John Stoner

@stonerpsu.bsky.social

125 Followers  |  284 Following  |  14 Posts  |  Joined: 18.10.2023  |  1.3992

Latest posts by stonerpsu.bsky.social on Bluesky

The Global Hunt for Putin’s ‘Sleeper Agents’ A quiet suburban mom, a hard-drinking war correspondent and an Arctic researcher were hiding in plain sight, championed by the Kremlin’s No. 1 fan of spy fiction.

Quite the article on illegals operating across multiple countries. Fascinating article from wsj!
www.wsj.com/world/europe...

21.12.2024 18:23 — 👍 1    🔁 0    💬 0    📌 0
New to Google Secops: Top Ten YARA-L Rules Troubleshooting Tips I’ve been asked a few times in the past month for tips that I use to troubleshoot YARA-L rules. As I thought about it, I realized this covers a lot of ground because when building detection logic, we ...

My last blog for 2024 is an alliteration of Ts; Top Ten Troubleshooting Tips for YARA-L for Google #SecOps! I hope these tips are helpful and for those who use other #siem solutions that there are helpful nuggets that can be used for your own detections!

www.googlecloudcommunity.com/gc/Community...

18.12.2024 19:24 — 👍 1    🔁 0    💬 0    📌 0
The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access In early February 2022, notably just ahead of the Russian invasion of Ukraine, Volexity made a discovery that led to one of the most fascinating and complex incident investigations Volexity had ever w...

Loads of great stuff presented at @cyberwarcon.bsky.social, and I've posted about a few already, but here's one more to check out. The team at @volexity.com often has interesting stuff to share, but this investigation, termed "nearest neighbor", is wild stuff: www.volexity.com/blog/2024/11...

26.11.2024 18:22 — 👍 3    🔁 0    💬 0    📌 0
China’s Surveillance State Is Selling Citizen Data as a Side Hustle Chinese black market operators are openly recruiting government agency insiders, paying them for access to surveillance data and then reselling it online—no questions asked.

Another fun talk from @cyberwarcon.bsky.social was Aurora Johnson and Kyla Cardona from @spycloud.bsky.social discussing user data being sold as it was being pulled from China's vast databases. Here's one of their blogs spycloud.com/blog/deep-di... and the story in Wired www.wired.com/story/chines...

25.11.2024 18:13 — 👍 2    🔁 0    💬 0    📌 0
Seeing Through a GLASSBRIDGE: Understanding the Digital Marketing Ecosystem Spreading Pro-PRC Influence Operations | Google Cloud Blog GLASSBRIDGE is an umbrella group of four different companies that operate networks of inauthentic news sites and newswire services.

Fascinating turbo talks on Russia and China information operations by Google TAG analysts Vanessa Molter and Zak Butler @cyberwarcon.bsky.social cloud.google.com/blog/topics/...

22.11.2024 19:56 — 👍 0    🔁 0    💬 0    📌 0

Fascinating talk by Mike Torrey from Meta on Russia’s Doppelgänger influence operations and how Meta actively combats it daily @cyberwarcon.bsky.social

22.11.2024 16:27 — 👍 2    🔁 0    💬 0    📌 0

That’s a great lineup!

16.11.2024 04:13 — 👍 0    🔁 0    💬 0    📌 0
New to Google SecOps: What Difference Does It Make? We’ve previously looked at different functions that can be helpful when working with timestamps. For instance, timestamp.get_timestamp can provide various formats for dates and times to be displayed i...

Anytime I can work The Smiths into my title is a good day for the New to Google Cloud Security #secops blog. We cover a time function to calculate diffs using various time units to be used in rules and searches #threathunting #detectionengineering www.googlecloudcommunity.com/gc/Community...

14.11.2024 16:33 — 👍 1    🔁 0    💬 0    📌 0
New to Chronicle: Alert Graph - Part 1 Welcome to a new year, and with it comes a two-part blog on the Chronicle Security Operations platform alert graph. I thought I was going to be able to squeeze it all into a single post, but as I dug further and further, I realized we couldn’t do it justice in a single blog. So, in this first post w...

After a January reset, we're back in a new location with more New to Chronicle goodness. Today, we're looking at how alerts and detections can be viewed in relation to their entities within the Alert Graph. Check this out and much more at the Google Cloud #secops community!

07.02.2024 23:05 — 👍 0    🔁 0    💬 0    📌 0

Today I'm going to wrap up our last New to Chronicle blog of the year and share the work we've been doing on getting community rules underway and looking ahead to next year! #secops chronicle.security/blog/posts/n...

20.12.2023 16:15 — 👍 0    🔁 0    💬 0    📌 0

In this installment of the Google Cloud New to Chronicle blog series, we take a look at saving, re-using, sharing and template-izing those well-crafted searches for others in your organization to benefit from! #secops

chronicle.security/blog/posts/n...

30.11.2023 16:40 — 👍 0    🔁 0    💬 0    📌 0

And now for the conclusion to our dashboard-building arc in New to Chronicle: here are tips on formatting and filtering to pass parameters into the dashboard. Then we cover how you can share your dashboards with your friends and neighbors! chronicle.security/blog/posts/n... #secops #siem

09.11.2023 17:22 — 👍 0    🔁 0    💬 0    📌 0

Heading to @cyberwarcon.bsky.social tomorrow and looking forward to it, not the drive, but I'll take it in return for the content! #cyberwarcon

08.11.2023 15:53 — 👍 0    🔁 0    💬 0    📌 0

This is a bit delayed, but here's my talk from SANS DFIR in Austin on visibility around a Golden SAML attack and subsequent cloud activity in both Azure AD and O365. Big thanks to Heather and Phil and team for giving me an opportunity to present! www.youtube.com/watch?v=Vpgi...

31.10.2023 13:46 — 👍 3    🔁 0    💬 0    📌 0