Top Tweets for #timecentricsecurity
#timecentricsecurity at the campaign/operations level (between strategy and tactics).
TTR = time to ransomware #timecentricsecurity
Quantum Ransomware
➡️TTR: 3h 48 minutes
➡️Initial Access: IcedID ISO
➡️Persistence: Scheduled Tasks
➡️Discovery: WMIC, net, nltest, AdFind, etc.
➡️C2: Cobalt Strike
➡️Lateral Movement: PsExec, WMI, RDP
➡️Impact: Domain wide ransomware
https://t.co/Py3FqlElJx
"One of the reasons the life cycle of these attacks has been so heavily reduced is because FIN12 campaigns don't focus on finding sensitive data and stealing it before triggering a ransomware attack." CC @mandiant #timecentricsecurity
I like dwell time, but we really need a more specific metric like “time from initial access to domain admin.” That way it’s equivalent whether the adversary plans for long term quiet access or more public ransomware actions. Such metrics exist in some #timecentricsecurity shops.
Did anyone see when the RU intruders first gained access to the UA target? ESET says deployment at 14:58, but was RU there earlier? If not, that's only 72 mins to detect and respond, as it hit at 16:10. <1 hr dwell time still the goal for #securityonepercent. #timecentricsecurity

#BREAKING #ESETresearch helped analyze a #Sandworm campaign against an energy company in #Ukraine 🇺🇦 using #CaddyWiper and a new version of the infamous #Industroyer malware. #WarInUkraine https://t.co/QRR5M6etfS 1/5
This is another data point for #timecentricsecurity. A detection and response strategy only succeeds if you have the personnel, processes, authority, and data to detect and respond before the adversary completes their mission. Here the dwell time appears to be in hours or less.
These chats reveal the remarkable fact that Conti has the resources - dozens of employees - to be able to pivot from a single opportunistically infected PC to a ransomware attack in a 9-5 workday, if they really want to. Shows the enormous pressure put on incident response teams
More real-life #timecentricsecurity from @TheDFIRReport. Here the Time To Ransomware (TTR) was 42 hours. If your defenders can detect and respond in time, you win. Time to Domain Admin was about 11 hours though? Double check my math.
Exchange Exploit Leads to Domain Wide Ransomware
TTR: 42 Hours
Initial Access: Exchange Exploited (ProxyShell)
Discovery: ipconfig, nslookup, ping, KPortScan, etc.
Execution: Fast Reverse Proxy & Plink
Lateral Movement: RDP
Impact: Data Encryption
https://t.co/adxHmp4P7K
92 mins from initial access via phishing and exploitation of MS Word to "final lateral movement" to reach file server. #timecentricsecurity
Does your defensive team detect and respond fast enough to contain the adversary before they accomplish their mission? How do you know?
From Zero to Domain Admin
➡️Initial Access: Maldoc deploys Hancitor
➡️C2: #CobaltStrike & #Hancitor
➡️Discovery: net, nltest, check.exe, AD module, scan for backup systems
➡️Privilege Escalation: Zerologon CVE-2020-1472
https://t.co/gtiUAi9EQN
Even if an adversary gains a foothold in your organization (compromise), the security team "wins" if they stop him from accomplishing his mission (breach). That is one way to define a win in security. Also, threats rarely ever "move at the speed of light." #timecentricsecurity
BazarLoader to Conti Ransomware in 32 Hours
➡️Initial Access: BazarLoader
➡️Discovery: Nltest, Net, AD PS module, Get-DataInfo.ps1, Ping
➡️C2: #CobaltStrike & #BazarLoader
➡️Exfiltration: WinSCP
➡️Impact: Conti ransomware
https://t.co/9hsqUCA5TT

I'm listening to @_johnhammond from @HuntressLabs discuss a timeline for Ryuk ransomware. Deployment took 3 1/2 hours. As a fan of #timecentricsecurity metrics I cropped a few slides and shared them. Note #PESTs. Full sides: https://t.co/pooqC5UhqS

I'm pleased to see these elements too -- thanks @DAlperovitch for your advocacy, and for noting the relevant bill details! In addition to #timecentricsecurity I've also testified for a central federal government hunt campaign, stressing compromise assessment over vuln/pen tests.
The NDAA bill passed last night contains a lot of great recommendations from @CyberSolarium thanks to the amazing leadership of @chairmang and @SenAngusKing but there are 2 very important ones that I specifically want to highlight that haven't yet gotten much attention 1/4
Some can still use a #timecentricsecurity strategy vs fast #ransomware groups. @mandiant says UNC1878 has a median time to #ryuk of 5 days 17 hrs, with fastest seen 2 days 6 hrs. Similar metric for other RW is 72 days 12 hrs. Still, only the 1% can detect & respond fast enough.

