惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

A
About on SuperTechFans
D
DataBreaches.Net
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
V
Visual Studio Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
B
Blog RSS Feed
Recent Announcements
Recent Announcements
The Register - Security
The Register - Security
S
Secure Thoughts
Y
Y Combinator Blog
The Last Watchdog
The Last Watchdog
L
LINUX DO - 最新话题
V2EX - 技术
V2EX - 技术
腾讯CDC
GbyAI
GbyAI
G
Google Developers Blog
博客园 - 司徒正美
博客园 - 三生石上(FineUI控件)
T
The Exploit Database - CXSecurity.com
T
Threat Research - Cisco Blogs
P
Proofpoint News Feed
Schneier on Security
Schneier on Security
Microsoft Security Blog
Microsoft Security Blog
Jina AI
Jina AI
WordPress大学
WordPress大学
aimingoo的专栏
aimingoo的专栏
MyScale Blog
MyScale Blog
Help Net Security
Help Net Security
K
Kaspersky official blog
P
Privacy & Cybersecurity Law Blog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
AI
AI
MongoDB | Blog
MongoDB | Blog
Scott Helme
Scott Helme
J
Java Code Geeks
Engineering at Meta
Engineering at Meta
H
Heimdal Security Blog
H
Help Net Security
D
Darknet – Hacking Tools, Hacker News & Cyber Security
云风的 BLOG
云风的 BLOG
Microsoft Azure Blog
Microsoft Azure Blog
S
Security Affairs
TaoSecurity Blog
TaoSecurity Blog
The GitHub Blog
The GitHub Blog
Hacker News: Ask HN
Hacker News: Ask HN
Martin Fowler
Martin Fowler
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Project Zero
Project Zero
T
The Blog of Author Tim Ferriss
Last Week in AI
Last Week in AI

Intel 471 Blog

TeamPCP Supply Chain Attacks Turning Geopolitical Tension into Actionable Intelligence CVE-2025-68613: Zerobot botnet exploits critical vulnerability impacting n8n AI orchestration platform Introducing Cyber Threat Exposure Bundle: A Unified Approach to External Risk CVE-2026-20127: Critical Cisco SD-WAN vulnerability exploited in wild Handala Threat Group OpenClaw: A viral AI assistant and a magnet for infostealer malware and ClickFix trickery Israeli, US strikes against Iran triggers a surge in hacktivist activity CVE-2026-1731: Finding a critical RCE in an age of AI-driven vulnerability research Born to bypass MFA: Taking down Tycoon 2FA The UK Cyber Security Resilience Bill How AI and the human advantage beat tomorrow’s threats Winter Olympics 2026: Hacktivism Surges Ahead of Protests and Suspected Sabotage How Threat Hunting and “Good” Metrics Help The Business Likely fake ransomware operator 0APT causes panic — Our analysis Hunting APTs: from state policy to TTPs CrazyHunter Ransomware DevMan Ransomware Introducing HUNTER Tuning: a New Tool for Driving Behavioral Threat Hunt Detections Battling check fraud in the U.S. Gootloader Malware Update Shai-Hulud Worm 2.0 New FvncBot Android banking trojan targets Poland White Paper Preview: Black "Fraud Day” and Beyond — The Key Cyber Threats Facing the Retail Sector this Holiday Season Threat hunting case study: Detecting IAB activity Using deception to extract cyber threat intelligence Lynx Ransomware Qilin Ransomware Group ClickFix: Tricking users into installing infostealers Cybercrime Takedowns: Trust, Partnerships and Focus How card fraud is powered by underground card checkers Tracking down The Com Turning Chaos into Clarity: The Next Phase of Intel 471’s Geopolitical Intelligence Solution The FBI’s Group 78: Covertly fighting ransomware? How threat actors bypass multifactor authentication Crimson Collective In a digital age, US paper check fraud flourishes How you can defend against AI-driven fraud and phishing Detecting cybercriminal activity on Telegram NPM - Shai-Hulud Worm Threat hunting case study: ToolShell AMOS Stealer How AI can (and can’t) help in threat hunting The Phrack leak: Examining an APT’s workstation How initial access offers power intrusions and ransomware Drawing value from cyber threat intelligence “Pig-Butchering” Scams: The Dark Side of Social Engineering and Why Terminology Matters After disruption, XSS cybercrime forum faces loss of trust Update: Salt Typhoon Bridging the CTI Gap: New Exposure Modules on Verity471 Deliver Market-Disrupting Views of Threats Introducing Verity471: Cyber Threat Intelligence Ready to Operationalize FileFix Social Engineering Technique Guided Threat Hunts Takes Your Behavioral Threat Hunting to the Next Level Defending against doxing CVE-2025-53770 - Microsoft Sharepoint Mass Exploitation (ToolShell) Threat hunting case study: Lumma infostealer Pro-Russian hacktivism: Shifting alliances, new groups and risks mommy Access Broker NATO summit commences in tandem with tense cyber, kinetic conflict A look at ‘Tinker,’ Black Basta’s phishing fixer, negotiator Threat hunting case study: DragonForce Two critical challenges facing CTI teams and how to overcome them: Intel 471’s additional insights into the SANS 2025 CTI Survey Android malware trends: Stealthier, easier-to-use Fingerprinting threat actors by their anonymity techniques DanaBot malware disrupted, threat actors named Intel 471 brings HUNTER behavioral threat hunts to Google Security Operations SANS 2025 CTI Survey: It’s Business Time for Cyber Risk How an alleged Russian hacker slipped away Threat hunting case study: Medusa ransomware CVE-2025-31324 - SAP NetWeaver Vulnerability DragonForce Ransomware Managing a cyber crisis LabHost: A defunct but potent phishing service Understanding and threat hunting for RMM software misuse Threat-hunting case study: Windows Management Instrumentation abuse VanHelsing Ransomware An in-depth look at Black Basta's TTPs Six Key Takeaways From the SANS 2025 Threat Hunting Survey Update: Medusa Ransomware Writing high-quality IDS detection rules Threat hunting case study: RMM software Update: LockBit Ransomware Zservers: Bulletproof hosting for online crime Update: Black Basta Ransomware and Threat Group Black Basta exposed: A look at a cybercrime data leak BadPilot Campaign The evolution of Russian cybercrime Android trojan TgToxic updates its capabilities Threat hunting case study: SocGholish DeepSeek AI poses cybersecurity risks Law enforcement hammered cybercrime in 2024. Is it working? Remote Monitoring and Management (RMM) Abuse How threat actors are using artificial intelligence Threat hunting case study: PsExec How ransomware may trend in 2025 What 2025 May Hold for Cybersecurity Bring Your Own Hunts to HUNTER ‘Tis the Season to Be Alert for Cyber Threats: 5 Unjoyful Holiday Tactics Collecting Useful CTI from Underground Markets Expanding source coverage: adding Signal chats to threat intelligence
Why You Need Internal SOC Analysts With Hands on Keyboards
Intel 471 · 2020-05-19 · via Intel 471 Blog

