Threat hunting, intelligence feeds, IOC analysis, and adversary tracking
148 total articles
YARA is a pattern-matching language designed specifically for identifying and classifying malware. Created by Victor Alvarez at VirusTotal, YARA allows security researchers and detection engineers to write rules that describe malware families based on textual or binary patterns found in files, memor
A Threat Intelligence Platform (TIP) is a technology system purpose-built to manage the full lifecycle of threat intelligence: collecting indicators and context from multiple sources, processing and deduplicating that data, enriching it with analyst context and confidence scoring, and distributing a
STIX and TAXII are a pair of open standards developed under OASIS Open that together define how threat intelligence is structured and how it travels between systems.
SOC metrics and KPIs (Key Performance Indicators) are the quantitative measurements that tell an organization whether its Security Operations Center is doing its job.
Alert fatigue is the state in which security analysts become desensitized to security alerts because the volume of incoming alerts exceeds the cognitive capacity to review them meaningfully.
An incident response retainer is a pre-negotiated contract with an IR (incident response) firm that guarantees access to the firm's expertise and resources when a security incident occurs.
The Cyber Dimensions of the Russia-Ukraine War. The Russia-Ukraine War, which escalated into full-scale invasion on February 24, 2022, is the first major armed conflict in which a persistent, multi-year cyber campaign has operated alongside conventional military operation
Critical Infrastructure Targeting: A Global Assessment. Critical infrastructure refers to the systems and assets whose incapacitation or destruction would have a debilitating effect on national security, economic security, public health, or public safety.
The Commercial Spyware Industry. Commercial spyware, also known as mercenary spyware or stalkerware at the consumer level, refers to surveillance software developed and sold by private companies to government clients for the purpose of covertly monitoring targets' devices
Extended Detection and Response (XDR) is a security architecture that unifies telemetry from endpoint, network, cloud, email, and identity sources into a single platform, then applies correlated detection and automated response across all of those sources simultaneously.
Sigma is a vendor-neutral, open specification for writing threat detection rules in a format that can be converted into the query language of any Security Information and Event Management (SIEM) platform.
User and Entity Behavior Analytics (UEBA) is a security technology discipline that establishes statistical baselines for the normal behavior of users, devices, applications, and service accounts across an environment, then detects deviations from those baselines that indicate potential compromise, i
Ransomware-as-a-Service (RaaS) is a criminal business model in which a core development group builds and maintains ransomware infrastructure, then licenses access to that infrastructure to a network of paying affiliates who conduct the actual intrusions and deploy the malware.
Network forensics is the capture, recording, and analysis of network traffic for the purpose of investigating security incidents, reconstructing attacker activity, and quantifying data movement across organizational boundaries.
Memory forensics is the discipline of acquiring, preserving, and analyzing the contents of a computer's volatile memory (RAM) to reconstruct attacker activity, identify malicious code, and recover artifacts that exist nowhere else in a compromised system.
Double extortion is a ransomware attack model in which the attacker both encrypts the victim's data and exfiltrates a copy of that data before encryption occurs.
Disk forensics is the examination of non-volatile storage media (hard drives, SSDs, USB drives, memory cards, and similar devices) to recover evidence of system activity, user behavior, and attacker actions.
A distributed denial-of-service (DDoS) attack is an attempt to make a network resource, server, or service unavailable by overwhelming it with traffic from multiple sources simultaneously.
Rhysida is a ransomware group that appeared publicly in May 2023 and has, within roughly two years of operation, established itself as a significant threat to healthcare, education, government, and cultural institutions.
Conti was a Russia-linked ransomware operation active from roughly mid-2020 through May 2022. At its peak, it was the most prolific ransomware group in the world, responsible for attacks on hundreds of organizations across critical infrastructure, healthcare, government, and financial services.
Black Basta is a ransomware group that emerged in April 2022, approximately one month after the Conti ransomware operation began collapsing under the weight of its leaked internal data.
