Andrew Thompson
@ImposeCost

Head of Global Signals Operations @Google Threat Intelligence Group via @Mandiant acquisition. Posts are attributable to me—not my employer. Former @USMC.

United States. Joined June 2017
1.5K Following, 40.4K Followers
Andrew Thompson reposted
LABScon 2026 @labscon_io
🚨 The LABScon 2026 Call for Papers is officially OPEN! 🗓️ Deadline to submit: June 19, 2026 🔗 labscon.io <- find the button here
Andrew Thompson reposted
AI Security Institute @AISecurityInst
We conducted cyber evaluations of Claude Mythos Preview and found that it is the first model to complete an AISI cyber range end-to-end. 🧵
Andrew Thompson reposted
AI Security Institute @AISecurityInst
In 2023 the best models could barely complete beginner-level cyber tasks. Today, our evaluation of Mythos Preview shows that it – and potentially future models – could be directed to autonomously compromise small, weakly defended, and vulnerable systems if given network access.
Andrew Thompson @ImposeCost
@skytaleSythe Yes. And it's somewhat rational when you think about competing priorities. There's always a fire to fight today, why are we talking about stuff that isn't necessarily the most impactful thing right now? Except if you don't make time to strategically address emerging threats....
Bob @skytaleSythe
@ImposeCost Welp - I brought this topic up to my GM. His response - “I know - I’ve passed it up the chain and I’ll pass it up again”. This is code for it’s going to need to break bad enough to make the news before we take action 🫤.
Andrew Thompson @ImposeCost
Indications and Warnings. I remember the early I&W that enterprise extortion through encrypting data was going to be a thing. It's not that it was even conceptually new, but it was emerging. Then it exploded. When it exploded, we weren't ready. We were set up to do intrusion investigations into threat activity that at least WANTED to be stealthy end to end. The reality was that was a luxury, and that luxury vanished and firefighting began. It took a bit to adapt, but adaptation did happen. Crisis inspires innovation. My only hope is that with the I&W happening right now, we collectively have the wisdom to do the evolutions necessary BEFORE the crisis reaches its full potential. This is in fact the value prop of intelligence that helps you anticipate and take action before a situation manifests or is fully involved.
Andrew Thompson @ImposeCost
It's funny that the debates are usually around boundaries and definitions of a given label and not necessarily around "maybe it's just a whole different state nexus entity." Reality is the big producers have vantage points into threat activity and different use cases that drive how people choose to cluster. Also discussed is the reality that a single data point for one particular group may have a major significance given the characteristics of that particular cluster of related things than another. For example, groups that only use bespoke tools versus groups that use tools that are widely available. There's other stuff to the game, but that's enough for now.
bbsz @blackbigswan

I was living in the world of "DPRK attribution is a mess" completely unaware, up to the last week, there's a "Russian traffer MacOS malware attribution is a mess" world too! It's such a different type of a mess, lovely. My high level observation right now is that what makes it so messy is extreme similarity on TTP (Social engineering, fake landing pages design, same affiliates deploying multiple types of campaigns using different MaaS) while extreme dissimilarity of binaries delivered (These chronically get 'wrong' signature names on VT too). With DPRK it is often enough to observe social engineering component (and its target) to quickly get a vibe of what specific boy(s) are responsible. That's like completely useless for RU-traffer stuff. Or, dunno, maybe I am already half-North Korean and we sync'd our cycles or something.

Brett Shavers 🙄 @brettshavers
@ImposeCost Peeps should trust their tools as much as they trust their EDC being ready each time before heading out the door. Those who don't press check probably don't verify their DFIR tools either.
Andrew Thompson @ImposeCost
Healthy reminder that "trusted tools" is a whole concept in digital forensics and incident response. Willi's a real pro. I remember discovering CyberChef couldn't handle big numbers. 🤪 Validate your tool's output!
Willi Ballenthin @williballenthin

Under the hood, we actually just run cyberchef.js within a JavaScript engine and bridge it to IDAPython. It’s a little gross, but it works well. As we developed test cases for all the operations, we found and reported 10 upstream bugs.

