BC TECH
Saved by @SteveeRogerr

For threat hunting, a non-trivial amount of the work is referencing, creating, and updating system and network inventory. This doesn't get talked about enough as a skill set that someone develops. 1/

 Threat hunting is all about finding anomalies that automated detection mechanisms don't find. That means manual anomaly detection, which sometimes means weeding out things that are normal. 2/
For example, let's say you discover a binary that runs in the middle of the night on a host and that's weird! So, you eventually search for the prevalence of that behavior and see it running on other hosts in that department. 3/
At the same time, you find this host talking to a weird internal system on an odd low port you haven't seen before. In this case, that behavior is nowhere else on the network. 4/
Eventually, you talk to an IT person or user in that department and find out the process is some special software they use and the weird system is a dedicated server for it, and it's all legit. Job's not done, though. 5/
Now, you gotta write that stuff down. It needs to be in a place where other analysts can quickly reference it, and even better, where you can reference it a year from now when you've long forgotten about it. 6/
In my hunting class, I teach folks how to take effective hunting notes and translate those into some sort of security wiki as necessary. Beyond that, hunters gotta know how to access and interact with whatever inventory software the org is running. 7/
I say this bc I have a lot of followers here and people who take my hunting class who are caught off guard by the need to do these things. Knowing a network is a critical part of the job, and the ability to do that effectively is a skill set you must develop as part of it. 8/
Not all threat hunting is chasing attackers through servers. Much of it is finding things that are normal and documenting them so you (or your peers) don't spend as much time on them later. 9/
As far as referencing knowledge sources. Consider that for every behavior you might identify, ask yourself, how would I determine if this was normal? You should be able to answer this for the most common types of behaviors you'll see. 10/
Behaviors might include processes launching, per-protocol network communication, authentication, file deletion, and many other observable things. Sometimes answerable with evidence, but sometimes other sources of knowledge like an asset DB. 11/
For example, how would you know if an auth behavior was normal? Well, you can look at past auth behaviors, look at those behaviors within a department, look at future auth behaviors, ask the user, or look at a security wiki, or past tickets. 12/
More broadly, to determine if a behavior is normal, it means crafting SIEM/data search queries (looking in the past), setting up new data capture (looking in the future), or examining other sources of facts (asset DB, AD, etc). The last two are the most overlooked. 13/
You can think of this like a doctor who is trying to determine if some test result is normal for a patient. If possible they look historically, if not they look in the future. Sometimes they examine related sources of facts. 14/
Bottom line: If you are a threat hunter, you are also a custodian of network knowledge. Take time to develop that skill. Ignore that responsibility at your own peril. 15/
There are two great ways to start today.

First, do you have some sort of wiki or repo where you can store network knowledge? No? Set one up.

Second, figure out what asset DB software you use, get access, and learn how to query it effectively and quickly. 16/
This morning's thread brought to you by the screams of hundreds of analysts who thought they wanted to be threat hunters but didn't realize what the job fully entailed.

Alas, it's a beautiful day to catch bad guys. 17/17

More from Tech

Alex Stamos
Alex Stamos
@alexstamos
The entire discussion around Facebook’s disclosures of what happened in 2016 is very frustrating. No exec stopped any investigations, but there were a lot of heated discussions about what to publish and when.


In the spring and summer of 2016, as reported by the Times, activity we traced to GRU was reported to the FBI. This was the standard model of interaction companies used for nation-state attacks against likely US targeted.

In the Spring of 2017, after a deep dive into the Fake News phenomena, the security team wanted to publish an update that covered what we had learned. At this point, we didn’t have any advertising content or the big IRA cluster, but we did know about the GRU model.

This report when through dozens of edits as different equities were represented. I did not have any meetings with Sheryl on the paper, but I can’t speak to whether she was in the loop with my higher-ups.

