CISO at @VillanovaU. Former Falcon, Owl, Prof. All tweets are my own and typically focus on technology, usability, accessibility, security and privacy. 🇺🇸
35 ways to harden your Active Directory environment
1. MFA everywhere, without exceptions
2. Create a patch cadence you can stick with, and stick to it
3. You don’t need more domain admins, limit it like anyone who has it is cursed
4. You can’t protect what you don’t know exists, inventory is essential
5. Segment your network like your career depends on it
6. If it absolutely doesn’t need to be on the internet, it shouldn’t be
7. EDR alone will not save you, diversify your threat detection strategy
8. Application control can be one of the hardest controls to defeat, use it
9. Deception technology is essential for today’s modern threats, learn it and use it well
10. Email security tools are great, but don’t forget out of band processes are key especially for money transfers
11. Teach users the basics of social engineering red flags, don’t phish them yourself
12. If you don’t test your backups, you don’t have backups
13. If you don’t test your DR plan you don’t have a plan
14. If you don’t follow the 3-2-1 rule for backups you don’t have backups
15. Backups in Steve’s basement don’t count
16. Rotating passwords regularly for no good reason is counterproductive and the less secure option
17. 99% of vulnerabilities don’t matter, spend your time identifying the ones that could hurt you and address those first
18. Vulnerability scanning doesn’t show the whole picture, pentesting is a must
19. Hunting for misconfigurations yourself is a necessary part of good systems engineering
20. The cloud is not more or less secure than on-prem, it’s your strategy that matters most
21. Service accounts should be treated like radioactive material, tightly scoped and constantly monitored
22. Under no circumstances should the built in admin account be a service account
23. Domain admins should not be service accounts either
24. Active Directory permissions drift over time, assume yours already has
25. If you can’t explain why something needs admin rights, it shouldn’t
26. If you can’t explain why someone needs admin rights, they shouldn’t
27. Separate admin work from daily work, identity debt is real
28. Don’t reuse local admin passwords, LAPS is easy, use it
29. Security tools don’t replace good engineering, they amplify it
30. If fixing it later is the plan, it’s not a plan
31. Boring but consistent security beats clever hacks every time
32. If you don’t know if you have misconfigured ADCS, you probably do
33. After every change in ADCS, run Invoke-Locksmith
34. After every delegation change in AD run Invoke-ADeleginator
35. Use AppLocker Inspector to audit your AppLocker policies.
🏷️Bookmark this so you can come back to it later.
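An added example, not part of the list above or any tool it names: a PowerShell report that turns items 3, 21 to 23, 25 and 26 into something you can run on a schedule. It walks the privileged groups recursively (nested membership is where drift hides), flags the built-in Administrator (RID 500), flags user accounts carrying an SPN (the usual service-account marker), and flags stale or never-expiring passwords. It assumes the RSAT ActiveDirectory module and a domain-joined account with read access; group names and the 90-day threshold are assumptions you can change.

```powershell
# Added example: audit privileged AD groups for service-account patterns and the
# built-in Administrator. Assumes the ActiveDirectory RSAT module is installed.
Import-Module ActiveDirectory

function Get-PrivilegedAccountReport {
    param(
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Administrators'),
        [int]$StaleDays = 90   # assumed threshold for "no recent logon"
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($group in $Groups) {
        # -Recursive expands nested groups, which is where permission drift accumulates
        $members = Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.distinguishedName `
                -Properties ServicePrincipalName, PasswordLastSet, LastLogonDate, PasswordNeverExpires, Enabled
            $flags = @()
            # RID 500 is the built-in Administrator account (item 22)
            if ($u.SID.Value -match '-500$') { $flags += 'BuiltInAdmin' }
            # An SPN on a user object is the classic sign it is really a service account (items 21, 23)
            if ($u.ServicePrincipalName.Count -gt 0) { $flags += 'HasSPN' }
            if ($u.PasswordNeverExpires) { $flags += 'PasswordNeverExpires' }
            if ($u.LastLogonDate -and $u.LastLogonDate -lt $cutoff) { $flags += "NoLogon${StaleDays}d" }
            if (-not $u.Enabled) { $flags += 'Disabled' }
            [pscustomobject]@{
                Group           = $group
                SamAccountName  = $u.SamAccountName
                Flags           = ($flags -join ',')
                PasswordLastSet = $u.PasswordLastSet
                LastLogonDate   = $u.LastLogonDate
            }
        }
    }
}

# Usage: every row with a non-empty Flags column needs a written justification (items 25 and 26)
Get-PrivilegedAccountReport | Sort-Object Group, SamAccountName | Format-Table -AutoSize
```

Run it from a workstation that is already separated from daily-driver use (item 27) and diff the output against last week's; new rows with no ticket behind them are the drift item 26 warns about.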
Nova Nation, it’s time to choose the Official Fan T-shirt for the 2026-27 season! ✌️
The design with the most votes will go into production and be available for sale this Fall!
🗳️ Vote today: https://t.co/ELeu2JSNn4
Cloudflare's security team spent the last few weeks testing Anthropic's Mythos against fifty of our own repositories. What we learned about offensive AI, why faster patching is the wrong reaction, and what the architecture around vulnerabilities has to look like next. https://t.co/RSrRtIhgaV
Two questions I get all the time:
"What educational AI tools would you recommend for my kid?" "What adaptive apps does Alpha use?"
Many of the apps we've built ourselves aren't publicly accessible yet. Here are ten third-party ones I do recommend.
@merill Congratulations and best wishes Merill!
Huge loss for Microsoft, but excited to continue to see and learn from all that you'll be doing as a solopreneur.
‼️🚨 One of the world's largest Certificate Authorities, DigiCert, was compromised by a malicious screensaver file sent through a customer support chat. Their antivirus blocked the malware four times. The agent kept clicking. The fifth try got through.
27 code signing certificates were stolen and used to sign malware.
DigiCert ultimately revoked 60 certificates.
Per DigiCert's incident report, filed in Mozilla's CA compliance tracker as Bug 2033170, here is how it unfolded:
April 2: an attacker contacted a DigiCert helpdesk agent through the company's customer support chat channel, posing as a customer. The lure was a zip file pitched as a screenshot. Inside the zip was a .scr file. On Windows, .scr files are executables, and this one carried a malicious payload.
Opening a file a customer sent through the official support channel is what an agent is supposed to do. Support staff are the one role designed to accept files from strangers.
DigiCert's endpoint security blocked four infection attempts. On the fifth, the support analyst's machine was infected.
DigiCert detected the infection, ran an investigation, and concluded the incident was contained.
Eleven days later, an external researcher tipped DigiCert off about misuse of DigiCert-issued code signing certificates in the wild. That tip led to the discovery of a second compromised machine, belonging to a different support analyst, infected through the same vector. The EDR on that machine had not been functioning correctly, so the original investigation missed it.
The second machine gave the attacker access to DigiCert's internal support portal. That portal lets support staff reach limited views of customer accounts, including initialization codes for ordered but not-yet-issued code signing certificates. Combining a stolen initialization code with an approved order let the attacker pull a real, validly issued code signing certificate. They did this 27 times.
DigiCert's own list of what went wrong:
- File-type filtering on the customer support chat channel did not catch the .scr
- EDR coverage was inconsistent and incomplete, creating a blind spot
- Initialization codes for code signing certificates were not adequately protected
DigiCert says it got lucky. An outside researcher found the malware abuse before DigiCert did. Without that tip, the second machine and the active certificate theft might still be running today.
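An added example, not from the thread or from DigiCert: a screening function for a support-chat attachment gateway, written against the first lesson listed above (file-type filtering that did not catch a .scr arriving inside a zip). It rejects executable extensions by name, checks the PE magic bytes so a renamed executable does not slip past the extension list, and opens zip archives to apply both checks to each entry. It assumes attachments are written to a quarantine path before an agent can see them; the extension list and the quarantine path are assumptions.

```powershell
# Added example: screen a support-chat attachment before it reaches an agent.
# Assumes the file has been staged in a quarantine directory the agent cannot browse.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Extensions Windows runs on double-click; .scr (screensaver) is an ordinary PE executable
$script:BlockedExtensions = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.ps1',
                              '.vbs', '.js', '.jse', '.wsf', '.hta', '.msi', '.dll', '.cpl', '.lnk')

function Test-BlockedName {
    param([string]$Name)
    $ext = [System.IO.Path]::GetExtension($Name).ToLowerInvariant()
    return ($script:BlockedExtensions -contains $ext)
}

function Test-PEHeader {
    # Renaming payload.scr to screenshot.png defeats an extension check; the 'MZ' magic does not change
    param([byte[]]$Bytes)
    return ($Bytes.Length -ge 2 -and $Bytes[0] -eq 0x4D -and $Bytes[1] -eq 0x5A)
}

function Test-SupportAttachment {
    param([Parameter(Mandatory)][string]$Path)
    $reasons = @()
    $name = [System.IO.Path]::GetFileName($Path)
    if (Test-BlockedName $name) { $reasons += "blocked extension: $name" }

    $head = New-Object byte[] 2
    $fs = [System.IO.File]::OpenRead($Path)
    try { [void]$fs.Read($head, 0, 2) } finally { $fs.Dispose() }
    if (Test-PEHeader $head) { $reasons += "PE executable header in $name" }

    # Look inside archives: the lure in the report was a zip pitched as a screenshot, carrying a .scr
    if ([System.IO.Path]::GetExtension($Path).ToLowerInvariant() -eq '.zip') {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try {
            foreach ($entry in $zip.Entries) {
                if (Test-BlockedName $entry.Name) { $reasons += "blocked extension inside archive: $($entry.FullName)" }
                try {
                    $s = $entry.Open()
                    try {
                        $eh = New-Object byte[] 2
                        $n = $s.Read($eh, 0, 2)
                        if ($n -eq 2 -and (Test-PEHeader $eh)) { $reasons += "PE executable inside archive: $($entry.FullName)" }
                    } finally { $s.Dispose() }
                } catch {
                    # Encrypted or malformed entries cannot be inspected, so they fail closed
                    $reasons += "unreadable archive entry (encrypted?): $($entry.FullName)"
                }
            }
        } finally { $zip.Dispose() }
    }

    [pscustomobject]@{ File = $name; Allowed = ($reasons.Count -eq 0); Reasons = $reasons }
}

# Usage: gate delivery on Allowed and log Reasons to the SIEM either way
# Test-SupportAttachment -Path 'C:\Quarantine\screenshot.zip'
```

The design choice is to fail closed on anything the gateway cannot read rather than pass it through with a warning; the fifth click in the incident above is the reason a warning is not enough. Nested archives and other container formats would need the same treatment recursively.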
Launching https://t.co/Z3gUh4OCOA
Look up any OAuth app ID and find out what it actually is across thousands of legitimate, risky, and malicious apps (Entra, Google, GitHub).
Multiple feeds, API, detection ideas and remediation guidance. Still improving the detections a bit 🦾
Introducing Project Swarm: a research initiative to defend the network edge and we're inviting you to join. Deploy a sensor on your infrastructure, capture real attacker traffic + compare what's hitting you to the GreyNoise global baseline. Join today! 🐝