Field CISO - Threat Intelligence @ Sophos

I do research into all things infosec and then talk about it to whoever wants to hear about it.

Twitter: @john_shier
@johnleonard Is there a correlation between the 50% who don't believe it's a bubble and those who've made significant investments in AI?

@thomasareed Science Based Medicine had a good article about this nonsense a couple of weeks ago: https://sciencebasedmedicine.org/tylenol-and-autism/

You can also hear Dr. Novella talking about it on the SGU podcast ep. 1053.

Tylenol and Autism

Earlier this year, HHS secretary RFK Jr. predicted that, "By September, we will know what has caused the autism epidemic and we'll be able to eliminate those exposures." Scientists have been researc

Science-Based Medicine

No, I do not want to install your app.

No, I do not want that app to run on startup.

No, I do not want that app shortcut on my desktop.

No, I do not want to subscribe to your newsletter.

No, I do not want your site to send me notifications.

No, I do not want to tell you about my recent experience.

No, I do not want to sign up for an account.

No, I do not want to sign up using a different service and let the two of you know about each other.

No, I do not want to sign in for a more personalized experience.

No, I do not want to allow you to read my contacts.

No, I do not want you to scan my content.

No, I do not want you to track me.

No, I do not want to click "Later" or "Not now" when what I mean is NO.

At this rate MAGA will only be able to afford to rent the libs.

@TindrasGrove @adamshostack @SophosXOps Yes, but we try to identify the most granular method used given the evidence that's available to the responders. Since these are root causes, the most specific one gets listed. Think of it as compromised creds via phishing or via brute force.

Sometimes, all we know is the attacker used valid creds, by successfully logging into a VPN, but we don't know where the creds came from, so that's all we can say.

Today we released the 2025 Sophos Active Adversary Report (AAR), looking at data from 413 incident-response cases handled by our X-Ops MDR and IR teams in 2024. This edition of the report has a number of interesting findings, a vastly expanded dataset, and -- in honor of our fifth anniversary -- a gift for the curious. /1

https://news.sophos.com/en-us/2025/04/02/it-takes-two-the-2025-sophos-active-adversary-report/

It takes two: The 2025 Sophos Active Adversary Report

The dawn of our fifth year deepens our understanding of the enemies at the gate, and some tensions inside it; plus, an anniversary gift from us to you

Sophos News

The 2025 Sophos Active Adversary Report is out.

I thread these every year as, personally, I think yearly IR and MDR reports are the best source of data for defenders on _real world_ threats.

https://news.sophos.com/en-us/2025/04/02/2025-sophos-active-adversary-report/

Key takeaways for me:

- Despite what you read from scare vendors, ransomware dwell time (initial access to deployment) is still measured in days.

It is not hopeless and by active monitoring you *can* stop attackers.

@earthshine @GossiTheDog It's often abused to create multipart archives for easier exfiltration. If the org doesn't need to use WinRAR, in favour of built-in archiving tools, you might as well block whatever you can. Reduces the attack surface.

@nopatience @argv_minus_one @GossiTheDog Agreed. There are very robust defensive controls that exist before you get to smart cards.

Over half of the orgs in the dataset are under 250 users. They don't have the time, money, or the expertise to deal with smart cards.

@RaulV @GossiTheDog This is mostly due to how data gets collected. We often don't get the opportunity to see all the logs (or sometimes any of them) for all the systems involved. So, the best we can say is compromised credentials. Attacker walks in the front door with a valid u/p. It's important to stick with what you can prove.

Another aspect to this is IABs and infostealers. The creds could have been stolen ages ago but get abused months later. We have seen those cases and we do attribute them to phishing when we can. But again, missing logs (47%) are a problem. For example, log retention is the #3 reason for missing logs in this dataset.

Your shock is not misplaced. I think the real percentage is a lot higher, but again, we're constrained by the data available to our responders.