惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

博客园_首页
阮一峰的网络日志
阮一峰的网络日志
S
Secure Thoughts
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
C
Cyber Attacks, Cyber Crime and Cyber Security
T
Threat Research - Cisco Blogs
P
Privacy & Cybersecurity Law Blog
The Hacker News
The Hacker News
H
Heimdal Security Blog
W
WeLiveSecurity
L
LINUX DO - 热门话题
Hacker News: Ask HN
Hacker News: Ask HN
WordPress大学
WordPress大学
The Last Watchdog
The Last Watchdog
Hugging Face - Blog
Hugging Face - Blog
博客园 - 【当耐特】
D
DataBreaches.Net
I
Intezer
Webroot Blog
Webroot Blog
C
Cisco Blogs
AWS News Blog
AWS News Blog
博客园 - 聂微东
T
The Blog of Author Tim Ferriss
V
Vulnerabilities – Threatpost
罗磊的独立博客
Google DeepMind News
Google DeepMind News
N
Netflix TechBlog - Medium
Schneier on Security
Schneier on Security
宝玉的分享
宝玉的分享
博客园 - 叶小钗
PCI Perspectives
PCI Perspectives
D
Docker
Scott Helme
Scott Helme
NISL@THU
NISL@THU
J
Java Code Geeks
B
Blog RSS Feed
Google Online Security Blog
Google Online Security Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
The Exploit Database - CXSecurity.com
AI
AI
美团技术团队
Cloudbric
Cloudbric
月光博客
月光博客
P
Proofpoint News Feed
T
Tailwind CSS Blog
Google DeepMind News
Google DeepMind News
小众软件
小众软件
www.infosecurity-magazine.com
www.infosecurity-magazine.com
The Cloudflare Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org

Intel 471 Blog

TeamPCP Supply Chain Attacks Turning Geopolitical Tension into Actionable Intelligence CVE-2025-68613: Zerobot botnet exploits critical vulnerability impacting n8n AI orchestration platform Introducing Cyber Threat Exposure Bundle: A Unified Approach to External Risk CVE-2026-20127: Critical Cisco SD-WAN vulnerability exploited in wild Handala Threat Group OpenClaw: A viral AI assistant and a magnet for infostealer malware and ClickFix trickery Israeli, US strikes against Iran triggers a surge in hacktivist activity CVE-2026-1731: Finding a critical RCE in an age of AI-driven vulnerability research Born to bypass MFA: Taking down Tycoon 2FA The UK Cyber Security Resilience Bill How AI and the human advantage beat tomorrow’s threats Winter Olympics 2026: Hacktivism Surges Ahead of Protests and Suspected Sabotage How Threat Hunting and “Good” Metrics Help The Business Likely fake ransomware operator 0APT causes panic — Our analysis Hunting APTs: from state policy to TTPs CrazyHunter Ransomware DevMan Ransomware Introducing HUNTER Tuning: a New Tool for Driving Behavioral Threat Hunt Detections Battling check fraud in the U.S. Gootloader Malware Update Shai-Hulud Worm 2.0 New FvncBot Android banking trojan targets Poland White Paper Preview: Black "Fraud Day” and Beyond — The Key Cyber Threats Facing the Retail Sector this Holiday Season Threat hunting case study: Detecting IAB activity Using deception to extract cyber threat intelligence Lynx Ransomware Qilin Ransomware Group ClickFix: Tricking users into installing infostealers Cybercrime Takedowns: Trust, Partnerships and Focus How card fraud is powered by underground card checkers Tracking down The Com Turning Chaos into Clarity: The Next Phase of Intel 471’s Geopolitical Intelligence Solution The FBI’s Group 78: Covertly fighting ransomware? How threat actors bypass multifactor authentication Crimson Collective In a digital age, US paper check fraud flourishes How you can defend against AI-driven fraud and phishing Detecting cybercriminal activity on Telegram NPM - Shai-Hulud Worm Threat hunting case study: ToolShell AMOS Stealer How AI can (and can’t) help in threat hunting The Phrack leak: Examining an APT’s workstation How initial access offers power intrusions and ransomware Drawing value from cyber threat intelligence “Pig-Butchering” Scams: The Dark Side of Social Engineering and Why Terminology Matters After disruption, XSS cybercrime forum faces loss of trust Update: Salt Typhoon Bridging the CTI Gap: New Exposure Modules on Verity471 Deliver Market-Disrupting Views of Threats Introducing Verity471: Cyber Threat Intelligence Ready to Operationalize FileFix Social Engineering Technique Guided Threat Hunts Takes Your Behavioral Threat Hunting to the Next Level Defending against doxing CVE-2025-53770 - Microsoft Sharepoint Mass Exploitation (ToolShell) Threat hunting case study: Lumma infostealer Pro-Russian hacktivism: Shifting alliances, new groups and risks mommy Access Broker NATO summit commences in tandem with tense cyber, kinetic conflict A look at ‘Tinker,’ Black Basta’s phishing fixer, negotiator Threat hunting case study: DragonForce Two critical challenges facing CTI teams and how to overcome them: Intel 471’s additional insights into the SANS 2025 CTI Survey Android malware trends: Stealthier, easier-to-use Fingerprinting threat actors by their anonymity techniques DanaBot malware disrupted, threat actors named Intel 471 brings HUNTER behavioral threat hunts to Google Security Operations SANS 2025 CTI Survey: It’s Business Time for Cyber Risk How an alleged Russian hacker slipped away Threat hunting case study: Medusa ransomware CVE-2025-31324 - SAP NetWeaver Vulnerability DragonForce Ransomware Managing a cyber crisis LabHost: A defunct but potent phishing service Understanding and threat hunting for RMM software misuse Threat-hunting case study: Windows Management Instrumentation abuse VanHelsing Ransomware An in-depth look at Black Basta's TTPs Six Key Takeaways From the SANS 2025 Threat Hunting Survey Update: Medusa Ransomware Writing high-quality IDS detection rules Threat hunting case study: RMM software Update: LockBit Ransomware Zservers: Bulletproof hosting for online crime Update: Black Basta Ransomware and Threat Group Black Basta exposed: A look at a cybercrime data leak BadPilot Campaign The evolution of Russian cybercrime Android trojan TgToxic updates its capabilities Threat hunting case study: SocGholish DeepSeek AI poses cybersecurity risks Law enforcement hammered cybercrime in 2024. Is it working? Remote Monitoring and Management (RMM) Abuse How threat actors are using artificial intelligence Threat hunting case study: PsExec How ransomware may trend in 2025 What 2025 May Hold for Cybersecurity Bring Your Own Hunts to HUNTER ‘Tis the Season to Be Alert for Cyber Threats: 5 Unjoyful Holiday Tactics Collecting Useful CTI from Underground Markets Expanding source coverage: adding Signal chats to threat intelligence
Introducing Intel 471’s Cybercrime Underground General Intelligence Requirements (CU-GIR): a common framework to address a common challenge
Intel 471 · 2020-02-27 · via Intel 471 Blog

