We're getting into "silly season" at the end of the year. With that in mind, I've thought about the things I did in 2022 that I found most interesting, helpful, or potentially impactful.
First, there's the paper on #CTI-driven #ThreatHunting I wrote and presented on at several events:
https://www.gigamon.com/content/dam/resource-library/english/white-paper/wp-intelligence-driven-threat-hunting-methodology.pdf
Then, there was my @VirusBulletin paper on the #XENOTIME actor responsible for the #Triton event, which I thought was neat as a deep-dive into organizational relationships that get masked in our tracking a single "adversary:"
https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Zeroing-in-on-XENOTIME-analysis-of-the-entities-responsible-for-the-Triton-event.pdf
On a personal front, I wrote up some preliminary analysis on the #Industroyer2 attempted (?) #ICS #OT incident as part of the conflict in #Ukraine - and there are still some items raised there for which we don't have answers several months after the incident was discovered:
https://pylos.co/2022/04/23/industroyer2-in-perspective/
Finally, I wrote a blog for my employer diving into the idea of the #FalsePositive in #DetectionEngineering and #SecurityMonitoring that I think is helpful for analysts from #IR to the #SOC
https://blog.gigamon.com/2022/08/05/revisiting-the-idea-of-the-false-positive/
I need to think this over a bit, but look for something covering the most insightful work of others, from my perspective, from the past year!
#cti #threathunting #xenotime #triton #industroyer2 #ics #ot #ukraine #falsepositive #detectionengineering #SecurityMonitoring #ir #soc
@kimzetter I'm honestly not sure? If that malware was designed to impact critical civilian infrastructure (e.g., #Industroyer2), I'd say mitigating or defeating that represents a defensible, appropriate action given the targeting and intent. Yes, a bit more "active" than providing food or fuel, but arguably even more defensible given the impact of the action.
Overall, my position is placing as much burden on RU as possible to justify or prove the legality of its actions through a 10+ year invasion of a neighboring sovereign state.
There are similarities with previous attacks conducted by #Sandworm: a PowerShell script used to distribute the .NET ransomware from the domain controller is almost identical to the one seen last April during the #Industroyer2 attacks against the energy sector. 4/9
The #OT #ICS threat environment is interesting as, aside from ransomware shit, the threats are latent, dormant, or in development. The evolution of #berserkbear, identification of #INCONTROLLER / #PIPEDREAM, continued #XENOTIME activity, identification of #PRC test labs for cyber-physical capabilities... All indicate an environment under rapid development, but with fewer actual public examples than fingers on your hand. Circumstances make risk assessment (and cost forecasting) exceptionally difficult for asset owners... But the adversaries are out there, and as shown in #Industroyer2, they are learning. Claiming adversaries will never figure out a cyber-physical attack and that the future threat landscape is overhyped seems unhelpful, or motivated by feelings less than altruistic.
#ot #ics #berserkbear #incontroller #pipedream #xenotime #prc #industroyer2