My Favorite Threat Intel Tweets of 2016
Last year I put together My Favorite Threat Intel Tweets of 2015. And now it’s time for another round-up of threat intel tweets!
The tweets I gathered are those I “liked” throughout the year. They hit on threat intelligence concepts, best practices, gripes, and some other commentary on the information security industry more broadly. (And there are a few that just made me laugh.) I generally omitted tweets with links to blog posts or videos, favoring those that capture threat intelligence insights in 140 characters or less.
Many of these tweets are from longer conversations that are rich and thought provoking. Although I snagged the tweets that I thought best captured the gist of these conversations, I encourage you to read the full threads.
I did not include tweets mentioning the 2016 SANS #CTISummit or the #CTIJam. You’ll find dozens more great threat intel tweets in these threads!
Great stuff in the #CTIJam thread. Meetings kept me away. Thanks to @rickhholland @DavidJBianco & those who contributed many great answers.
— Wayne Crowder (@wacbass) April 21, 2016
You can find a good summary of the #CTIJam from Andreas Sfakianakis.
Counter-intuitively, I spent only a short amount of time combing through tweets mentioning #threatintel or #threatintelligence. To be sure, practitioners do use these hashtags, but there is also a lot of marketing content…
Well, here are my favorite threat intel tweets of 2016, my friends. Enjoy!
For those interested in intel analysis you should learn about logical fallacies (https://t.co/WSLFTpWwwb) and ACH (https://t.co/0zzYDeiN8n)
— Robert M. Lee (@RobertMLee) January 1, 2016
The 3 main uses for Yara rules:
1) real-time detection
2) hunting
3) attribution
Know & document your objective for each rule you write.
— PaulM (@pmelson) January 4, 2016
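The tweet above says to document the objective of every YARA rule; the ruleset lint below is an added example (not from the original post or from @pmelson) of enforcing that in a CI step. It assumes the objective lives in a meta field named `objective` with the three values the tweet lists, parses rule text with a regex so it runs without a YARA library, and the four sample rules are constructed for the example.

```python
"""Check that every YARA rule in a ruleset documents its objective.

Added example: enforces the advice that each rule records whether it is
for real-time detection, hunting or attribution. Parses rule text with
regular expressions rather than a YARA library so it runs stand-alone.
The meta field name 'objective' and the allowed vocabulary are assumptions.
"""
import re

ALLOWED_OBJECTIVES = {"detection", "hunting", "attribution"}

# Constructed sample ruleset: two documented rules, one with no meta block,
# one whose objective is outside the agreed vocabulary.
SAMPLE_RULESET = r'''
rule dropper_wsf_in_zip
{
    meta:
        author = "soc"
        objective = "detection"
        description = "WSF script inside a ZIP seen in phishing mail"
    strings:
        $a = ".wsf" ascii nocase
        $b = "WScript.Shell" ascii
    condition:
        all of them
}

rule loader_string_overlap
{
    meta:
        objective = "hunting"
        description = "Loose string match, expect false positives"
    strings:
        $s = "LoadLibraryExW" ascii
    condition:
        $s
}

rule undocumented_rule
{
    strings:
        $x = "foo"
    condition:
        $x
}

rule vague_rule
{
    meta:
        objective = "misc"
    condition:
        false
}
'''

# A rule starts with 'rule <name>' at the beginning of a line and ends with a
# closing brace at the beginning of a line (assumes the usual formatting).
RULE_RE = re.compile(r"^rule\s+(?P<name>\w+)[^{]*\{(?P<body>.*?)^\}",
                     re.S | re.M)
# The meta block runs until the next strings: or condition: section.
META_RE = re.compile(r"meta:\s*(?P<meta>.*?)(?=\n\s*(?:strings|condition):)",
                     re.S)
# Only quoted string values are handled; integer/boolean meta values are
# ignored, which is fine for an 'objective' field.
KV_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_rules(text):
    """Return {rule_name: {meta_key: meta_value}} for every rule in text."""
    rules = {}
    for m in RULE_RE.finditer(text):
        meta = {}
        mm = META_RE.search(m.group("body"))
        if mm:
            meta = dict(KV_RE.findall(mm.group("meta")))
        rules[m.group("name")] = meta
    return rules


def lint_objectives(text):
    """Return {rule_name: problem} for rules without a valid objective."""
    problems = {}
    for name, meta in parse_rules(text).items():
        obj = meta.get("objective")
        if obj is None:
            problems[name] = "missing objective"
        elif obj not in ALLOWED_OBJECTIVES:
            problems[name] = f"unknown objective {obj!r}"
    return problems


if __name__ == "__main__":
    for rule, problem in sorted(lint_objectives(SAMPLE_RULESET).items()):
        print(f"{rule}: {problem}")
```

Run it against a real ruleset directory before rules are merged; a rule whose objective is "hunting" can tolerate false positives that would be unacceptable for one tagged "detection", so the tag also tells the SOC how much to trust a hit.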
Sprinkle some threat intel on it, you will be fine.
— Rick Holland (@rickhholland) January 4, 2016
Only HUMAN analysts can create [threat] intelligence (regardless of what marketing materials say). – @RobertMLee
— Craig Lindsey (@kc5aug) January 6, 2016
"Intel" is what data wants to be when it grows up. #threatintel #DFIR
— David J. Bianco (@DavidJBianco) January 7, 2016
.@CYINT_dude Fully utilize free tools and resources before you (as a small org) buy more capability. This allows maturation of intel skill.
— John D. Swanson (@swannysec) January 15, 2016
.@psniffer @CYINT_dude Derive intel from your own internal data. What are we seeing? How can we better defend vs. those threats? 2/2
— John D. Swanson (@swannysec) January 19, 2016
"actionable" defines Intelligence, but "actionable" relates to existing capabilities. Intelligence to some will only be information to others
— Augusto Barros (@apbarros) January 22, 2016
Build a defense that works for everything, and don't put it off until something bad happens.
— Jessica Payne (@jepayneMSFT) January 30, 2016
Norse: a great example of how good infosec folks doing interesting research can be totally derided by terrible productization and marketing.
— Lesley (@hacks4pancakes) January 30, 2016
@attrc not all TI needs to be cloak and dagger. Raising awareness of attacker actions can have real results as well. But yeah, not on maps.
— Rebekah Brown (@PDXbek) January 31, 2016
Others doing malware analysis is appreciated and useful. But be careful of assuming adversary intent and campaigns from code samples.
— Robert M. Lee (@RobertMLee) February 5, 2016
Not every org can/should pursue a fancy #threatintel platform or commercial feed. Generate value from freely available/internal data first.
— John D. Swanson (@swannysec) February 9, 2016
Analysis is not a religion, don’t use the word believe. Hold measured judgements expressed in language differentiating fact and hypothesis.
— Sergio Caltagirone (@cnoanalysis) February 9, 2016
Similarly, how many more #ThreatIntel articles do we need about the difference between "data", "information" and "intelligence"?
— Alex Pinto (@alexcpsec) February 12, 2016
Simply put: the speculation and leaks have 0 defensive value. Patience on the matter will yield better lessons learned and a full report.
— Robert M. Lee (@RobertMLee) February 12, 2016
@pmelson fully agreed. usefulness of a hash (or any indicator) is best evaluated by intel on the attacker or malware fam.
— Josh Liburdi (@jshlbrd) February 14, 2016
Can anyone point me to research or case studies that explain WHY we are putting such an emphasis on cyber information sharing?
— Rebekah Brown (@PDXbek) February 14, 2016
"Many intelligence reports in war are contradictory; even more are false, and most are uncertain…. In short, most intelligence is false."
— Scott J Roberts (@sroberts) February 15, 2016
@DFIR_Janitor @CYINT_dude @corey_harrell @jshlbrd @jackcr "all models are wrong. some models are useful."
— Tio Kyle (@kylemaxwell) February 17, 2016
@chrissanders88 @rickhholland @cnoanalysis @CYINT_dude Challenge is, simplicity must be maintained for an abstraction (model) to be valuable
— Michael Cloppert (@mikecloppert) February 17, 2016
I'm so happy I'm not alone on this.
Theories w/o facts are harmful. Do not force other ppl to trust you, show facts. pic.twitter.com/a5iF1Gfcla
— _Veronica_ (@verovaleros) February 21, 2016
The smartest people I know in infosec are always pumping others for ideas and talking through/refining their own. We learn more together.
— Jake Williams (@MalwareJake) February 24, 2016
I'd really like to see us move beyond the data -> info -> intel conversation. It's 2016, we should be more sophisticated than this #threatintel
— Rick Holland (@rickhholland) March 8, 2016
@cnoanalysis a lack of requirements and planning makes it *really* hard to provide insightful analysis
— Rebekah Brown (@PDXbek) March 11, 2016
@CYINT_dude @PDXbek Agreed. I think sadly the most revolutionary thing about analysis in CTI would be teams actually doing analysis.
— Scott J Roberts (@sroberts) March 14, 2016
@cnoanalysis @CYINT_dude Did someone say big data? pic.twitter.com/6rMUiJayny
— Rick Holland (@rickhholland) March 16, 2016
Think sharing indicators is hard? Try sharing analytics. Good analytics need to be composable, sharable, and interoperable. #cybersecurity
— Sergio Caltagirone (@cnoanalysis) March 28, 2016
You deserve only the highest quality free range, fair trade, gluten free, organic, expertly curated, small batch, sustainable threat intel.
— saintX (@saintX) April 6, 2016
Go learn how to do something you don't know how to do, then teach it to someone else. #infosec
— thomas (@sehque) April 10, 2016
Said many times over the years in different ways: "intelligence reduces uncertainty, it doesn't eliminate it." Good to remember.
— Rick Holland (@rickhholland) April 13, 2016
Against data-driven decision making pic.twitter.com/iImaOqwvHm
— David Robinson (@drob) May 4, 2016
Many underestimate the skills required to produce #threatintel. Anyone can deliver IOCs/signatures but producing a good TI report is an art.
— Michael Yip (@michael_yip) May 10, 2016
@ma77bennett @int0x00 @michael_yip Actionability or not is a measure of capability on the consumer side, not the producer side
— Mark Arena (@markarenaau) May 11, 2016
@CYINT_dude @markarenaau @int0x00 @ma77bennett @michael_yip …if you can consistently demonstrate value over time, clients will trust you.
— Packet Sniffer (@psniffer) May 11, 2016
Reading through some notes I took at a meeting over a year ago. Wow, I'm kind of mean, but it's true #threatintel pic.twitter.com/PDBFr0yjQZ
— Rebekah Brown (@PDXbek) May 11, 2016
To see the road ahead, we must force ourselves to think…not how fast we can produce intelligence but how well we can produce it – J.Bodnar
— Rebekah Brown (@PDXbek) May 15, 2016
Really think grouping #threatintel into tactical, technical, operational & strategic is too much for most orgs. Why complicate even more?
— Rick Holland (@rickhholland) May 23, 2016
Want to know how to apply #ThreatIntel? Identify the #infosec decision points and feed those decisions the insight to make them better.
— Sergio Caltagirone (@cnoanalysis) May 24, 2016
Powell's 4 rules for intelligence staff belongs on the desk of every #threatintel analyst. https://t.co/sfzGiFVy04 pic.twitter.com/QoiQ2MF0Gl
— Sergio Caltagirone (@cnoanalysis) May 26, 2016
Dealing with customers.
Valid for any business you're in. pic.twitter.com/8NaO57XFOh
— Khalil Sehnaoui (@sehnaoui) June 13, 2016
New analysts: Learn as much as possible about the threats your org has previously faced. It will help your analysis and understanding #DFIR
— Jack Crook (@jackcr) June 14, 2016
So refreshing to hear a client say, “we don’t want to become an indicator shop.” Don’t hyper focus on indicators of exhaustion #ThreatIntel
— Rick Holland (@rickhholland) June 20, 2016
"1. Get threat intel 2. ???? 3. Profit!" syndrome seems to plague many organizations.
— Dr. Anton Chuvakin (@anton_chuvakin) June 21, 2016
@cnoanalysis "Coffee. [high confidence]"
— Kris McConkey (@smoothimpact) June 27, 2016
Your writing is a cost to your reader – make it worth it. #infosec #DFIR #threatintel
— Sergio Caltagirone (@cnoanalysis) July 7, 2016
Don't let the hunt for shiny new #threatintel keep you from doing strategic research that can be far more impactful. https://t.co/4SGJMjNEuF
— Rebekah Brown (@PDXbek) July 13, 2016
Note to the media: Your Turkey live blogs should have *every news item* very clearly labeled this way right now. pic.twitter.com/ijQG4HNe82
— Thomas Baekdal (@baekdal) July 15, 2016
There are actually analytic techniques for working with patchy data that may be from adversarial intelligence services. Maybe use them?
— the grugq (@thegrugq) July 26, 2016
Alternative hypotheses are necessary but not a license to go to crazy land #threatintel #tradecraft
— Sergio Caltagirone (@cnoanalysis) July 27, 2016
Write down everything you know about an adversary (tools and TTPs). Determine what you can accurately detect and hunt for what you can't.
— Jack Crook (@jackcr) August 9, 2016
@cahlberg @CYINT_dude "We don't even know what we don't know…" pic.twitter.com/Nz818WO0Bj
— Trip (@TripKrant) August 10, 2016
Write your reports thinking that you will want to read them in 3 years and understand them. #assumenothing
— _Veronica_ (@verovaleros) August 12, 2016
#ThreatIntel 101: It starts with the customer (requirements) and ends with the customer (feedback)
— Sergio Caltagirone (@cnoanalysis) August 15, 2016
"It ain't what you don't know that gets you into trouble. It's what you know for sure that just ain't so."-Mark Twain #threatintel #infosec
— saintX (@saintX) August 18, 2016
FUCK WE JUST GOT HIT. Fucking .wsf in a ZIP in a remote office. I never got around to blocking that. Local server encrypted. First time. FUK
— InfoSec Taylor Swift (@SwiftOnSecurity) August 19, 2016
lol, love it. NSA repurposes exploits and apparently that means attribution is impossible because a CVE is "malware" https://t.co/3a8Je0PlVm
— the grugq (@thegrugq) August 27, 2016
Morning thought: I'm an analyst. I love EVERY well-reasoned, evidence based argument that dissents from my own-from politics to #threatintel
— Michael Cloppert (@mikecloppert) September 3, 2016
Guess the 5 letter country that's been redacted in the OPM report.. it was…. ITALY! pic.twitter.com/uKrNW2E9tT
— chris doman (@chrisdoman) September 7, 2016
@chrisdoman @CYINT_dude @JimmyVo @pstirparo @LG_CTIG Excel is the best threat intel platform known to man.
— Tom Lancaster (@tlansec) September 8, 2016
@CYINT_dude There is nothing like the joy of successful experimental discovery– developing a new method / evolving your own tradecraft!
— Packet Sniffer (@psniffer) September 8, 2016
The recipients list on previous tweet was getting long but to clarify, I am serious, Excel is more valuable than most TIPs to an analyst.
— Tom Lancaster (@tlansec) September 9, 2016
#ThreatIntel is like the food chain: If you don’t know how it’s being produced, you can’t truly assess its quality #DFIR
— Sergio Caltagirone (@cnoanalysis) September 9, 2016
The new economy is data. Most careers will involve generating, analyzing and disseminating data. #threatintel is proof.
— Packet Inspector (@pkt_inspector) September 13, 2016
An example of what "wrong" looks like in information sharing. Speed is important but Quality is far more important. https://t.co/uRdWhCd10T
— Robert M. Lee (@RobertMLee) September 13, 2016
. @WeldPond @cnoanalysis Big disconnect in TI sharing: everyone wants to contribute anonymously but wants sources to be known/trusted.
— Wendy Nather (@wendynather) September 14, 2016
WRITING TIPS:
1) Stare out of window.
2) Feel a bit sad.
3) Open a Word doc.
4) Stare at its Arctic blankness.
5) Sigh.
6) Go on Twitter.
— Matt Haig (@matthaig1) September 19, 2016
Hey #threatintel – don't forget the business problem you're solving. Your requirements must flow from the mission.
— Sergio Caltagirone (@cnoanalysis) September 26, 2016
A lot of it is OSINT bc someone did the analysis and made an effort to publicly share. That's not something we should demean. https://t.co/EaEgXC92Yb
— Rebekah Brown (@PDXbek) September 28, 2016
Lot of good OSINT work out there. Look for good analytical process, recognition of bias, attention to quality of data. #ThreatIntel #InfoSec
— John D. Swanson (@swannysec) September 28, 2016
@gregLeBl_nc @CYINT_dude This picture is great. There is data and then Intelligence. Accepting what is what is the first step to do it right. pic.twitter.com/Xd6kQ99bkG
— _Veronica_ (@verovaleros) September 29, 2016
"The most exciting phrase to hear in science … is not 'Eureka!' but ‘That’s funny…’" – Isaac Asimov. True also for #ThreatIntel
— Michael Cloppert (@mikecloppert) October 2, 2016
When you find the IOCs from the FireEye report on your network https://t.co/galyfaFuAy
— InfoSec Taylor Swift (@SwiftOnSecurity) October 15, 2016
It's challenging to find the right balance between quality/accuracy, quantity and speed. And sometimes diversity as well. #ThreatIntel
— _Veronica_ (@verovaleros) October 18, 2016
Ayup. That there's certified free-range organic threat data. Gluten free and everything.
— ax0n (@ax0n) November 9, 2016
I'm prepared to retract my snide remarks about hackers portrayed wearing balaclavas based upon new evidence… https://t.co/cyAjFATU8F
— N Beach-Westmoreland (@NateBeachW) November 30, 2016
Pivoting off of indicators? Beware of the Kevin Bacon effect. If links between data lack meaning, you'll soon involve the whole Internet.
— Jake Williams (@MalwareJake) December 8, 2016
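The "Kevin Bacon effect" above is what happens when a pivot walks through a node that links to everything, such as a shared hosting IP, a CDN domain or a packer hash. The script below is an added example (not from the original post or from @MalwareJake) of a breadth-first pivot that records such high fan-out nodes as hubs and refuses to expand them. The indicator graph, the relationship labels and the fan-out threshold are all constructed for the example; the addresses are from the RFC 5737 documentation ranges and the domains use the reserved .example TLD.

```python
"""Pivot across linked indicators without pulling in the whole Internet.

Added example: a breadth-first pivot over a constructed indicator graph.
Nodes whose fan-out exceeds a threshold are treated as shared infrastructure
(hubs): they are reported but not expanded, so their unrelated neighbours
never enter the result set. Every indicator below is invented.
"""
from collections import deque

# Constructed graph. Each edge carries a relationship label so an analyst can
# see why two indicators are linked, not merely that they are.
EDGES = [
    ("hash:aa11", "domain:update-checker.example", "beacons_to"),
    ("domain:update-checker.example", "ip:203.0.113.7", "resolves_to"),
    ("ip:203.0.113.7", "domain:second-stage.example", "hosts"),
    ("hash:aa11", "ip:198.51.100.9", "beacons_to"),
] + [
    # ip:198.51.100.9 is shared hosting: forty unrelated tenant domains.
    ("ip:198.51.100.9", f"domain:tenant-{i:02d}.example", "hosts")
    for i in range(1, 41)
]


def build_graph(edges):
    """Adjacency list; pivots are walked in both directions."""
    graph = {}
    for src, dst, rel in edges:
        graph.setdefault(src, []).append((dst, rel))
        graph.setdefault(dst, []).append((src, rel))
    return graph


def pivot(graph, start, max_depth=3, max_fanout=10):
    """Return ({indicator: depth}, {hubs}) reachable from start.

    A node with more than max_fanout neighbours is recorded as a hub and
    not expanded; max_depth bounds the walk even without hubs.
    """
    seen = {start: 0}
    hubs = set()
    queue = deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth >= max_depth:
            continue
        neighbours = graph.get(node, [])
        if len(neighbours) > max_fanout:
            hubs.add(node)  # shared infrastructure: note it, do not expand it
            continue
        for nxt, _rel in neighbours:
            if nxt not in seen:
                seen[nxt] = depth + 1
                queue.append((nxt, depth + 1))
    return seen, hubs


if __name__ == "__main__":
    g = build_graph(EDGES)
    guarded, hubs = pivot(g, "hash:aa11", max_depth=3, max_fanout=10)
    unguarded, _ = pivot(g, "hash:aa11", max_depth=3, max_fanout=10**6)
    print(f"guarded pivot: {len(guarded)} indicators, hubs skipped: {sorted(hubs)}")
    print(f"unguarded pivot: {len(unguarded)} indicators")
```

The threshold is a judgement call per data source: passive DNS on a CDN IP will show thousands of domains, while a dedicated C2 server rarely shows more than a handful, so a hub that does get flagged is itself a useful observation about the adversary's hosting choices.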
A little risk humor…. pic.twitter.com/jZTaYrV8Mk
— Kenneth F. Belva (@infosecmaverick) December 14, 2016
So many visualizations do nothing other than prove "something" was done. Analysis must lead to actionable understanding.
— Matthew Olney (@kpyke) December 21, 2016
Let's get this straight: alternative hypotheses without evidence are "speculation"; alternative hypotheses must be evidence-based #infosec
— Sergio Caltagirone (@cnoanalysis) December 22, 2016
Performing IR analysis? When someone pitches a theory, reduce it to predicates that must be true and seek supporting/refuting evidence.
— Jake Williams (@MalwareJake) December 24, 2016
Merry Christmas y'all. As always, much love to the SOC analysts on watch today. Bring them something delicious if you can.
— Chris Sanders (@chrissanders88) December 25, 2016