gabi ratti (@gabriratti)'s Twitter Profile

Cybersecurity | DFIR | CSIRT/SOC Specialist | IR Coordinator at Cybolt

ID: 256348914

23-02-2011 04:17:05

847 Tweets

477 Followers

156 Following

Matt Zorich (@reprise_99)

For people working in DFIR, have you found that in the age of ransomware your role, or your team's role, has expanded to DFIR-CR, for containment & recovery? It feels like the investigation now often happens at the same time as recovery work, and they are very distinct skill sets

vx-underground (@vxunderground)

DEFCON nerd drama. Disclaimer: The source of the following information is from various Reddit threads, Discord discussions, and Twitter conversations. We are unable to determine the validity of all of the information shared. Some information can be confirmed because there is

Antonio Sanz (@antoniosanzalc)

In a #ciberseguridad incident, incident response has to be efficient. If you have 5 people at 04:00am watching a sysadmin figure out how to connect to a server, you're doing it wrong #DFIR (1/n)

LaurieWired (@lauriewired)

Let's say you wanted coverage in your org for CVEs with at least a "High" or "Critical" CVSS score. The traditional strategy would have you remediating 58.1% of all CVEs. The same coverage under the EPSS model only needs you to remediate 7.3%!

Jake Williams (@malwarejake)

When your CISO wants to "automate the processes" to "accelerate SecOps" but your processes are immature and are just accelerating you towards a disaster...

Antonio Sanz (@antoniosanzalc)

It's been a while since I've seen a Cobalt Strike, an Empire, a Sliver or the like in a #ransomware incident. The bad guys arrive, deploy an RMM (Remote Monitoring & Management) tool such as AnyDesk or Atera, and do their thing with no fear of the EDR (because it's legit and the EDR doesn't gobble it up) (1/n)

Robert Graham (@erratarob)

Hi. Cybersecurity expert here. I'm tweeting this from a public Wi-Fi network without a VPN. I never use a VPN when using public Wi-Fi. VPN company security claims are (mostly) scams. They sponsor a lot of podcasts to promote their claims. #CyberSecurityAwarenessMonth

David J. Bianco (@davidjbianco)

I don't mean to be rude, but if you're out there talking about the Defender's Dilemma and how the #BlueTeam needs to be perfect everywhere and attackers only need to "get it right once", it just tells me that you don't know what you're talking about. #cybersecurity

Florian Roth ⚡️ (@cyb3rops)

VMware reports active exploitation of new ESXi zero-days - but only gives us a patch matrix 🙄 - How is it so hard to understand that if a zero-day is actively exploited, we need indicators and forensic guidance to hunt? - Otherwise, we’re just blindly patching already

Florian Roth ⚡️ (@cyb3rops)

I’ve trained many analysts over the years - inside my own teams, in SOCs, CERTs, and various internal security teams. And lately, I’ve been noticing a trend that deeply saddens me. There’s an increasing number of young professionals who struggle with the grind of our work. They

Diana Vargas (@divargas00)

*Get ready to be born again* In 2023 the Registro Civil ruled that the ELECTRONIC birth certificate is valid for one YEAR, and they try to justify it legally by claiming there could be 'continuous and constant modifications'

Florian Roth ⚡️ (@cyb3rops)

Justin Elze We don’t really hear that anymore because the landscape has changed. Back then, attackers were up against passive, unmonitored defenses like firewalls or AVs. If they failed, no one noticed - but if they got through once, it worked. That’s where the “only need to be right once”

Today In Infosec (@todayininfosec)

1989: Brian Fox introduced code into Bash, later released as version 1.03, which included the first of the Shellshock vulnerabilities publicly reported 9,169 days later. That's 25 years, 1 month, and 13 days of exploitability. Takeaway? You're always running exploitable code.

Het Mehta (@hetmehtaa)

Stop wasting time on CTF challenges. Learn Docker security, EDR evasion, network segmentation, SAML/OAuth flows, WAF configuration, and how to debug production incidents. You'll be 10x more hireable than someone who rooted 500 vulnerable VMs.