That feeling you get when you detect the red teamer before the MSSP and EDR do.
@buherator
Thankfully, not that bad. I don't miss working for those shops.
@infoseclogger @buherator They fire up the noisiest scanner?
Doing recon and tripped a monitored behavior. Not necessarily a honeypot, but a take a closer look alert.
@infoseclogger @buherator A good defense is a good defense, listen to the wires, Neo.
@infoseclogger CSOCs should be allowed to respond to red teams with goofy network configs. Troubleshoot this MTU and dACL.
@infoseclogger my SOC always detected the red team shortly after their engagement started and without fail they had promised to tell us which systems they were testing so we wouldn't be alarmed, but did not. Every. Damn. Time. It got to the point where one time we aggressively kicked them out and abuse reported every bit of infrastructure they used (knowing full well that it was them AND that they reused those domains and hosts across multiple engagements) because they made us so sick of the bullshit broken promises.
What tipped you off?
(Edit: saw your other reply saying what after I posted this)