GoldiLocks CTI Program idea has rattled around in my head for like two years... it's been turned down for multiple cons, so you'd think it would stop burning a hole in my brain eventually, but noooo... so I finally wrote it down. Enjoy, I guess.
I don’t think my kid’s generation understands the beauty of having parents that also play video games
Kids: just let me finish this round first
Me: of course
My parents 20 years ago: turn that shit off now!
Apparently my talking point “threat hunting isn’t proactive” struck a nerve today. Let me explain…
You’re not “creating or controlling a situation by causing something to happen”. You are finding evidence of activity after it happened; that is reactive. It just feels proactive.
Threat assessments are nearly useless without considering a specific target/victim. For governments & large corporations, China is probably the bigger threat. For most businesses, it ain’t APTs at all, it’s cybercrime w/ ransomware leading that pack.
Want to see a crazy trade?
Yesterday, someone OPENED $SPLK 127 calls, for $22,000, expiring tomorrow.
Then today Cisco Systems $CSCO announced acquiring Splunk for $28B, $SPLK up 20%.
The contracts were $0.04 yesterday, now $18.30.
They exited today for a 45,650% return...
If you know a Marine, please read them all of the “Happy Birthday Marine” posts today. It’s their day, they shouldn’t have to struggle with reading the big words themselves.
PROTIP: Notepad++ has a bunch of cool native tools in the edit menu you should explore. I use this stuff multiple times a week.
The plugins system also has a bunch of useful tools others have built. Trust me, you're not the first person with your problem!
This actor should be behind bars, not given their own persona and super hero character. Seriously bad form that’s only going to encourage more larpers to do badness on nights and weekends.
Creating more Splunk dashboards isn’t helping anyone. Check the 500 your org already created and now ignore. Stop confusing activity with productivity.
This is a threat to watch. My concern is elevated because this variant is a more powerful AcidRain variant, covering more hardware and operating system types.
Also “set up a lab and play around!” Wut. We can give better guidance and point to better resources than “here are random words newbie, good luck on your own!”
Today is my last day with @XForce, after 2 amazing years. I am blessed by the friendships I’ve made & the cool projects we’ve worked on - like multiple reports exposing Russia’s capabilities & targeting of global allies (f!ck Putin!). I’m humbled to have led X-Force Threat Intel.
I picked up a bunch of new followers this week from a few different posts about infosec career stuff. Welcome. Just so we’re all clear, I’m also a complete dork and will do stupid stuff like this to make my wife cringe.
Aiden (14) is rehabbing an old Dell tower. He’s installed new RAM, a new SSD, and is currently making a bootable USB with Ubuntu. He runs his first successful Terminal command and says “I did it! I hack the things!” 😂
Hunting is probably the single most effective teacher for CTI analysts. You are forced to learn a lot and to eat your own dog food - you’re finally a consumer of your own intel product and you really get to test your understanding of threat actor capabilities.
As a combat veteran that spent two years in Baghdad, and as a Northern Virginia resident, it breaks my heart to see our nation’s capital set up like the damn Green Zone because of domestic threats. We have to be better than this.
In the Before Times, I had a tense conversation with a client about WFH.
Them: “if you’re not in the office, how do we know if you’re working.”
Me: “if your only measure of success is my butt in a seat, you have serious process issues.”
I think about that convo a lot still.
Just passed my final requirement for the @SANS_EDU Masters program!!! Seriously an awesome program, incredible coursework in every class, and amazing instructors. I’m going to miss my student advisor and the program!
Yep I’m #hiring
- Mid/Senior SOC Analyst (2nd shift)
- ISSO
- All Source (Cyber) Analyst
All three require a TS clearance and are on-site in DC (no remote).
DMs open.
#infosecjobs
This guy never ceases to amaze me. Check out @thecybermentor's new course bundles. These deals are amazing and his courses are awesome. I recommend them for anyone in infosec.
Working out today in the garage...
Bella: wanna race?
Me: let me catch my breath
Bella: well daddy, I run and breathe at the same time. It's helpful.
#DFIRfit
#6yearOldPersonalTrainer
I’m trying to not freak out, but my son just told me that he’s signing up for a weightlifting class for PE and a cybersecurity program for his junior year of high school (next year!)
I am so damn excited for both decisions but don’t want to overreact 😂
I don’t know who needs to hear this, but the Downloads folder is not an acceptable method for knowledge management.
... Okay I needed to hear this as I deleted like six months worth of downloaded files.
@chadloder Much like troops deploying, it's important to separate support for the heroes from the politics that deploy them. (Not saying that you're doing this, but it's an easy next step in logic).
I’m hiring a Detection Analyst to write & manage the signature, rules, & alert logic for a client in Northern Virginia or Raleigh NC. Currently remote w/ future on-site required (location matters). Requires Public Trust (we sponsor). PD up soon, DMs open.
#infosecjobs
#infosec
I love #mentoring people. But please give me some basic info if you reach out. Where are you coming from, where are you at, and where do you want to go? I can do a lot with that. I can't do much with "hey how do i cyberz"
#infosec
#threatintel
#careeradvice
#helpmehelpyou