helvede.net is one of the many independent Mastodon servers you can use to participate in the fediverse.
#intrusiondetection

Andrew 🌻 Brandt 🐇<p>For those who don't know (which is most of you), this project has been the intense focus of my work, taking up a huge amount of my time, energy, and investigative effort for the past 14 months - while still helping others at Sophos publish their research; running an election campaign where I was a candidate for school board; speaking at Blue Hat, Defcon, Saintcon, Virus Bulletin and other conferences; guest lecturing to classes at CU Boulder; volunteering my time canvassing for political candidates; serving as a docent at the Media Archaeology Lab; and starting up the Elect More Hackers organization.</p><p>Whew. It's actually kind of daunting just to read that. I also sometimes sleep and eat.</p><p><span class="h-card" translate="no"><a href="https://infosec.exchange/@SophosXOps" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>SophosXOps</span></a></span> has been, at its core, an institution that values radical transparency, and this story (and the earlier research investigations into the Operation Pacific Rim threat actors and incidents) demonstrates Sophos' commitment to truth and journalistic integrity, following a story wherever it leads.</p><p>I hope our publication today starts a larger conversation and collaboration within the cybersecurity industry - inside and outside the Cyber Threat Alliance, which Sophos actively supports and where I am proud to represent my employer - to work together to thwart the ambitions of nation-state threat actors such as the perpetrators of Operation Pacific Rim, in order to protect the privacy and safety of everyone, everywhere.</p><p><a href="https://infosec.exchange/tags/PacificRim" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PacificRim</span></a> <a href="https://infosec.exchange/tags/OperationPacificRim" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OperationPacificRim</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/china" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>china</span></a> <a href="https://infosec.exchange/tags/hacking" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hacking</span></a> <a href="https://infosec.exchange/tags/hacks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hacks</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/firewalls" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>firewalls</span></a> <a href="https://infosec.exchange/tags/intrusiondetection" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>intrusiondetection</span></a></p><p><a href="https://www.sophos.com/en-us/content/pacific-rim" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">sophos.com/en-us/content/pacif</span><span class="invisible">ic-rim</span></a></p>
Tinker ☀️<p>There is something so satisfying in kicking off an entire RFC1918 scan.</p><p>Doing a single port at a brisk but safe (for my environment) pace.</p><p>~/# nmap -Pn -n -p &lt;single port number&gt; -T4 --open 10.0.0.0/8</p><p>~/# nmap -Pn -n -p &lt;single port number&gt; -T4 --open 172.16.0.0/12</p><p>~/# nmap -Pn -n -p &lt;single port number&gt; -T4 --open 192.168.0.0/16</p><p>(Command broken out for dramatic effect. Also note that I break out each of those CIDRs into /24s so that if anything breaks, I can pick up more easily where the last known good one ended. It's scripted and I prefer it this way.)</p><p>I am not doing a ping sweep or a DNS resolution. I'm assuming all hosts are up. And I'm looking for every host with a single port open. So even if they don't respond to pings (or something is preventing pings), I should get an answer back.</p><p>Note, I could certainly go faster (T5 or masscan, gawd), but this is about as fast as I'm going to go in my environment and still be safe.</p><p>Also, only looking for open ports right now, no fingerprinting yet.</p><p>A cool thing about this approach is that many intrusion detection systems still only look for multiple ports on a single host to trigger an alert. Some still ignore many-hosts / single-port scans (to their detriment).</p><p>We've long since purple teamed this, so I sent a notification to the SOC letting them know my actions and asking them nicely (I bribed them last week) not to stop me, lol.</p><p>Should take a couple weeks to a month at this pace and in my environment to hit every single one of the just shy of 18,000,000 hosts 😂</p><p><a href="https://infosec.exchange/tags/pentesting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>pentesting</span></a> <a href="https://infosec.exchange/tags/hacking" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hacking</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/penetrationtesting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>penetrationtesting</span></a> <a href="https://infosec.exchange/tags/blueteam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>blueteam</span></a> <a href="https://infosec.exchange/tags/redteam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>redteam</span></a> <a href="https://infosec.exchange/tags/intrusionDetection" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>intrusionDetection</span></a></p>
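<p>The post above describes a scripted, resumable sweep: the three RFC1918 ranges broken into /24s, one port per pass, no ping or DNS, and a checkpoint so a broken run can pick up at the last known good block. The script below is an added example written for this page, not Tinker's own script. It assumes nmap is on the PATH, picks TCP 445 as a placeholder port (set PORT to whatever you are hunting), and keeps the checkpoint in ./sweep.last and the greppable nmap output in ./sweep-out/. The NMAP variable exists so the orchestration can be dry-run with a stand-in command.</p>

```shell
#!/bin/sh
# Resumable single-port sweep of all RFC1918 space, one /24 at a time.
# Added example for this page, not the original poster's script.
# Assumptions: nmap installed; PORT, CHECKPOINT, OUTDIR, NMAP may be overridden.

PORT="${PORT:-445}"                   # placeholder port; set to the port you want
CHECKPOINT="${CHECKPOINT:-./sweep.last}"   # last /24 that completed successfully
OUTDIR="${OUTDIR:-./sweep-out}"       # one -oG file per /24
NMAP="${NMAP:-nmap}"                  # e.g. NMAP=echo for a dry run

# Print every /24 under first octet $1 with second octet from $2 to $3.
list_24s() {
  a=$1; b=$2; bend=$3
  while [ "$b" -le "$bend" ]; do
    c=0
    while [ "$c" -le 255 ]; do
      echo "$a.$b.$c.0/24"
      c=$((c + 1))
    done
    b=$((b + 1))
  done
}

# All RFC1918 /24s in order: 10/8, 172.16/12, 192.168/16
# (65536 + 4096 + 256 = 69888 blocks, 17,891,328 addresses).
rfc1918_24s() {
  list_24s 10 0 255
  list_24s 172 16 31
  list_24s 192 168 168
}

# Read /24s on stdin, skip everything up to and including the checkpoint,
# scan the rest one block at a time, and advance the checkpoint only after
# nmap exits cleanly. Same flags as the post: no ping (-Pn), no DNS (-n),
# one port, -T4, open ports only. Stops on the first nmap failure so the
# checkpoint still points at the last good block.
sweep() {
  mkdir -p "$OUTDIR"
  last=""
  [ -f "$CHECKPOINT" ] && last=$(cat "$CHECKPOINT")
  skipping=0
  [ -n "$last" ] && skipping=1
  while read -r net; do
    if [ "$skipping" -eq 1 ]; then
      # Caveat: a checkpoint that is not in the input list skips everything.
      [ "$net" = "$last" ] && skipping=0
      continue
    fi
    out="$OUTDIR/${net%/24}_24.gnmap"
    "$NMAP" -Pn -n -p "$PORT" -T4 --open -oG "$out" "$net" >/dev/null || exit 1
    echo "$net" > "$CHECKPOINT"
  done
}

# Run only when explicitly asked, so the functions can be sourced for reuse.
if [ "${SWEEP_RUN:-0}" = "1" ]; then
  rfc1918_24s | sweep
fi
```

<p>Usage: SWEEP_RUN=1 PORT=445 sh sweep.sh. Rerunning the same command after an interruption resumes at the block after the one named in ./sweep.last; delete that file to start over. The per-/24 -oG files are what you grep for "open" when the sweep finishes.</p>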