惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Cloudflare Blog
Microsoft Security Blog
Microsoft Security Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
L
LangChain Blog
W
WeLiveSecurity
P
Proofpoint News Feed
月光博客
月光博客
NISL@THU
NISL@THU
L
LINUX DO - 最新话题
Webroot Blog
Webroot Blog
T
Threatpost
Y
Y Combinator Blog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
T
Threat Research - Cisco Blogs
Vercel News
Vercel News
Jina AI
Jina AI
阮一峰的网络日志
阮一峰的网络日志
S
Schneier on Security
J
Java Code Geeks
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
小众软件
小众软件
MyScale Blog
MyScale Blog
N
News and Events Feed by Topic
Stack Overflow Blog
Stack Overflow Blog
有赞技术团队
有赞技术团队
The Hacker News
The Hacker News
Schneier on Security
Schneier on Security
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Help Net Security
Help Net Security
Recent Announcements
Recent Announcements
S
Security @ Cisco Blogs
C
CXSECURITY Database RSS Feed - CXSecurity.com
S
Securelist
T
The Exploit Database - CXSecurity.com
云风的 BLOG
云风的 BLOG
C
Cisco Blogs
雷峰网
雷峰网
量子位
Google DeepMind News
Google DeepMind News
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Spread Privacy
Spread Privacy
L
Lohrmann on Cybersecurity
I
Intezer
T
The Blog of Author Tim Ferriss
G
GRAHAM CLULEY
D
DataBreaches.Net
V
Vulnerabilities – Threatpost
P
Privacy & Cybersecurity Law Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
罗磊的独立博客

Intel 471 Blog

TeamPCP Supply Chain Attacks Turning Geopolitical Tension into Actionable Intelligence CVE-2025-68613: Zerobot botnet exploits critical vulnerability impacting n8n AI orchestration platform Introducing Cyber Threat Exposure Bundle: A Unified Approach to External Risk CVE-2026-20127: Critical Cisco SD-WAN vulnerability exploited in wild Handala Threat Group OpenClaw: A viral AI assistant and a magnet for infostealer malware and ClickFix trickery Israeli, US strikes against Iran triggers a surge in hacktivist activity CVE-2026-1731: Finding a critical RCE in an age of AI-driven vulnerability research Born to bypass MFA: Taking down Tycoon 2FA The UK Cyber Security Resilience Bill How AI and the human advantage beat tomorrow’s threats Winter Olympics 2026: Hacktivism Surges Ahead of Protests and Suspected Sabotage How Threat Hunting and “Good” Metrics Help The Business Likely fake ransomware operator 0APT causes panic — Our analysis Hunting APTs: from state policy to TTPs CrazyHunter Ransomware DevMan Ransomware Introducing HUNTER Tuning: a New Tool for Driving Behavioral Threat Hunt Detections Battling check fraud in the U.S. Gootloader Malware Update Shai-Hulud Worm 2.0 New FvncBot Android banking trojan targets Poland White Paper Preview: Black "Fraud Day” and Beyond — The Key Cyber Threats Facing the Retail Sector this Holiday Season Threat hunting case study: Detecting IAB activity Using deception to extract cyber threat intelligence Lynx Ransomware Qilin Ransomware Group ClickFix: Tricking users into installing infostealers Cybercrime Takedowns: Trust, Partnerships and Focus How card fraud is powered by underground card checkers Tracking down The Com Turning Chaos into Clarity: The Next Phase of Intel 471’s Geopolitical Intelligence Solution The FBI’s Group 78: Covertly fighting ransomware? How threat actors bypass multifactor authentication Crimson Collective In a digital age, US paper check fraud flourishes How you can defend against AI-driven fraud and phishing Detecting cybercriminal activity on Telegram NPM - Shai-Hulud Worm Threat hunting case study: ToolShell AMOS Stealer How AI can (and can’t) help in threat hunting The Phrack leak: Examining an APT’s workstation How initial access offers power intrusions and ransomware Drawing value from cyber threat intelligence “Pig-Butchering” Scams: The Dark Side of Social Engineering and Why Terminology Matters After disruption, XSS cybercrime forum faces loss of trust Update: Salt Typhoon Bridging the CTI Gap: New Exposure Modules on Verity471 Deliver Market-Disrupting Views of Threats Introducing Verity471: Cyber Threat Intelligence Ready to Operationalize FileFix Social Engineering Technique Guided Threat Hunts Takes Your Behavioral Threat Hunting to the Next Level Defending against doxing CVE-2025-53770 - Microsoft Sharepoint Mass Exploitation (ToolShell) Threat hunting case study: Lumma infostealer Pro-Russian hacktivism: Shifting alliances, new groups and risks mommy Access Broker NATO summit commences in tandem with tense cyber, kinetic conflict A look at ‘Tinker,’ Black Basta’s phishing fixer, negotiator Threat hunting case study: DragonForce Two critical challenges facing CTI teams and how to overcome them: Intel 471’s additional insights into the SANS 2025 CTI Survey Android malware trends: Stealthier, easier-to-use Fingerprinting threat actors by their anonymity techniques DanaBot malware disrupted, threat actors named Intel 471 brings HUNTER behavioral threat hunts to Google Security Operations SANS 2025 CTI Survey: It’s Business Time for Cyber Risk How an alleged Russian hacker slipped away Threat hunting case study: Medusa ransomware CVE-2025-31324 - SAP NetWeaver Vulnerability DragonForce Ransomware Managing a cyber crisis LabHost: A defunct but potent phishing service Understanding and threat hunting for RMM software misuse Threat-hunting case study: Windows Management Instrumentation abuse VanHelsing Ransomware An in-depth look at Black Basta's TTPs Six Key Takeaways From the SANS 2025 Threat Hunting Survey Update: Medusa Ransomware Writing high-quality IDS detection rules Threat hunting case study: RMM software Update: LockBit Ransomware Zservers: Bulletproof hosting for online crime Update: Black Basta Ransomware and Threat Group Black Basta exposed: A look at a cybercrime data leak BadPilot Campaign The evolution of Russian cybercrime Android trojan TgToxic updates its capabilities Threat hunting case study: SocGholish DeepSeek AI poses cybersecurity risks Law enforcement hammered cybercrime in 2024. Is it working? Remote Monitoring and Management (RMM) Abuse How threat actors are using artificial intelligence Threat hunting case study: PsExec How ransomware may trend in 2025 What 2025 May Hold for Cybersecurity Bring Your Own Hunts to HUNTER ‘Tis the Season to Be Alert for Cyber Threats: 5 Unjoyful Holiday Tactics Collecting Useful CTI from Underground Markets Expanding source coverage: adding Signal chats to threat intelligence
Being a cyber threat intelligence analyst and operating in the fog of uncertainty
2017-05-18 · via Intel 471 Blog

