Dave Bell

Red Team isn’t all shells and champagne. It’s long hours of analysis looking for that *one* flaw that gives you the access you need to move toward your objective. You’ll even obsess in your sleep, and the answer will hit you in the shower. Then, repeat!

.@Volexity shares #threatintel on how #StormBamboo compromised an ISP to conduct DNS poisoning attacks on targeted organizations & abuse insecure HTTP software updates, delivering custom malware on both macOS + Windows. Read the full analysis: volexity.com/blog/2024/08/0… #dfir

I was reminded of this today for no particular reason ;) James Mickens’ “Mossad/not-Mossad Duality” in threat models

If you're planning to be in Las Vegas next week and want to reconnect, let me know! Hope to see you there.

@ImposeCost I’ve heard this referred to as “malicious compliance”

@4n6ir Back on the day I actually had a campaign get caught using that technique lol

Why don’t I see more phishing attempts that send an obvious looking phish that actually spoofs the “report this as suspicious” phish reporter button and get the user to click that instead to submit creds? Reflexive control…

Our friends over at @redcanary are hiring! Their Intel Analyst role is a full-time #synapse enterprise user! jobs.lever.co/redcanary/bb7a…

Praetorian is hiring for another 3 red teamers at the lead+ level of experience. Have to be lead or above for this hiring round, no junior or senior for the red team until next quarter, but there are other open positions on our website. We filled 29 reqs in Q1 and are scaling quickly but sensibly. Our clients have mature environments, you won’t have an easy life; but if you like to be challenged, this is a good place for you. **I am slow in DMs, best apply via our website but drop me a note

@gdead Had that happen while boarding a plane. I’m surprised they let me stay on the flight lol

@jfslowik Still Counting by Volbeat ;)

OK #CTI nerds, you're presenting at a conference and you get to pick walk-up music (max 45 seconds) - what are you picking? Me? I'm going with the opening of Judas Priest's Nightcrawler (which I think I did for SANS CTI Summit in 2019?)

Special Advisor for Cyberspace Operations INSCOM | Serves as an Advisor to the Deputy Chief of Staff (DCS) G-2, the US Army Intelligence and Security Command (INSCOM) Commanding General and staff, and the Army Staff. Open: March 05 to 19, 2024, usajobs.gov/job/779918300

Honeypots, right?

@andrewshumate Besides me? lol yeah a few other folks definitely looked like the walking dead

Whose idea was this

Which sounds more realistic? “If we do a few strategic things we kneecap the attackers” “We can do all the things everywhere all at once, 365x24 forever.” It seems like focusing our limited resources where it matters would be better. 3

My friend Krypt3ia is still searching for a remote CTI role after being caught in the layoff cycle. He's got years of solid experience and technical chops - including LLM training. If you've got leads, ping me and I can pass them along or share his resume. RT for reach pls.

I always love paying the bill for search and rescue insurance…makes me feel like I’m planning an antarctic expedition or something

Golf RTO #VetJokes

It’s crazy how amazing you feel crossing the finish line…and then completely fall apart 30 seconds later

First, I want to compliment @Microsoft for being forthright with details. Some of the problems I see in this report, I SEE EVERYWHERE due to VULNERABLE DEFAULTS. Let's start with creating malicious OAuth applications. By default, ANY USER can create app registrations and consent to Graph permissions as well as sharing 3rd party company data. In tenants where this is hardened, ability to create app registrations require Application Administrator or Cloud-Application Administrator and admins must consent to permissions used by the application whether local or from another tenant.