Jason Craig

full spectrum middle manager @ UmVtaXRseQ== .ex red team, blue team @ Pinterest, Dropbox , Facebook, Yahoo!, etc⚡️⚔️🛡🗝🤫

2023-08-30

@riskybusiness Okta is lacking many controls that MS has as an IDP/SSO, independent of the apps question.

I look forward to the snake oilers episode!

2023-08-30

@riskybusiness you should redo today’s conversation with Ryan Kalember but talk about Okta instead of MS.

2023-07-27

@alex I mean he does have a good staff for these topics.

2023-07-19

@ckure :thumbsup_claw:

i'm not sure i'd like to live forever hence all my retirement planning models assume i die at some future date.

2023-07-19

@sherrod_im what are the assumptions in that model?

2023-07-19

Lunchtime threat hunt: map recent MS/Storm-0558 detections to Google Workspace/GMail. Summary: fail.

CISA noted that a US gov entity detected the incident via analysis of the `MailItemsAccessed` event type: "In Mid-June 2023, an FCEB agency observed MailItemsAccessed events with an unexpected ClientAppID and AppID in M365 Audit Logs." This event type was only available via more expensive E5 logging (which many/most don't pay for). MS changed this today to make it available to more customers without paying extra, after pressure.

Maybe I'm missing something but I can't seem to find a Google Workspace equivalent event type in Security Center ( support.google.com/a/answer/11 , Enterprise Plus licensing). Does Google not log these types of events?

cisa.gov/news-events/cybersecu
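Added example, not part of the post above or of CISA's advisory: a small Python hunt that applies the signal the post quotes (MailItemsAccessed records with an unexpected ClientAppId/AppId) to constructed M365 audit records, baselining the app-id pairs seen in a trusted window and flagging later records that fall outside it. Field names are assumed to follow the M365 MailItemsAccessed schema; every value, including the app GUIDs, is made up.

```python
import json
from collections import Counter

# Constructed sample M365 Unified Audit Log records, one JSON object per line.
# Assumption: field names follow the MailItemsAccessed schema; all values,
# including the app GUIDs, are invented for this example.
SAMPLE_LOG = """\
{"CreationTime":"2023-06-12T09:14:02","Operation":"MailItemsAccessed","UserId":"alice@agency.example","ClientAppId":"aaaaaaaa-0000-0000-0000-000000000001","AppId":"aaaaaaaa-0000-0000-0000-000000000001","MailAccessType":"Sync","OperationCount":4}
{"CreationTime":"2023-06-12T09:20:41","Operation":"MailItemsAccessed","UserId":"bob@agency.example","ClientAppId":"aaaaaaaa-0000-0000-0000-000000000002","AppId":"aaaaaaaa-0000-0000-0000-000000000002","MailAccessType":"Bind","OperationCount":1}
{"CreationTime":"2023-06-14T03:02:17","Operation":"MailItemsAccessed","UserId":"alice@agency.example","ClientAppId":"eeeeeeee-0000-0000-0000-00000000dead","AppId":"eeeeeeee-0000-0000-0000-00000000dead","MailAccessType":"Bind","OperationCount":97}
{"CreationTime":"2023-06-14T03:05:00","Operation":"FileAccessed","UserId":"alice@agency.example","AppId":"aaaaaaaa-0000-0000-0000-000000000001"}
"""

def parse_records(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def baseline_app_ids(records, min_count=1):
    """Allowlist of (ClientAppId, AppId) pairs seen at least min_count times
    in a window you trust (the days before the suspected activity)."""
    counts = Counter(
        (r.get("ClientAppId", ""), r.get("AppId", ""))
        for r in records if r.get("Operation") == "MailItemsAccessed"
    )
    return {pair for pair, n in counts.items() if n >= min_count}

def hunt_unexpected_app_ids(records, allowlist):
    """Return MailItemsAccessed records whose app-id pair is not allowlisted."""
    alerts = []
    for r in records:
        if r.get("Operation") != "MailItemsAccessed":
            continue  # other operations are out of scope for this signal
        pair = (r.get("ClientAppId", ""), r.get("AppId", ""))  # "" if absent
        if pair in allowlist:
            continue
        alerts.append({
            "user": r.get("UserId"), "time": r.get("CreationTime"),
            "client_app_id": pair[0], "app_id": pair[1],
            "access_type": r.get("MailAccessType"),  # Bind = individual item reads
            "items": r.get("OperationCount", 0),
        })
    return alerts

def run_hunt(cutoff="2023-06-14"):
    """Baseline on records before the cutoff date, hunt over everything."""
    records = parse_records(SAMPLE_LOG)
    allowlist = baseline_app_ids([r for r in records if r["CreationTime"] < cutoff])
    return hunt_unexpected_app_ids(records, allowlist)

if __name__ == "__main__":
    for alert in run_hunt():
        print(alert)
```

In a real tenant the baseline would come from a longer window than a single day, and a large OperationCount on a Bind access from a new pair is the combination worth prioritising.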

2023-07-17

This technique of infecting common file types on target networks for reinfection is underappreciated by defenders and underutilized by adversaries. It’s why we prepared so thoroughly for migration of an Aurora victim to a clean network back in 2010.

Thrunting file mods by process other than the default URI handler is a great starting query, especially PowerShell.exe.

"Another interesting aspect of Gamaredon infections is that the threat actors plant as many as 120 malicious infected files per week on the compromised system to increase the likelihood of re-infection."

bleepingcomputer.com/news/secu?

2023-07-14

@schwascore security keys easily wins top spot for me. CrOS is second.

2023-07-14

@nf3xn 🔥🔥🔥🔥

2023-07-05

Q3 OKRs find you uninspired? Our infrastructure security team is looking for a senior enterprise / corpsec security engineer who's looking to make an impact and move the program forward. Great mission, team and company

grnh.se/a6ecc2251us

2023-07-03

@Viss truth.

2023-07-03

@Viss counter point: congrats to all the people working today who can get stuff done because so many people took vacation.

2023-06-01

@inickles @DEATHCon @insanitybit something something culture something something.

2023-03-08

In celebration of International Women’s Day I donated to Black Girls Hack. Please consider donating money or time to support a cause you believe is doing good.

2023-03-03

@Lee_Holmes One can hope this is nation state CNE / espionage and not some other class of threat actor with financial motives.

2023-03-03

Hot take on #BlackLotus & #UEFIBootKits : Due to the economics of payouts, it won't be widely used over time. Why? Victims will have to trash computers and replacement costs take away from ransom payouts. Attackers can get paid more without victims needing to trash PCs.

2023-03-02

@mikeymikey more of this!

Jason Craig boosted:
Volexity :verified:volexity@infosec.exchange
2023-03-01

We are excited to announce the return of @volexity Cyber Sessions! Our next #meetup will be May 10 @ 6:30PM. Come listen as @tlansec & @attrc share their talks on #threatintel, #dfir & #memoryforensics. Doors open at 6:30PM. There is limited seating so reserve your spot now! meetup.com/volexity-cyber-sess