Stuxnet: The First Cyber Weapon. Stuxnet is the most consequential piece of malware ever deployed.
Microsoft Midnight Blizzard Breach (2024). In January 2024, Microsoft disclosed that APT29, the Russian Foreign Intelligence Service (SVR) hacking unit tracked under the name Midnight Blizzard, had breached the email accounts of senior Microsoft executives.
Kaseya VSA Supply Chain Attack. On July 2, 2021, the REvil ransomware group executed one of the most sophisticated supply chain attacks in cybersecurity history.
Salt Typhoon is a Chinese state-sponsored advanced persistent threat (APT) group that conducts signals intelligence collection operations against telecommunications infrastructure.
Lazarus Group is North Korea's primary advanced persistent threat operation, operating under the RGB (Reconnaissance General Bureau), the DPRK's primary foreign intelligence service.
APT28 is a Russian military intelligence cyber espionage and information warfare unit operating under the GRU (Glavnoye Razvedyvatelnoye Upravleniye), specifically Unit 26165 of the 85th Main Special Service Center (GTsSS).
On June 27, 2017, a cyberattack disguised as ransomware detonated simultaneously across thousands of organizations on six continents.
In late May 2023, the Cl0p ransomware group exploited a zero-day SQL injection vulnerability in MOVEit Transfer (CVE-2023-34362) to exfiltrate data from more than 2,700 organizations and expose personal information belonging to more than 90 million individuals.
On December 9, 2021, a security researcher disclosed a critical remote code execution vulnerability in Apache Log4j 2, a Java logging library embedded in thousands of enterprise applications worldwide.
A threat intelligence overview of second-tier state cyber actors beyond the Big Four, covering Vietnam's APT32/OceanLotus operations, India's SideWinder campaign activity and commercial spyware use, Turkey's StrongPity and diaspora targeting operations, and the broader proliferation of offensive cyber capabilities to nation-states with regional ambitions.
An analytical assessment, based entirely on open-source reporting and historical precedent, of how cyber operations would likely feature in a cross-strait conflict scenario, covering documented PRC pre-positioning, likely operational objectives, global spillover risk, and defensive implications for critical infrastructure organizations.
An analysis of the convergence between state intelligence operations and criminal activity in cyberspace, with detailed examination of APT41, North Korea's Lazarus Group financial theft model, Russia's use of criminal infrastructure, and the attribution challenges created when state and criminal operations use the same tools and actors.
An analysis of how cyber operations integrate with information operations, economic pressure, and kinetic military action in hybrid warfare, covering Russia's doctrine and practice from Crimea through the 2022 full-scale invasion of Ukraine, and the implications for critical infrastructure defenders.
Pegasus is a commercial surveillance tool developed by Israel's NSO Group and sold exclusively to government clients. Investigative work by Forbidden Stories, Amnesty International, and a global consortium of journalists revealed systematic targeting of journalists, human rights defenders, lawyers, and heads of state, exposing a structural failure in the regulatory frameworks governing the commercial spyware industry.
The 2015 and 2016 cyber attacks on Ukraine's power grid were the first confirmed instances of cyber operations causing real-world electricity outages. Attributed to Russia's Sandworm team, these attacks demonstrated that adversaries could cross the operational technology boundary and cause physical consequences at scale, permanently raising the stakes for critical infrastructure security.
WannaCry was an EternalBlue-powered ransomware worm that infected 200,000+ systems across 150+ countries in four days. Attributed to North Korea's Lazarus Group, it exposed how an unpatched two-month-old vulnerability and a leaked NSA exploit could cascade into a global infrastructure crisis.
In February 2016, North Korea's Lazarus Group exploited months of persistent network access inside Bangladesh Bank to submit 35 fraudulent SWIFT payment instructions to the Federal Reserve Bank of New York, attempting to steal $951 million. Five transfers totaling $101 million were processed before risk filters triggered. $81 million reached Philippine casinos and was never recovered. The attack exposed a systemic vulnerability in the global financial messaging network: SWIFT's security is only as strong as the weakest connected institution.
