I'm generally a pretty positive person, but it's Festivus, so let's blow off some steam and air our #threatintel grievances.
Threat intel feeds are just data feeds; they're not threat intel.
Please stop naming groups after malware; it's confusing AF.
Nation states are not countries. CC @cnoanalysis https://en.wikipedia.org/wiki/Nation_state
If you use fear, uncertainty, and doubt to sell things, you are a GRINCH and please stop.
"APTs" matter sometimes, but for most orgs, you're a lot more likely to be affected by stuff like BEC and ransomware. Please stop panicking about every new "APT" report and patch things.
Stop being jerks to new people. They're learning, and they could end up being your boss someday, so be nice.
PDFs of reports are AWESOME, but please, please, put the DATE ON THE FRONT PAGE. Don't make me go search for your corresponding blog post because I am lazy.
Just because someone disagrees with you doesn't make them a bad person. Disagreement is GOOD in threat intelligence.
Stop yelling at people who include TTPs and not indicators. TTPs are useful too.
Please stop just listing ATT&CK techniques with no additional context or detail.
Don't steal other people's stuff. Give credit if you use someone else's work.
Don't use those fake PDF readers that track people when they're reading your reports but make them think they're in a PDF reader.
Don't worry too much about attribution to a person/country/military unit unless you actually need that. For many of us, that doesn't really matter, and you can take the same actions knowing how the threat acts. Don't @ me. 😉 Threat intel is more than country-level attribution.
Scans are not attacks. h/t @WylieNewmark
Putting on makeup is a pain in the ass. I deem this as threat intel-related because it's my thread and I feel like I need to put on makeup when doing threat intel presentations.
Please stop asking if something is being recorded and if the slides are being shared if that's already been stated. This is annoying. Yes, I admit, this is completely hypocritical because I'll probably ask it, but whatevs.
Lazarus and Winnti.
"Indicators" without context. That's not an indicator and it's sure as heck not threat intel.
Markdown.
When samples aren't in VT.
You can follow @likethecoins.