"Phishing campaigns, from first to last victim, take 21 hrs on avg. Most phishing victims suffer a fraudulent transaction ~5 days after getting phished. Victim creds end up in public dumps or criminal portals ~7 days after the user visited the phishing page." #timecentricsecurity

"Going by the timestamps, we can guess the time period of 2 weeks for dwell time from TrickBot -> Pivot and Profile -> Ryuk." #timecentricsecurity
⚡️ New #SentinelLabs discovery! #Trickbot operators utilized #PowerTrick & Cobalt Strike to deploy #Anchor #backdoor and #RYUK #ransomware
We review the #cobaltstrike portion of the server and how the actors were leveraging it
https://t.co/nCZCmDBTxB
By Joshua Platt & @sysopfb

#timecentricsecurity A six month “response” seems excessive, if you believe defenders were setting the tempo. It’s more likely as @campuscodi notes that the defenders had trouble trying to remove the intruders. That has very often been the case when intruders seek to hold ground.
Austrian Telecoms Operator Played Six-Month Game of Cat-and-Mouse With Hacker
https://t.co/mNbAvRulqT
We remember the blog with insider infos:
https://t.co/clxIal4J1a

“These attacks typically took less than a week from initial access via the cloud to obtaining ‘unhampered access and full domain compromise.’ This access then allowed the attackers to stay on the network for long periods of time, sometimes for months.” #timecentricsecurity
“Microsoft details how sophisticated attacks can move quickly from a small breach to a big problem.” https://t.co/FaG1jaZx77
"Snatch Team was able to go from brute forcing a Domain Administrator (DA) account via RDP, to running a Meterpreter reverse shell and a RDP proxy via Tor on a Domain Controller (DC), to encrypting all Domain joined systems in under 5 hours." #timecentricsecurity
Another RDP brute force ransomware strikes again, this time, Snatch Team!
-Lateral movement via RDP
-C2 via Meterpreter/RDP Proxy via Tor
-Persistence via Scheduled Tasks
-Domain ransomed in less than 5 hours
#infosec #malware @MISPProject
https://t.co/SVaPiiGwkG

Great #timebasedsecurity #timecentricsecurity #securitymetrics in this post by @mandiant @fireeye. Many examples of exploitation prior to and after vuln info and patch disclosure. "POC code likely hastens exploitation attempts for vulns that do not require user interaction."
Did you know that 42% of vulnerabilities were exploited within 1 month after a patch was issued?
Learn more in our 2nd of 4 blog posts on cyber #threatintel enabling vulnerability management: https://t.co/9Sf76Ou9dA

WOW! “imagine a world in which we require regulated companies or critical infrastructure to collect 1:10:60 data or something similar,” Gallagher said. #timecentricsecurity! Sadly, hardly anyone does it, and most that do can’t hit 1:10:60. Ref @CrowdStrike https://t.co/YEIeLKgjLo
Congress' Cyberspace Solarium Commission is toying with the idea of new cyber intrusion reporting requirements for the private sector. Preview @chairmang/@SenAngusKing's thinking on what may be in final report, expected this spring, w @CyberScoopNews https://t.co/nfg6xVHJbH
Last Seen Hashtags on Sotwe
Most Popular Users

Elon Musk 
@elonmusk
240.7M followers

Barack Obama 
@barackobama
119.2M followers

Donald J. Trump 
@realdonaldtrump
111.7M followers

Cristiano Ronaldo 
@cristiano
110.9M followers

Narendra Modi 
@narendramodi
107M followers

Rihanna 
@rihanna
97.7M followers

NASA 
@nasa
92.2M followers

Justin Bieber 
@justinbieber
91M followers

KATY PERRY 
@katyperry
87.8M followers

Taylor Swift 
@taylorswift13
81.7M followers

Lady Gaga 
@ladygaga
73.2M followers

Virat Kohli 
@imvkohli
70.2M followers

Kim Kardashian 
@kimkardashian
69.9M followers

YouTube 
@youtube
68.7M followers

Bill Gates 
@billgates
64M followers

Neymar Jr 
@neymarjr
62.9M followers

The Ellen Show
@theellenshow
62.4M followers

CNN 
@cnn
61.9M followers

Selena Gomez 
@selenagomez
60.9M followers

X 
@x
60.8M followers




