By Mark Arena, CEO of Intel 471.

A lot has been said, blogged and marketed on WannaCry ransomware with many pointing fingers at who they think might be behind it. The objective of this blog isn’t to critique, support or disprove any specific hypothesis. The goal is to highlight what it means to be a cyber threat intelligence professional who will most certainly be faced with the reality of incomplete information and/or different levels of uncertainty. The ability to operate and make assessments under a fog of uncertainty is what intelligence analysts do…it’s a core competency!

Ultimately, those analysts willing to stand up publicly or within their respective organization to make a reasoned and well explained assessment should be applauded. My hats off to those intelligence analysts.

The value of attribution

There is a continuous debate in the information security community about the usefulness of attribution. First, attribution is attainable and happens at various levels all the time. Attribution comes in various levels such as a specific person, a group, a nation-state, an general effort, etc. Attribution absolutely can provide valuable insight that is relevant to decision-making at all levels.

As an example, let’s assume that we are a member of the information security team of an organization that had several machines infected with WannaCry. Our machines contained business critical files that were encrypted. Initially, we believe this ransomware is deployed by financially motivated cyber criminals. Conventional wisdom suggests that if you pay a criminal to decrypt your ransomed files, there’s a high probability they will be decrypted. At this point you advise your executives that if you paid the less than $1,000 USD, your systems will likely be decrypted.

You later learn, having not paid for your files to be decrypted yet, that North Korea is the most likely culprit for the ransomware on your systems. Your organization is based in South Korea and is involved with economic policy research. How would the likely attribution of WannaCry to North Korea change how your organization would respond to the ransomed systems?

Dealing with uncertain answers is the name of the game

As a cyber threat intelligence professional, it’s up to us to use our skills and experience to help our intelligence consumers understand the who, what, why, when, how…and what else. A lot of that involves dealing with uncertainty and a lack of information where (at the time) there is no right or wrong answer. At the end of the day the intelligence game is like criminal profiling. You hope that you will be right 99.9% of the time, but you operate under the assumption that you are right 100% of the time because the benefit of doing so greatly outweighs the disadvantages of doing so.

With regards to WannaCry and the companies that publicly expressed their opinion based on who was behind it, congratulations. I was very impressed with the reasoned arguments and confidence levels expressed. Props especially to Neel Mehta from Google, Kaspersky, Symantec, Digital Shadows (big props!) and of course the Intel 471 team. To those that ridiculed the organizations that had the expertise and courage to make and explain their assertions, hopefully you will be part of the cyber threat intelligence community in the future.

Express your opinion, the reasons behind it, your level of confidence and don’t be afraid to be wrong

Don’t be afraid to express your opinion, why you think it, your level of confidence, multiple hypothesis and even highlight your information gaps. On the Intel 471 side, despite publicly saying that we believed North Korea was the most likely culprit for WannaCry, we spent and continue to spend time and resources on researching financially motivated cyber criminals who might be the culprit. We are effectively researching avenues that would be counter to what we said publicly as our confidence level in our assertion was low.

If you just publish facts, you are more a journalist or police officer, not a cyber threat intelligence analyst

Former CIA Director John Brennan summed up the intelligence game versus evidence gathering well during a recent hearing:

A US Congressman asked if Brennan (former CIA Director) had “evidence” of collusion between Trump and Russia.
“I don’t do evidence,” Brennan replied.

If you sat on the fence of the WannaCry attribution debate and said there wasn’t enough information for you to form an opinion on who the likely culprit was, have a close look at whether in the past you have been simply reporting facts like a reporter or police officer doing an investigation. A true intelligence analyst must have the ability to deal with information gaps and uncertainty as well as effectively fight their biases. It’s a reality of the space we live in.

Sources: