Toby Lewis
tobaslouis.co.uk
Global Head of Threat Analysis at @Darktrace.com

All things Cyber Security Ops, Threat Hunting, Threat Intel and Incident Mgmt.
#whoami

- Global Head of Threat Analysis at Darktrace:
Cyber Security, AI in Cyber Security, Threat Landscape

- Ex-NCSC & UK Government:
Current affairs, Geopolitics & Nat. Security

- Other things:
Diversity and Inclusivity, Compassionate Leadership, Social Mobility, Mentoring & Coaching
Details of the cyber attack at Harrods (as they are with Co-op & M&S) are still low and we shouldn’t rule out that the three incidents impacting the retailers are simply coincidence.

.... 1/2
Luxury store Harrods is latest retail victim of cyber attackers
Harrods has "restricted internet access" after an attempt to gain access to its systems left some customers struggling to pay for purchases, Sky News can reveal.
news.sky.com
May 1, 2025 at 6:12 PM
Why is @microsoft.com "Teams" plural, when "Word" is not?

Surely a singular Team feels more homely... maybe. Conversely, a singular "Word" feels like about as much effort as I put in my school coursework.
April 7, 2025 at 9:30 AM
Do phishing simulations on April Fools' Day still count?

🤷‍♂️
April 1, 2025 at 6:03 AM
Cooking top tip: quarter-pounders are not the same size as quarter-kilo’ers

#ImadeBigBurgers
March 3, 2025 at 7:13 PM
New blog post from @darktrace.com, looking at the detection of an Insider Threat in a SaaS application, with the customer supported by our amazing Analyst SOC
Bytesize Security: Insider Threats in Google Workspace | Darktrace Blog
Insider threats pose significant risks due to access to internal systems. Darktrace detected a former employee attempting to steal data from the customer’s Google Workspace platform. Learn about this ...
darktrace.com
January 29, 2025 at 12:41 PM
In my first Executive Order, I will be renaming France as "Cheese-land"

#GulfOfMexico
January 20, 2025 at 6:24 PM
A cautionary tale: not everything suspicious is malicious.

(although, I'd argue everything malicious was indeed suspicious at one point)
So, Is Someone Getting Fired, Or…?
Two weeks before Christmas, exactly that happened. It was pandemonium in security. Someone apparently tried really hard to break into our high-sec company by sending out a "gift certificate" to every ...
notalwaysright.com
January 16, 2025 at 10:37 AM
A new blog post from analysts at @darktrace.com:

The use of phishing kits as part of an AitM attack, increasing an attacker's ability and proficiency in stealing legitimate credentials.

... and then simply just logging on.
Detecting and mitigating adversary-in-the-middle phishing attacks with Darktrace Services | Darktrace Blog
Threat actors often use advanced phishing toolkits and Adversary-in-the-Middle (AitM) attacks in Business Email Compromise (BEC) campaigns. Discover how Darktrace detected and mitigated a sophisticate...
www.darktrace.com
January 10, 2025 at 12:11 PM
Ok Brain Trust: Prove me wrong.

There is no application of cyber attack, where the intended outcome can't be achieved by non-cyber means.
January 7, 2025 at 1:47 PM
One of my 2025 resolutions is to write more, including reinvigorating my cyber security focussed blog, which took a bit of a hiatus in the latter half of 2024.

I've got a few ideas lined up already, but what would you like to see me write about?
Common Sense Security | Toby Lewis | Substack
Removing the FUD from Cyber Security. Click to read Common Sense Security, by Toby Lewis, a Substack publication. Launched 2 years ago.
tobylewis.substack.com
January 2, 2025 at 11:35 AM
Interesting OpSec aspect with regards to the BeyondTrust compromise.

(H/T to @GossiTheDog.cyberplace.social.ap.brid.gy for first spotting this)

Having a search for some of the IOCs from the BeyondTrust blog reveals that they appear in a file uploaded to VirusTotal on the 19th December
December 31, 2024 at 12:19 PM
US Treasury announce network breach by “Chinese Actors” via cybersecurity vendor BeyondTrust.

BeyondTrust specialise in Privileged Access Management.

In other words, they have the power to access or generate one-time-use Admin credentials for their customer networks.
US Treasury says it was hacked by China in 'major incident'
A Chinese state-sponsored hacker broke into the US Treasury Department's systems in what is being called a "major incident".
www.bbc.com
December 30, 2024 at 10:47 PM
New blog post by analysts from @darktrace.com:

Detecting the exploitation of internet-facing File Transfer Servers, exploiting CVE-2024-50623
Cleo File Transfer Vulnerability: Patch Pitfalls and Darktrace’s Detection of Post-Exploitation Activities | Darktrace Blog
File transfer applications are prime targets for ransomware groups due to their critical role in business operations. Recent vulnerabilities in Cleo's MFT software, namely CVE-2024-50623 and CVE-2024-...
darktrace.com
December 17, 2024 at 12:30 PM
New blog post by analysts from @darktrace.com
- a review of recent exploit campaigns against Palo Alto firewalls which are then used as a launch point into customer networks.
Darktrace’s view on Operation Lunar Peek: Exploitation of Palo Alto firewall devices (CVE 2024-2012 and 2024-9474) | Darktrace Blog
Darktrace’s Threat Research team investigated a major campaign exploiting vulnerabilities in Palo Alto firewall devices (CVE 2024-2012 and 2024-9474). Learn about the spike in post-exploitation activi...
darktrace.com
December 10, 2024 at 12:12 PM
New blog post by analysts @darktrace.bsky.social - detecting the use of AiTM Phishing Kits, including MFA bypass, by attackers.
A snake in the net: Defending against AiTM phishing threats and Mamba 2FA | Darktrace Blog
Phishing-as-a-Service (PhaaS) platforms have lowered entry barriers for cybercriminals, leading to sophisticated AiTM phishing attacks. Darktrace's AI-driven solutions, including Darktrace / EMAIL, ef...
darktrace.com
December 5, 2024 at 3:39 PM
I can only read this in the voice of the guy who reads out the Football results.
December 4, 2024 at 3:30 PM
‘Tis the season to…

… be constantly picking up dropped pine needles off the floor
December 1, 2024 at 3:28 PM
OSINT challenge - Easy Edition

#lionesses
November 30, 2024 at 2:42 PM
New blog post by analysts at @darktrace.bsky.social - detecting SaaS account compromise including the use of multiple VPN access points by threat actors.
Behind the veil: Darktrace's detection of VPN exploitation in SaaS environments | Darktrace Blog
A recent phishing attack compromised an internal email account, but Darktrace’s advanced AI quickly intervened. By identifying unusual activity across email and SaaS environments, Darktrace uncovered ...
darktrace.com
November 27, 2024 at 9:54 PM
Nuances become lost when arguments are oversimplified. In this case, both attribution and motivation are reduced to their simplest form.

With attribution, it’s worth considering we’re talking about threats from multiple groups originating, or in support of, Russia’s objectives.
Russia ready to wage cyber war on UK, minister to say - BBC News
Pat McFadden will tell a Nato conference that Russia could try to attack British businesses and power grids.
www-bbc-co-uk.cdn.ampproject.org
November 24, 2024 at 12:25 PM
Only those of a certain age/persuasion will know what this means:

FCKGW-RHQQ2-YXRKT-8TG6W-2B7Q8
November 24, 2024 at 11:00 AM
Reposted by Toby Lewis
A list of the most popular names for the daughters of drummers:

3. Anna One
2. Anna Two
1. Anna One Two Three Four
November 22, 2024 at 12:35 PM