Between 2014 and 2015, Chinese state-sponsored threat actors (assessed as APT10/Deep Panda) compromised the U.S. Office of Personnel Management and exfiltrated records on 4.2 million current and former federal employees plus SF-86 security clearance application data on 21.5 million individuals. The SF-86 breach gave a foreign intelligence service a near-complete map of the U.S. national security workforce along with the most sensitive personal information the government collects.
In December 2013, attackers compromised a third-party HVAC vendor to steal credentials, pivot into Target's internal network, and deploy RAM-scraping malware across 1,797 stores, ultimately exfiltrating 40 million payment card records and 70 million PII records. The breach is notable not only for its scale but for the fact that security tools detected the malware and fired alerts days before public disclosure — alerts that were ignored.
How attackers modify existing accounts to maintain access and escalate privileges. Account manipulation (MITRE ATT&CK T1098) is a persistence technique that targets existing trusted accounts rather than creating new ones, making it harder to detect. Covers cloud credential additions, email delegation abuse, SSH key injection, and cloud role escalation.
How attackers acquire capabilities and infrastructure before the attack begins. Resource development (MITRE ATT&CK TA0042) is the pre-attack tactic that occurs entirely outside the victim environment, covering domain acquisition, infrastructure compromise, malware development, and persona establishment.
How attackers run malicious code on target systems. Execution is MITRE ATT&CK TA0002, the tactic that activates code delivered through initial access or persistence mechanisms. Covers PowerShell, WMI, scheduled tasks, user execution, and detection strategies.
How attackers achieve their final objective through damage-causing techniques, covering the full spectrum from ransomware encryption to data destruction, wiper malware, cryptojacking, and account access removal, with detection strategies and the role of DPS backup integrity in recovery.
How attackers gather data before exfiltration, covering key MITRE ATT&CK TA0009 techniques including email collection, data repositories, cloud storage, staging, and keylogging with detection strategies for each.
How attackers systematically map an environment after gaining initial access, covering key MITRE ATT&CK TA0007 techniques, Active Directory enumeration tools, cloud discovery methods, and detection strategies.
A comparative analysis of the Cyber Kill Chain and MITRE ATT&CK frameworks, covering their structure, strengths, limitations, and practical applications, with guidance on when to use each and how they work together as complementary models.
The Diamond Model of Intrusion Analysis is a structured analytic framework built on four vertices (adversary, victim, infrastructure, capability) and the relationships between them, enabling analysts to pivot from any known indicator to discover unknown elements of a threat campaign.
A structured methodology for building and testing threat hunting hypotheses, covering the hypothesis-driven model, the eight-step development cycle, data source requirements, and how confirmed findings feed back into persistent detection engineering.
Reconnaissance is the phase of an attack in which the adversary gathers information about the target before taking any direct action against it.
On July 19, 2024, at 04:09 UTC, CrowdStrike deployed a content configuration update to its Falcon sensor endpoint protection platform.
Data exfiltration is the unauthorized transfer of data from a target environment to attacker-controlled infrastructure.
Command and Control (C2) is the tactic adversaries use to communicate with systems they have compromised inside a target environment.
On September 15, 2022, an attacker affiliated with the Scattered Spider threat ecosystem breached Uber's corporate network and announced the compromise inside Uber's own internal Slack workspace.
The Equifax data breach stands as one of the most consequential data security failures in United States history.
Cl0p is the threat actor responsible for the largest single data theft campaign in recorded history.
FIN7 is the most financially successful criminal hacking group ever tracked by law enforcement and the security research community.
Turla is one of the oldest and most technically sophisticated nation-state cyber espionage groups ever documented.
Sandworm is Russia's most destructive cyber unit, responsible for the most damaging cyberattacks ever recorded.
APT41 is a Chinese state-sponsored threat actor that conducts both government-directed espionage and financially motivated cybercrime.