Over the years, many security organizations of all sizes have turned to SOC services offered by MSSPs and MDR providers to help supplement and replace internal security analysts. Whether it is to save money, quickly ramp up expertise in a certain areas like threat hunting, or to contend with long-term struggles in analyst recruitment, these arrangements certainly have their place in the world of security operations. However, they’re far from a magic wand for solving all of a SOC’s problems.

Even the best outsourced analyst still can never quite replace the utility and organizational fit offered by even just moderately skilled SOC analysts with hands on keyboards within your team. As someone who worked for one of those service providers for a long time, I can tell you from first-hand experience that you’re never going to get people as knowledgeable and as integrated into your teams as someone on company payroll.

Many organizations are recognizing this, which is why we’re starting to see the pendulum swing back to the desire to insource more SOC functionality these days. I believe that striking a good balance is key—even if you maintain SOC services, it’s crucial to maintain a core team of SOC and response analysts in house. Here’s why.

Internal analysts will always have access to more data than service provider analysts. Even with MDR and other services that assign your organization a point person to walk your organization through the process of incident analysis and response, these people are likely going to be asking a lot of questions to complete their investigations. There are frequently breaks in analysis in these situations because there are only so many data feeds and access points that your organization will be able to offer a third-party on an ongoing basis. They still need someone in-house to provide them with information or documentation on an ad hoc basis. This leads to the request, wait, request, wait scenarios slowing response and potentially mitigation efforts.

NO ONE KNOWS YOUR ORGANIZATION’S SYSTEMS LIKE AN INTERNAL TEAM

When I worked for a service provider, we had our own documentation about our customer, but we rarely had access to their documentation about their own tools. Although we could keep track of whatever we learned about their tool set, we were always outside looking in. Internal staff can prove invaluable to bridge that knowledge gap and carry the institutional memory that can make all the difference in understanding if something truly bad is happening or if an internal system is just doing the wonky thing that it always does in a given situation.

THE IR BUCK STOPS WITH INTERNAL ANALYSTS

Having a team of internal analysts at the ready—even if they’re dual-hatting with other duties—can be a crucial success factor in ramping up for a major security incident. While an outsourced provider may be the ones who tip the organization off to a problem, the buck stops in-house with internal people. They’re the ones who will be working at 10 p.m. on a Friday to escalate and inform stakeholders across the business. You need them to coordinate response internally and externally and work the incident. The important thing to remember is that internal analysts maintain personal connections with crucial company stakeholders and other teams outside the SOC in a way that external analysts never can. That inner communication and personalization of having someone on your team who knows your people and knows your process is indispensable.

BURNOUT IS REAL

Organizations should also be careful that they maintain enough of these internal analysts that nobody is regularly overburdened. One of the bigger Issues that I used to run into as an outsourced analyst was when I’d work an incident with a company that maybe only had one or two internal people. Those skeleton crews were asked to do too much work to see the company through their incidents. They were often junior people who would obviously become quickly disgruntled because they were doing the work of what should have been shouldered by an entire team. And then their employers would scratch their heads when these folks would leave.

So rather than thinking about how to make things more efficient by cutting internal SOC staffers, it’s crucial that organizations plan for how to arm these people with better tools and improved training. Even when your organization is using service providers to fill in gaps, your internal people are a vital part of the SOC ecosystem.

Read more from Brandon Denker, Cyborg’s Director of Research and Intelligence, in his blog Automation is a Tool for Analysts - Not Vice Versa.