In the end, the difficult question of attribution was settled by us pointing to the DNI report instead of saying Russia or GRU directly. In my pre-briefs with members of Congress, I made it clear that we believed this action was GRU.
TECH
Wilbert Liu \U0001f468\U0001f3fb\u200d\U0001f3a8
Wilbert Liu 👨🏻‍🎨...
@wilbertliu
These past few days I've been experimenting with something new that I want to use by myself.

Interestingly, this thread below has been written by that.

Let me show you how it looks like. 👇🏻


When you see localhost up there, you should know that it's truly an experiment! 😀


It's a dead-simple thread writer that will post a series of tweets a.k.a tweetstorm. ⚡️

I've been personally wanting it myself since few months ago, but neglected it intentionally to make sure it's something that I genuinely need.

So why is that important for me? 🙂

I've been a believer of a story. I tell stories all the time, whether it's in the real world or online like this. Our society has moved by that.

If you're interested by stories that move us, read Sapiens!

One of the stories that I've told was from the launch of Poster.

It's been launched multiple times this year, and Twitter has been my go-to place to tell the world about that.

Here comes my frustration.. 😤
TECH
Advertisement
Josh Butler
Josh Butler
@JoshButler
Users: hey can you get rid of the Nazis please

Twitter: ok sure, we've changed the stars to hearts for likes

Users: no no, zero Nazis please

Twitter: yep we're getting rid of Vine

Users: nah hey, what about the Nazis

Twitter: ok ok fine, no more likes

Really though, if you had to ask any average user what were the main things leading to a bad "quality of debate" on this bad website, the tiny little heart symbols would not exactly be at the top of most people's lists
TECH
Brad Kaellner - Stock Compounder
Brad Kaellner - Stock ...
@bkaellner
Incumbents almost always prevail with sustaining innovation

In disruptive circumstances, the entrants are likely to beat the incumbents

H/t Clayton Christensen, The Innovator’s Solution
TECH
Qiao Wang
Qiao Wang
@QwQiao
People sometimes ask me what my vision of DeFi is. This is a very tough question. DeFi is very messy with thousands of experiments happening. But high level, I think DeFi will go through 2 phases:

During the 1st phase (next 2-5 years), we'll continue to build games, casinos, and speculative products.

This sounds uninspiring. But it has two main important consequences.

1) This will ultimately lead to hundreds of millions of users to install wallets and get uncomfortable with the UX.

2) This will force the tech (especially scaling) to mature.

Once we've achieved these two goals, phase 2 begins. In phase 2, products that serve real economic activities / integrated with the real economy will be built and flourish.

Right now, such products barely exist. @terra_money comes to mind. But this is the kind of products that I really look forward to. They are more economically sustainable, and create more value.
TECH

You May Also Like

Peter McCormack [Jan/3\u279e\u20bf \U0001f511\u220e]
Peter McCormack [Jan/3...
@PeterMcCormack
1/ So here is a thread on how I turned $32,000 into $1.2m and back to pretty much zero (once taxes are paid).

Just note, I am not bitter or salty in any way at all, the last 2 years have been an amazing ride - travelled the world, been wealthy, been poor.

2/ Dec '16, my advertising agency folded, I had a little bit of money left and I put $32k into Bitcoin and Ether. As it started to go up I diversified into everything, Monero, Dash, this that, any crap - even Ripplecoin. Everything just kept going up.

3/ By March I think I had around $300k and $500k by the summer. I used to take 25% out but towards the end of the summer I got greedy and put it all back in and by December it was $1.2m.

4/ Thinking I was an absolute genius I decided to start a bunch of businesses. As silly as it sounds I had this goal of making $5m as I wanted to buy Bedford Town Football Club and get them in the league, and as Crypto was going up forever I needed 6 months.

5/ So:
- Trading (income 1)
- Podcast (income 2)
- Mining (income 3)
- Mining pool (income 4)
- Consulting (income 5)

Yes - all of the above as a one-man army :)
LIFE
Corey Haines \U0001f4a1
Corey Haines 💡...
@coreyhainesco
I think I'm giving up on mainstream marketing content.

