惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

P
Palo Alto Networks Blog
大猫的无限游戏
大猫的无限游戏
Martin Fowler
Martin Fowler
GbyAI
GbyAI
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
量子位
T
The Blog of Author Tim Ferriss
Y
Y Combinator Blog
Microsoft Azure Blog
Microsoft Azure Blog
C
CERT Recently Published Vulnerability Notes
Recent Announcements
Recent Announcements
A
About on SuperTechFans
aimingoo的专栏
aimingoo的专栏
P
Privacy International News Feed
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
博客园 - 叶小钗
L
Lohrmann on Cybersecurity
G
GRAHAM CLULEY
T
The Exploit Database - CXSecurity.com
Hugging Face - Blog
Hugging Face - Blog
P
Proofpoint News Feed
NISL@THU
NISL@THU
博客园 - Franky
C
Cybersecurity and Infrastructure Security Agency CISA
The Register - Security
The Register - Security
M
MIT News - Artificial intelligence
Know Your Adversary
Know Your Adversary
A
Arctic Wolf
F
Full Disclosure
T
Threat Research - Cisco Blogs
P
Privacy & Cybersecurity Law Blog
The Hacker News
The Hacker News
博客园 - 【当耐特】
D
Docker
T
Tailwind CSS Blog
S
SegmentFault 最新的问题
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Jina AI
Jina AI
Help Net Security
Help Net Security
V
Visual Studio Blog
小众软件
小众软件
B
Blog
Vercel News
Vercel News
云风的 BLOG
云风的 BLOG
N
News and Events Feed by Topic
Forbes - Security
Forbes - Security
N
Netflix TechBlog - Medium
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
C
Cisco Blogs
Security Archives - TechRepublic
Security Archives - TechRepublic

Intel 471 Blog

TeamPCP Supply Chain Attacks Turning Geopolitical Tension into Actionable Intelligence CVE-2025-68613: Zerobot botnet exploits critical vulnerability impacting n8n AI orchestration platform Introducing Cyber Threat Exposure Bundle: A Unified Approach to External Risk CVE-2026-20127: Critical Cisco SD-WAN vulnerability exploited in wild Handala Threat Group OpenClaw: A viral AI assistant and a magnet for infostealer malware and ClickFix trickery Israeli, US strikes against Iran triggers a surge in hacktivist activity CVE-2026-1731: Finding a critical RCE in an age of AI-driven vulnerability research Born to bypass MFA: Taking down Tycoon 2FA The UK Cyber Security Resilience Bill How AI and the human advantage beat tomorrow’s threats Winter Olympics 2026: Hacktivism Surges Ahead of Protests and Suspected Sabotage How Threat Hunting and “Good” Metrics Help The Business Likely fake ransomware operator 0APT causes panic — Our analysis Hunting APTs: from state policy to TTPs CrazyHunter Ransomware DevMan Ransomware Introducing HUNTER Tuning: a New Tool for Driving Behavioral Threat Hunt Detections Battling check fraud in the U.S. Gootloader Malware Update Shai-Hulud Worm 2.0 New FvncBot Android banking trojan targets Poland White Paper Preview: Black "Fraud Day” and Beyond — The Key Cyber Threats Facing the Retail Sector this Holiday Season Threat hunting case study: Detecting IAB activity Using deception to extract cyber threat intelligence Lynx Ransomware Qilin Ransomware Group ClickFix: Tricking users into installing infostealers Cybercrime Takedowns: Trust, Partnerships and Focus How card fraud is powered by underground card checkers Tracking down The Com Turning Chaos into Clarity: The Next Phase of Intel 471’s Geopolitical Intelligence Solution The FBI’s Group 78: Covertly fighting ransomware? How threat actors bypass multifactor authentication Crimson Collective In a digital age, US paper check fraud flourishes How you can defend against AI-driven fraud and phishing Detecting cybercriminal activity on Telegram NPM - Shai-Hulud Worm Threat hunting case study: ToolShell AMOS Stealer How AI can (and can’t) help in threat hunting The Phrack leak: Examining an APT’s workstation How initial access offers power intrusions and ransomware Drawing value from cyber threat intelligence “Pig-Butchering” Scams: The Dark Side of Social Engineering and Why Terminology Matters After disruption, XSS cybercrime forum faces loss of trust Update: Salt Typhoon Bridging the CTI Gap: New Exposure Modules on Verity471 Deliver Market-Disrupting Views of Threats Introducing Verity471: Cyber Threat Intelligence Ready to Operationalize FileFix Social Engineering Technique Guided Threat Hunts Takes Your Behavioral Threat Hunting to the Next Level Defending against doxing CVE-2025-53770 - Microsoft Sharepoint Mass Exploitation (ToolShell) Threat hunting case study: Lumma infostealer Pro-Russian hacktivism: Shifting alliances, new groups and risks mommy Access Broker NATO summit commences in tandem with tense cyber, kinetic conflict A look at ‘Tinker,’ Black Basta’s phishing fixer, negotiator Threat hunting case study: DragonForce Two critical challenges facing CTI teams and how to overcome them: Intel 471’s additional insights into the SANS 2025 CTI Survey Android malware trends: Stealthier, easier-to-use Fingerprinting threat actors by their anonymity techniques DanaBot malware disrupted, threat actors named Intel 471 brings HUNTER behavioral threat hunts to Google Security Operations SANS 2025 CTI Survey: It’s Business Time for Cyber Risk How an alleged Russian hacker slipped away Threat hunting case study: Medusa ransomware CVE-2025-31324 - SAP NetWeaver Vulnerability DragonForce Ransomware Managing a cyber crisis LabHost: A defunct but potent phishing service Understanding and threat hunting for RMM software misuse Threat-hunting case study: Windows Management Instrumentation abuse VanHelsing Ransomware An in-depth look at Black Basta's TTPs Six Key Takeaways From the SANS 2025 Threat Hunting Survey Update: Medusa Ransomware Writing high-quality IDS detection rules Threat hunting case study: RMM software Update: LockBit Ransomware Zservers: Bulletproof hosting for online crime Update: Black Basta Ransomware and Threat Group Black Basta exposed: A look at a cybercrime data leak BadPilot Campaign The evolution of Russian cybercrime Android trojan TgToxic updates its capabilities Threat hunting case study: SocGholish DeepSeek AI poses cybersecurity risks Law enforcement hammered cybercrime in 2024. Is it working? Remote Monitoring and Management (RMM) Abuse How threat actors are using artificial intelligence Threat hunting case study: PsExec How ransomware may trend in 2025 What 2025 May Hold for Cybersecurity Bring Your Own Hunts to HUNTER ‘Tis the Season to Be Alert for Cyber Threats: 5 Unjoyful Holiday Tactics Collecting Useful CTI from Underground Markets Expanding source coverage: adding Signal chats to threat intelligence
Automation is a Tool for Analysts - Not Vice Versa
Intel 471 · 2020-05-06 · via Intel 471 Blog

