@GoogleCloud @Mandiant #AdversaryMethods Lead. Former #AdvancedPractices Security Researcher, Technical Intel Analyst, IR Consultant, Security Architect/TPM.
Aug 12, 2018 • 9 tweets • 3 min read
In my experience, once an attacker is tipped off to a response, a few things can happen. What happens likely depends on where they are in their mission, mission priority, tolerance for being publicly identified, etc. It also likely depends on how badly they think they're burned.
A victim identifying a phishing doc or phishing backdoor doesn't necessarily mean the op is blown. In fact, it may give the victim a false confidence if they found the initial infection but didn't follow lateral movement. Same if an attacker loses a couple of implants out of many
Nov 10, 2017 • 13 tweets • 4 min read
Some observations about Russian #APT29, after dealing with them for years (my views, not my employer's):
#APT29 has used generic phishing emails, like "efax notification". They work on gullible users and hinder identification as targeted attack.