Andrew Thompson @ImposeCost
@OwlRadiant I think stopping the root causes of radicalization, addressing the conditions that enable them, etc. should be the focus. People who want to flippantly be like "well that's just how it's going to go" need to strongly consider the second and third order effects.
PersuasiveOwl @OwlRadiant
@ImposeCost Of course, accountability still due for those who *act* out in that manner, just speaking to the broader dynamic and the preventative context.
Andrew Thompson @ImposeCost
Anti-AI Terrorism — the emerging threat that people really should talk about more. Let me tell you, angry unemployed populations that are armed to the teeth...
Secret shadow @NickSmi59531224
@ImposeCost Maybe, but in some cases being anti datacenter is kinda a good thing. There isn't enough love for nature and this is going to burn more
Andrew Thompson @ImposeCost
@gl0omsec It's not a vacuum. There are also noteworthy acts of terrorism against executives.
gloomsec @gl0omsec
@ImposeCost it really is wild to talk about these incidents in a vacuum like we haven't heard these CEOs and many others basically be giddy about dooming everyone's future for years
Andrew Thompson @ImposeCost
This sort of stuff is easily predictable. It's not acceptable, but it is something leaders should be anticipating. If you're sitting in an ivory tower saying you're going to put everyone out of work and tough luck, you better hope your physical security is commensurate with the threat that gets created by a whole lot of unemployed people who hate you as a result...
Brooke Taylor @Brooketaylortv

#SCOOP: Sources share surveillance photo of suspect, 20-year-old Daniel Moreno-Gama. He's accused of traveling from Spring, Texas to San Francisco to try and kill the OpenAI CEO and throw a Molotov cocktail at his house. Fox was here as FBI agents raided his home and my sources tell me he was found with an anti-AI manifesto when he was arrested in San Francisco. The document had a list of other AI executives with their names and addresses.

Andrew Thompson reposted
Willi Ballenthin @williballenthin
@ImposeCost Initially I’d hoped this would lead to more support to our peer humans, double checking their work and giving hints like the AI gets. But now I suspect the humans will be leapfrogged and we’ll ultimately trust the computers like we do people today.
MikeTalonNYC @MikeTalonNYC
@ImposeCost Not directly, but I think the reports reviewed and submitted by the expert witness may be fully created by AI. So it'll be a human voice, but AI-generated testimony.
Andrew Thompson @ImposeCost
Branching off from here, I am curious how AI in digital forensics is going to go. Someone out here has the answer I am sure. An AI Agent isn't likely going to be able to serve as an Expert Witness, right? That's the lead for the discussion.
Andrew Thompson @ImposeCost

Healthy reminder that "trusted tools" is a whole concept in digital forensics and incident response. Willi's a real pro. I remember discovering CyberChef couldn't handle big numbers. 🤪 Validate your tool's output!

Andrew Thompson reposted
Lenny Zeltser @lennyzeltser
A compelling case by @anton_chuvakin that vulnerability remediation can't keep pace with AI-accelerated exploit development. Even with better prioritization, patching faster won't keep up, which is why I keep coming back to attack surface reduction. Shrink what needs patching in the first place by removing unnecessary systems, restricting exposure, and hardening what remains. This is especially important for legacy environments. We can't just shrug and say "they're legacy." Those systems aren't going away on anyone's preferred timeline. Keeping them defensible takes focused energy to reduce exposure, add compensating measures, and steadily work toward retiring them (maybe, someday). These are multi-year efforts. medium.com/anton-on-secur…
Andrew Thompson @ImposeCost
@MikeTalonNYC You think that an AI Agent will provide Expert Witness testimony in a court in 2-3 years? I seriously doubt that?
MikeTalonNYC @MikeTalonNYC
@ImposeCost I suspect we'll eventually get there, but thinking at least another 2-3 years before that happens.
Andrew Thompson @ImposeCost
@MikeTalonNYC Of course. I'm curious about "forever human in the loop" work, because there's a real desire to remove human bottlenecks.
MikeTalonNYC @MikeTalonNYC
@ImposeCost Probably not, but using agents (and AI in general) to automate data gathering for analysis is probably a good place to start.