By Michael DeBolt, Vice President of Intelligence.

In the last blog, I outlined three key benefits of a requirements-driven intelligence program. We also looked at three challenges that are preventing many programs from moving from concept to practice.

If you didn’t read it, here’s the TL;DR version:

I promised also to share details of how our approach at Intel 471 has helped to empower intelligence teams to tackle these challenges effectively, in the hope that this will assist others to navigate the same journey.

With this in mind, let’s pose the question again… “How to build a requirements-driven intelligence program?”

Adding new tires to existing wheels

As we thought about addressing this challenge at Intel 471, we sought inspiration from existing and proven frameworks and processes.

United States Marine Corps (USMC) “GIR” framework

As a framework, the USMC Intelligence Activity has long used “Generalized Intelligence Requirements (or “GIRs”) to assist human intelligence (HUMINT) collectors in the physical areas they operate. Collectors use a set of prescribed GIRs as a baseline tool to spot and assess collection opportunities against common observables they might encounter in the field.

U.S. Marine Corps GIRs are organized into handbooks for each type of environment Marines typically encounter. For example the UGIRH (PDF) covers commonly asked intelligence requirements when operating in an urban environment. There also is a mountain GIR, and so on.

Could we create a GIR-like framework based on the cybercrime underground?

A framework is great, but without a solid process to apply it against, it becomes useless. Enter the U.S. Intelligence Community’s process for prioritizing requirements across multiple stakeholders. This is a system of collating, weighting, scoring and prioritizing intelligence requirements to produce guidance for collectors and analysts in the field. Every requirement is mapped directly to the stakeholder asking for it. In short, everyone knows what success looks like and how exactly to achieve it.

Could we implement a similar process against a GIR-like framework?