BlackCat, also tracked as ALPHV and Noberus, was the most technically sophisticated ransomware operation in the criminal ecosystem during its active period from late 2021 through early 2024.
Defense evasion is the adversary's discipline of avoiding detection while pursuing their objectives.
Credential access is the attacker's path from presence to power. An initial foothold on a single endpoint has limited value.
Persistence is the attacker's answer to a single, brutal problem: every reboot, every password reset, every reimaged endpoint could end the intrusion.
Operational runbook for threat hunting sprint procedures.
Operational runbook for threat intelligence feed management procedures.
Analysis of AI-powered threat detection systems and implications for cybersecurity professionals.
Reference architecture and design patterns for threat intelligence platform architecture implementation.
Deploy and operate a threat intelligence platform for IOC management, feed integration, and intelligence sharing.
Practice hypothesis-driven threat hunting using MITRE ATT&CK framework techniques.
Analysis of Midnight Blizzard compromise of Microsoft via OAuth application abuse.
Technical analysis of Pikabot loader emergence as Qakbot replacement.
Analysis of DarkGate MaaS platform combining loader, RAT, and info-stealer capabilities.
End-to-end analysis of SocGholish campaigns through to ransomware deployment.
Intelligence on ransomware group negotiation behaviors and preparation frameworks.
Technical analysis of Snake Keylogger credential stealer and exfiltration methods.
Analysis of Kimsuky targeting think tanks, academia, and government for intelligence.
Analysis of Turla advanced tradecraft including satellite C2 and APT infrastructure hijacking.
Technical analysis of KV-Botnet SOHO router proxy network used by Chinese state-sponsored actors.
ChromeLoader browser hijacker evolution from adware to malware distribution via malicious extensions.
Magniber ransomware uniquely targeting consumers and small businesses via web-based delivery at volume.
Analysis of Remcos commercial RAT extensively weaponized by cybercriminal operations.
Deep analysis of Turla/FSB Snake implant, 20-year evolution, and FBI Operation MEDUSA disruption.
Technical analysis of Gootloader JavaScript infection chain via manipulated search results.
Nitrogen campaign using search ads to deliver initial access via trojanized IT tool downloads.
Analysis of Raspberry Robin USB worm propagation and role as initial access broker.
Technical analysis of AsyncRAT capabilities, distribution, and detection across variants.
Profile of Play ransomware closed affiliate model targeting enterprises and government.
Analysis of destructive wiper malware families and defense strategies against data destruction.
Comprehensive analysis of credential theft techniques across MITRE ATT&CK credential access tactic.
Analysis of firmware attacks, hardware implants, and below-the-OS persistence techniques.
Analysis of ransomware negotiation patterns and intelligence for organizational decision-making.
Comprehensive catalog of techniques malware uses to detect and evade analysis sandboxes.
Technical guide to detecting Cobalt Strike across delivery, network, memory, and post-exploitation.
Comprehensive taxonomy of software supply chain attack patterns with real-world examples.
Framework for analyzing multi-vulnerability exploit chains in advanced attacks.
Techniques for fingerprinting and tracking threat actor C2 infrastructure across campaigns.
Analysis of sustained exploitation campaigns targeting Ivanti Connect Secure VPN appliances.
Analysis of CVE-2023-4966 Citrix Bleed mass exploitation by multiple ransomware groups.
Tracking Royal Ransomware to BlackSuit rebrand and connections to former Conti members.
Analysis of BianLian strategic shift from encryption to data-theft-only extortion model.
Overview of info-stealer ecosystem: RedLine, Raccoon, Vidar, Lumma, and credential marketplace economics.
Technical breakdown of SocGholish drive-by download campaigns and ransomware connections.
Technical analysis of IcedID as initial access vector enabling ransomware deployment.
Operational profile of Medusa ransomware triple extortion targeting education, healthcare, and government.
Profile of Rhysida ransomware targeting healthcare, education, and government sectors.
