We're getting into "silly season" at the end of the year. With that in mind, I've thought about the things I did in 2022 that I found most interesting, helpful, or potentially impactful.
First, there's the paper on #CTI-driven #ThreatHunting I wrote and presented on at several events:
https://www.gigamon.com/content/dam/resource-library/english/white-paper/wp-intelligence-driven-threat-hunting-methodology.pdf
Then, there was my @VirusBulletin paper on the #XENOTIME actor responsible for the #Triton event, which I thought was neat as a deep-dive into organizational relationships that get masked in our tracking a single "adversary":
https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Zeroing-in-on-XENOTIME-analysis-of-the-entities-responsible-for-the-Triton-event.pdf
On a personal front, I wrote up some preliminary analysis on the #Industroyer2 attempted (?) #ICS #OT incident as part of the conflict in #Ukraine - and there are still some items raised there for which we don't have answers several months after the incident was discovered:
https://pylos.co/2022/04/23/industroyer2-in-perspective/
Finally, I wrote a blog for my employer diving into the idea of the #FalsePositive in #DetectionEngineering and #SecurityMonitoring that I think is helpful for analysts from #IR to the #SOC:
https://blog.gigamon.com/2022/08/05/revisiting-the-idea-of-the-false-positive/
I need to think this over a bit, but look for something covering the most insightful work of others, from my perspective, from the past year!
#cti #threathunting #xenotime #triton #industroyer2 #ics #ot #ukraine #falsepositive #detectionengineering #SecurityMonitoring #ir #soc
For the past 2-3 years I've tried to do two long-form research projects each year: one focused on practical #infosec methodologies, the other on #threatresearch #APT activity.
Last year, I did a paper on #CTI-driven #threathunting, and another on the #XENOTIME/#Triton entity. That was cool.
Right now, 2023 is looking like:
1. Intelligence-driven approaches to #DetectionEngineering and alerting
2. State-sponsored activity leveraging #ransomware or similar for disruptive #cyber operations
This is subject to change, but this looks like what I'll be diving into right now.
#infosec #threatresearch #apt #cti #threathunting #xenotime #detectionengineering #ransomware #cyber
The #OT #ICS threat environment is interesting as, aside from ransomware shit, the threats are latent, dormant, or in development. The evolution of #berserkbear, identification of #INCONTROLLER / #PIPEDREAM, continued #XENOTIME activity, identification of #PRC test labs for cyber physical capabilities... All indicate an environment under rapid development, but with fewer actual public examples than fingers on your hand. Circumstances make risk assessment (and cost forecasting) exceptionally difficult for asset owners... But the adversaries are out there, and as shown in #Industroyer2, they are learning. Claiming adversaries will never figure out a cyber physical attack and that the future threat landscape is over hyped seems unhelpful, or motivated by feelings less than altruistic.
#ot #ics #berserkbear #incontroller #pipedream #xenotime #prc #industroyer2
🎙️ New episode of the Aperture podcast out now! Joe Slowik joins host @mike_mimoso to talk about #TRITON malware and #XENOTIME. Listen here: https://claroty.com/resources/podcasts/aperture-podcast-joe-slowik-on-xenotime-entity-behind-the-triton-attack