The siren song of automation has been an old tune for security marketers for the better part of two decades at this point. Security vendors have promised that automation will solve the security skills gap. That it will make it possible for SOC teams to do more with fewer people. That it will revolutionize security analyst workflows. That it will reduce alert fatigue and solve analyst burnout.

And yet, here we are in 2020 with plenty of security teams still battling false positives and false negatives the same as always and disabling more automated workflows than ever. So what gives? Why hasn’t automation lived up to the promises of the past?

One of the big problems with effective automation is the current threat landscape heavily complicating analysis and response to threats. Many years ago, when automation was being touted as the fix for strained or ineffective SOCs, straying from the standard workflow wasn’t a regular occurrence. However, as the threat landscape has evolved, so have our defenses, forcing attackers to innovate and overcome. This means many AI models, machine learning models and workflows that drive automation have to be reimagined, not just improved.

Back in the first waves of security automation investment and hype, we would see the same attack, with the same indicators and schema, or a similar-looking domain, maybe with a character changed here and there to beat simple detection signatures. I remember several instances where an APT actor would use the same IP for years. In that environment, AI-backed automation and consistent response workflows would have enough stable data to start to form very good models for accurate and effective automation. That simplicity is unheard of now.

WHERE WE REALLY STAND WITH AUTOMATION

Techniques are changing constantly, and more than just a simple character shift or slight edit. The ability of models to detect these constant shifts is not quite there yet. And trying to feed all of that into a model is exhausting and difficult. Which means that the human still has to be a big part of the decision-making process because we’re still the ones that can reliably and effectively make that decision of whether something’s a true positive or false positive, and keep a sharp look out for the false negatives where the system doesn’t even alert because the model is not able to detect the latest update or version of an attack or malware.

Now, this isn’t to say that automation has no role in the SOC. Certain kinds of automation can be extremely beneficial for security analysts, but we have to think more of micro-automations. Thinking about small parts of the overall workflow, such data collection, which is typically the number one time suck for an analyst today, can have a profound effect on your operation. When an analyst gets a user-based alert that they need to run down, automation can be invaluable to collect information from all the right sources and present it in a unified manner—which can sometimes take as much as 20 minutes to do for every initial investigation that needs to be made. Thinking smaller, enables more human analysis, validation and verification before moving to mitigation and response. Once you start getting past triage, the case for across-the-board automation gets a lot trickier.

A lot of companies have touted automated triage for years, but the problem is there are many situations in real-world organizations where automated containment, for example, is not going to fly. If you have an automated system isolate the machine of a VIP or critical system based on an alert without an analyst taking a look first, it can cause big problems. Although many systems can take this into account, the inclusion of the human can prevent costly mistakes where automation does too much. This is just one example of many where human intervention and decision-making breakpoints need to be included in the process.

AUTOMATION AS A TOOL

The point is, automation is a tool for analysts and not vice versa. Analysts shouldn’t be contorting themselves to make automation work—if a piece of security automation adds more problems and work into the triage and response process than it solves, then it probably isn’t good automation in the first place. As an industry, we must tread carefully as we figure out the right level of automation and human intervention that makes sense for meaningfully reducing risk to the enterprise

Cyborg is all about supporting today’s security analysts with pertinent information that isn’t just fluff. Continue reading how in our post Network Content and You: Why Logs Matter in the Age of TLS/SSL.