Tracking FIN7 evolution from point-of-sale malware through corporate facades to ransomware.
Technical analysis of Qakbot evolution from banking trojan to ransomware initial access broker.
Analysis of Cl0p mass exploitation campaigns targeting file transfer appliances at scale.
Analysis of Emotet evolution, international takedown, and return as malware distribution platform.
Operational analysis of Black Basta ransomware, Conti lineage, and leaked chat intelligence.
Comprehensive analysis of APT28/Fancy Bear operations, TTPs, and attribution indicators.
Deep analysis of APT29/Cozy Bear SolarWinds campaign TTPs and cloud-focused operations.
Analysis of Lazarus Group financially-motivated and espionage operations from North Korea.
Analysis of Sandworm/GRU Unit 74455 destructive campaigns.
Developing crisis communication plans for security incidents that coordinate messaging across internal and external stakeholders.
Establishing blameless post-mortem processes that extract lessons learned and drive measurable security improvements after incidents.
Producing actionable threat landscape reports that inform leadership about relevant threats and recommended defensive priorities.
Conducting collaborative purple team exercises that combine offensive testing with defensive validation to improve detection.
Implementing SOAR capabilities to automate repetitive security tasks, enrich alerts, and orchestrate response workflows.
Automating the enrichment of security alerts with threat intelligence context to improve analyst decision-making speed.
Establishing a detection engineering practice that systematically develops, tests, and maintains detection rules and analytics.
Building internal malware analysis capabilities for triaging suspicious files and understanding threat actor tooling.
Building correlation rules and analytics that connect related security events across data sources to identify complex attack patterns.
Ensuring incident response capabilities are tested, documented, and ready for activation when security events occur.
Building internal digital forensics capabilities for evidence collection, analysis, and chain of custody management.
Advancing SOC operations from reactive alert handling to proactive threat detection and intelligence-driven response.
Establishing a proactive threat hunting program that identifies threats not detected by automated security controls.
Operating and continuously tuning SIEM systems for effective detection with manageable alert volumes.
Integrating threat intelligence feeds into security operations to improve detection, prioritization, and response decisions.
Step-by-step breach response: detection, containment, investigation, notification requirements, and post-breach improvement.
DNS as a security control: DNSSEC, DNS over HTTPS, protective DNS services, and DNS-based threat detection.
Collaborative purple teaming: planning, execution, detection validation, and continuous improvement cycles.
Direct and indirect prompt injection techniques targeting LLM-powered applications, with detection and mitigation strategies.
Identifying AI-generated media: detection techniques, organizational policies, and defensive strategies against deepfake-enabled attacks.
Threat landscape for AI/ML systems: adversarial attacks, data poisoning, model theft, and prompt injection across the deployment lifecycle.
Deploying deception: honeypots, honeytokens, bread crumbs, and deception networks for early threat detection.
Moving beyond ATT&CK posters: mapping detections, measuring coverage, identifying gaps, and driving security investment.
Proactive threat hunting: hypothesis development, data source selection, hunt execution, and operationalizing findings.
Building a threat intelligence capability: collection, analysis, production, and dissemination aligned to organizational decision-making.
Multi-layered ransomware defense: prevention, detection, response, and recovery across the kill chain.
NDR capabilities, deployment architecture, detection techniques, and integration with SOC workflows.
Designing and maintaining IR playbooks: structure, triggers, actions, escalation criteria, and continuous improvement.
Evidence collection, chain of custody, forensic imaging, and analysis techniques for incident investigations.
IOCs are forensic evidence of breaches. Effective use requires feed integration, enrichment, and understanding their limitations.
OSINT provides security intelligence from public sources for attack surface monitoring, threat tracking, and adversary research.
The Threat Intelligence Lifecycle transforms raw threat data into actionable intelligence through six structured phases.
Types of indicators of compromise, the IOC lifecycle from collection through expiration, and why quality matters more than quantity.