Introducing: Cybercrime Underground General Intelligence Requirements (CU-GIR)

Intel 471’s Cybercrime Underground General Intelligence Requirements (or simply “GIRs”) is a compilation of frequently asked questions or topics based on common observables in the cybercrime underground. Roughly 180 GIRs are organized under a nested tree structure under the following six categories:

Cybercrime Underground General Intelligence V2 web 296x300

GIRs are organization-agnostic

The GIR framework allows for consistent and standing coverage of commonly observed and generalized threats to industry, sector, supply chain and geographic areas of interest, taking advantage of the highly “organized” characteristic of the cybercrime underground, which we outlined in a previous blog.

Conversely, organization-specific intelligence requirements (or “OSIRs”) are custom requirements based on needs unique to an organization or stakeholder. This includes specific infrastructure, technologies, brands, services, and more. We will cover OSIRs in a later blog.

GIRs are mapped to intelligence consumers and use cases

Each GIR maps to typical stakeholders and use cases where cyber threat intelligence (CTI) teams need to produce intelligence. Essentially, GIRs are ready-made intelligence requirements that can be used to bootstrap discussions with your stakeholders.

GIRs are not simple tags

Taking it a step further, each GIR includes a definition and specific essential elements of information (EEIs) that need to be addressed to fulfill or satisfy a particular GIR. As an analyst, these are the questions I will seek to address in my report or deliverable to satisfy a particular stakeholder use case. When content is marked or tagged with a GIR, it means that it fills a gap in knowledge.

For example, GIR 3.1 contains three child GIR entries for the common IaaS types along with the relevant EEIs an analyst needs to address in an intelligence deliverable that satisfies a stakeholder’s use case.

GIRs allow for a range in specificity

GIRs are situated in a nested tree structure to allow for a range in specificity and flexibility in its utility. For example, by addressing the EEIs of a specific child GIR entry, an analyst inherently satisfies the corresponding parent entry.

The graduation of these GIRs across a range of depths, allows organizations to refine their requirements over a period of time to focus on any areas of concern and to address both their specific, granular requirements as well as supporting their broader strategic needs.

How does Intel 471 use the GIR framework?

At Intel 471, CU-GIRs underpin everything we do. GIRs are used as our primary baseline tool to collect, classify and report frequently observed information found in the underground.

Prioritized and focused collection

Customers use our handbook to select and rank subsets of GIRs that are aligned to their stakeholders and use cases. These become client Priority Intelligence Requirements (PIRs). Intel 471 weighs and scores all PIRs and uses the resulting list to prioritize and steer standing collection and production efforts. Using this approach, we also gain insight into priority requirements across industry verticals.

Structured intelligence content and automated routing

Each Intel 471 deliverable is tagged with the applicable GIR or GIRs and automatically highlighted to clients who have matching PIRs.

Measured intelligence production

Synchronizing client PIRs to GIRs gives us a reliable method to measure the value of our intel production against our client needs over time. And, in turn, it gives our clients the ability to objectively measure their support to their own internal stakeholders.

Can other intelligence teams use the GIR framework?

Hopefully it’s clear by now that we want to share the CU-GIR framework with the industry to help empower intelligence teams. We created a handbook called the CU-GIRH, similar to the U.S. Marine Corps UGIRH mentioned previously in this blog, which serves as a baseline tool to assist organizing, prioritizing, producing and measuring production of cybercrime intelligence. Our hope is that it will help for you in whatever stage your CTI program, whether you are bootstrapping a new team or revisiting existing processes.

Still work to be done… and we want your input

At Intel 471, we have seen 1 1/2 years of real-world success by proving the concept of CU-GIRs both internally and with our customers. But this is only the beginning. Like any newly proposed framework or idea, the GIRs is a work in progress. We are eager to see where it goes next.

Currently, a subset of the CU-GIRs are mapped to the top-level of Mitre’s ATT&CK framework. We also are in the early stages of interlacing the CU-GIR framework with FAIR to help inform risk-based decisions and action. We also envision the creation of separate GIR frameworks for coverage of other environments where intelligence collection and production is needed, such as physical security, executive protection, and more. These projects are ongoing and will require feedback and input from the community to get them right.

Ultimately, we are sharing this framework because it provides a practical approach to implement a requirements-driven program, which is a challenge many intelligence teams experience across industry verticals and within both vendor and consumer spaces. Share your thoughts and ideas on this important subject and collaborate with us to further refine the next iteration of the GIR framework. Will GIRs solve all the problems related to intelligence collection and production? No it won’t. But we believe it can help a great deal!