Andrew Thompson
May 25, 2018, 5 tweets, 4 min read
#StateOfTheHack follow-up. Thank you to everyone who tuned in, and we apologize for the technical difficulties and audio. We are going to get that figured out for future iterations. I wanted to follow up with indicators I talked about at the end to prove a point regarding #GDPR:
My team develops sources and methods for pursuing adversaries across our customers' networks, and beyond. We do not become reliant on a single source, nor do we allow the loss of a source to cripple our collection efforts. Loss of WHOIS information is not a deal breaker.
This is the domain I dropped in our #StateOfTheHack discussion today. The screenshot indicates we illuminated it on day zero of the adversary establishing it. The WHOIS information is privacy protected. However, we didn't discover the domain through registrant information.
Two days later, someone uploaded the associated QUADAGENT sample to VirusTotal. This is insightful, as we can assess that the threat actor actions a target within 48 hours of establishing infrastructure. However, the real story is how our team is able to get ahead of a nation state.
Keep this in mind when you see other practitioners complaining about the loss of WHOIS information. Lose your dependency.
QUADAGENT: d672d2d1b822f22249c3cc1d74b2afee and www[.]rdppath[.]com #apt #iran #threatintel #fireeye #tore #advancedpractices #adversarypursuit
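The thread publishes its two indicators defanged (the domain is written with "[.]" so it is not clickable) and makes the point that the value of an indicator lies in sweeping it across your own telemetry, not in the WHOIS record behind it. The script below is an added example, not code from the thread or from FireEye: it refangs the two indicators above, classifies them, and sweeps them across constructed DNS-query and EDR file-hash log lines. The log format, host names and the domain-matching rule (match the apex and any subdomain, so rotated hosts under the same registered domain are still caught) are assumptions for illustration; the apex derivation also assumes a one-label public suffix and would need a public-suffix list for .co.uk-style TLDs.

```python
"""Normalise defanged indicators and sweep them across sample telemetry.

Added example. The two indicator values are the ones from the thread above;
the log lines, hosts and paths are constructed for illustration and are not
from any real network.
"""
import re

# Indicators exactly as the thread publishes them (defanged).
THREAD_IOCS = ["d672d2d1b822f22249c3cc1d74b2afee", "www[.]rdppath[.]com"]

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def refang(ioc: str) -> str:
    """Reverse common defanging so the value can be compared with live telemetry."""
    s = ioc.strip().lower()
    for broken, fixed in (("[.]", "."), ("(.)", "."), ("[dot]", "."), ("hxxp", "http")):
        s = s.replace(broken, fixed)
    return s


def classify(ioc: str):
    """Return (kind, normalised_value); kind is 'md5', 'domain' or 'unknown'."""
    value = refang(ioc)
    if MD5_RE.match(value):
        return "md5", value
    if DOMAIN_RE.match(value):
        return "domain", value
    return "unknown", value


def apex(domain: str) -> str:
    """Registrable apex, assuming a one-label public suffix (e.g. rdppath.com).
    Replace with a public-suffix-list lookup for suffixes such as .co.uk."""
    return ".".join(domain.split(".")[-2:])


def domain_hit(observed: str, watched: str) -> bool:
    """True if the observed name is the watched apex or any host beneath it.
    The leading dot check prevents 'notrdppath.com' from matching."""
    observed = observed.lower().rstrip(".")
    root = apex(watched)
    return observed == root or observed.endswith("." + root)


# Constructed sample telemetry: DNS query records and EDR file-hash records.
SAMPLE_LOGS = [
    "2018-05-25T13:02:11Z dns host=ws-17 qname=www.rdppath.com qtype=A",
    "2018-05-25T13:02:12Z dns host=ws-17 qname=update.microsoft.com qtype=A",
    "2018-05-25T13:05:40Z dns host=ws-03 qname=cdn.rdppath.com qtype=A",
    "2018-05-27T09:14:02Z edr host=ws-17 path=C:\\Users\\a\\AppData\\Local\\Temp\\x.ps1 md5=D672D2D1B822F22249C3CC1D74B2AFEE",
    "2018-05-27T09:15:00Z edr host=ws-03 path=C:\\Windows\\notepad.exe md5=0000000000000000000000000000abcd",
]

DNS_LINE = re.compile(r"^(\S+) dns host=(\S+) qname=(\S+)")
EDR_LINE = re.compile(r"^(\S+) edr host=(\S+) path=(\S+) md5=([0-9a-fA-F]{32})")


def sweep(lines, iocs):
    """Return (timestamp, host, matched_indicator) for every line that hits an IOC."""
    watched = [classify(i) for i in iocs]
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if m:
            ts, host, qname = m.groups()
            for kind, value in watched:
                if kind == "domain" and domain_hit(qname, value):
                    hits.append((ts, host, value))
            continue
        m = EDR_LINE.match(line)
        if m:
            ts, host, _path, md5 = m.groups()
            for kind, value in watched:
                # Hashes are compared case-insensitively; EDR agents differ here.
                if kind == "md5" and md5.lower() == value:
                    hits.append((ts, host, value))
    return hits


if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS, THREAD_IOCS):
        print(*hit)
```

Run as-is it reports three hits: both hosts that resolved names under rdppath.com (including the sibling host cdn.rdppath.com, which an exact-match rule would miss) and the workstation that later executed the file with the QUADAGENT MD5. The two-day gap between the DNS hits and the hash hit in the constructed data mirrors the thread's observation that infrastructure is visible before the sample surfaces.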