I'm giving up on social media consumption too.

So little substance.

Need to devote more time doing. More time creating.

Who needs another "5 ways to boost growth" post? I click and am disappointed every time. Not again.

I don't want to poop on content marketing, but marketers need to step it up.

Or at least, founders need to know that doing something is not always better than doing nothing.

Why is content marketing not as effective as it used to be? An innumerable amount of factors...

But one things for damn sure.

Things have to change.

Two of the chief sins:
1. Unoriginal research/story/study/etc
2. Not having anything more to add that's meaningful

Why blog/podcast/vlog/etc about something that's already been said? Already been done?

Do we really need another interview with founder of x hot startup? Do we really need another ultimate guide about facebook ads?

Not all content is like this...

Sometimes, you get an occasional piece that truly leaves you better off than you were before. That doesn't make you want to skim.

An original case study. A first time interview with a founder. An honest account of an experiment. An explanation of a change, shift, or realization.
LIFE
Advertisement
Kelly Ellis
Kelly Ellis
@justkelly_ok
So, I want to talk about how sexual harassment and fair pay are linked at Google (and beyond), because I think that's an angle that isn't being highlighted enough in the coverage of these walk-outs. I'm going to frame it largely around my personal experience there. Thread.

When I was sexually harassed by the director of the area I was working in, I was afraid to report it because I was worried that "getting him in trouble" would result in the subtle retaliation of missed leadership opportunities.

I wanted to continue working on the team I was on, because I'd gained a lot of very deep knowledge and expertise in that area, as well as reputation and camaraderie with the other folks working in that area. I didn't want to make the situation more "difficult."

To get promoted at Google, several need to happen: 1. you need opportunities for ownership and leadership above your current level (basically, opportunities to show you're working at the next level you're trying to get promoted to). The work you're "assigned" has a big impact.

2. You need glowing reviews from peers, *at or particularly above the level you're hoping to get promoted to.* Basically, you need people a lot more senior than you to say you're doing awesome work.
TECH , SOCIETY
Panic! in the Discord
Panic! in the Discord
@discord__panic
Neo-nazi group #PatriotFront held a photo op in #Chicago last weekend & is currently marching around #DC so it's as good time as any to compile a list of their identified members for folks to watch for

Who are these chuds?

Patriot Front broke away from white nationalist org Vanguard America following #unitetheright in #charlottesville after James Alex Fields was seen with a VA shield before driving his car into a crowd, murdering Heather Heyer & injuring dozens of others

Syed Robbie Javid a.k.a. Sayed Robbie Javid or Robbie Javid of Alexandria,


Antoine Bernard Renard (a.k.a. “Charlemagne MD” on Discord) from Rockville, MD.

https://t.co/ykEjdZFDi6


Brandon Troy Higgs, 25, from Reisterstown,
EXTREMISM
Chris Herd
Chris Herd
@chris_herd
The 2020s will be known as the Remote Work decade

A few predictions of what is likely to emerge

[ a thread ] 💻🏠🌍

🏦Third Space: Office and Working from Home will be joined by somewhere close by that a number of people will use

Supermarkets or local bank branches should emerge as a convenient ubiquitous location option – if they are smart

⏰Asynchronous Work: Offices are instantaneous gratification distraction factories where synchronous work makes it impossible to get stuff done

Tools that enable asynchronous work are the most important thing globally remote teams need. A lot of startups will try to tackle this

⚽️Hobbie Renaissance: Remote working will lead to a rise in people participating in hobbies and activities which link them to people in their local community

This will lead to deeper, more meaningful relationships which overcome societal issues of loneliness and issolation

🚜Rural Living: World-class people will move to smaller cities, have a lower cost of living & higher quality of life

These regions must innovate quickly to attract that wealth. Better schools, faster internet connections are a must
REMOTE WORK