Discover and read the best of Twitter Threads about #apt29

Most recent (2)

Remediation strategy in #DFIR is always a fun topic - with many opinions & not always a clear rule book to follow. It's like the English language: for every rule there are 5 exceptions. My views have evolved over time - from a combo of experience & as monitoring tools have improved.
If you catch the attacker early in the attack lifecycle - this one is pretty easy. Take action immediately before they get a strong foothold. Very few exceptions to this rule. Tipoffs you are early in the attack lifecycle: malware owned by the primary user of the system or malware in the startup folder.
Opposite end of the spectrum - if the attacker has been there for months/years - it will take at the very (and I mean very) least a few days to get a bare-minimum handle on infected systems & how they are accessing the environment. The bigger challenge is the client's ability to take "big" remediation steps.
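The two "early in the attack lifecycle" tipoffs named in the thread (malware owned by the host's primary user, malware dropped in a Startup folder) can be turned into a small triage pass over collected file artifacts. The following is an added example, not code from the thread's author; the `Artifact` record, the assumption that the collector reports NTFS owner and a known primary user per host, and the sample artifacts are all constructed for illustration. It matches both the per-user (`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`) and all-users (`%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup`) locations, since both share the same trailing path.

```python
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Trailing path shared by the per-user and all-users Windows Startup folders,
# lower-cased for case-insensitive matching.
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"


@dataclass(frozen=True)
class Artifact:
    """One suspicious file as reported by a (hypothetical) collector."""
    host: str
    path: str          # full path of the file on the host
    owner: str         # NTFS owner, DOMAIN\\user form, as the collector reports it
    primary_user: str  # account that normally logs on to this host (assumed known)


def in_startup_folder(path: str) -> bool:
    """True if the path sits in a user or all-users Startup folder.

    ntpath.normpath converts forward slashes and resolves '.' / '..' so the
    check works on paths collected with either separator.
    """
    return STARTUP_MARKER in ntpath.normpath(path).lower()


def owned_by_primary_user(a: Artifact) -> bool:
    """True if the file's NTFS owner is the host's usual interactive user."""
    return a.owner.lower() == a.primary_user.lower()


def early_lifecycle_tipoffs(a: Artifact) -> list[str]:
    """Return the thread's early-stage indicators that apply to this artifact."""
    reasons = []
    if in_startup_folder(a.path):
        reasons.append("startup-folder persistence")
    if owned_by_primary_user(a):
        reasons.append("file owned by host's primary user")
    return reasons


def triage(artifacts: list[Artifact]) -> tuple[list, list]:
    """Split artifacts into 'act now' (any tipoff) and 'scope further' (none).

    An empty reasons list does not prove the intrusion is old; it only means
    these two cheap heuristics did not fire, so the host needs wider scoping
    before remediation.
    """
    act_now, scope_further = [], []
    for a in artifacts:
        reasons = early_lifecycle_tipoffs(a)
        (act_now if reasons else scope_further).append((a, reasons))
    return act_now, scope_further


# Constructed sample input: three artifacts from three hosts.
SAMPLE_ARTIFACTS = [
    Artifact("ws01",
             r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs",
             r"CORP\jdoe", r"CORP\jdoe"),
    Artifact("ws02",
             r"C:\Users\asmith\Downloads\invoice.exe",
             r"CORP\asmith", r"CORP\asmith"),
    Artifact("srv01",
             r"C:\Windows\System32\svchost64.dll",
             r"NT AUTHORITY\SYSTEM", r"CORP\admin"),
]


if __name__ == "__main__":
    act_now, scope_further = triage(SAMPLE_ARTIFACTS)
    for a, reasons in act_now:
        print(f"ACT NOW     {a.host}: {a.path} ({', '.join(reasons)})")
    for a, _ in scope_further:
        print(f"SCOPE FIRST {a.host}: {a.path}")
```

In the sample, `ws01` fires on both tipoffs and `ws02` on ownership alone, so both go to the immediate-action bucket; the SYSTEM-owned DLL in `System32` on `srv01` fires on neither and lands in the scope-further bucket, which is the case the thread says needs days of work before "big" remediation steps.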
Some observations about Russian #APT29, after dealing with them for years (my views, not my employer's):
#APT29 has used generic phishing emails, like "efax notification". They work on gullible users and hinder identification as targeted attack.
#APT29 uses at least 3 types of backdoors: phishing, operational, persistence.