惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

博客园_首页
T
Threat Research - Cisco Blogs
GbyAI
GbyAI
Y
Y Combinator Blog
美团技术团队
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
博客园 - 【当耐特】
S
SegmentFault 最新的问题
IT之家
IT之家
Recent Announcements
Recent Announcements
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
阮一峰的网络日志
阮一峰的网络日志
T
The Blog of Author Tim Ferriss
Martin Fowler
Martin Fowler
Microsoft Azure Blog
Microsoft Azure Blog
V
Visual Studio Blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
U
Unit 42
WordPress大学
WordPress大学
博客园 - Franky
L
LangChain Blog
人人都是产品经理
人人都是产品经理
小众软件
小众软件
博客园 - 叶小钗
罗磊的独立博客
酷 壳 – CoolShell
酷 壳 – CoolShell
大猫的无限游戏
大猫的无限游戏
云风的 BLOG
云风的 BLOG
Vercel News
Vercel News
雷峰网
雷峰网
腾讯CDC
Google DeepMind News
Google DeepMind News
博客园 - 三生石上(FineUI控件)
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Help Net Security
Help Net Security
C
Check Point Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
N
News and Events Feed by Topic
V2EX - 技术
V2EX - 技术
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Schneier on Security
Schneier on Security
博客园 - 聂微东
A
Arctic Wolf
H
Heimdal Security Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Recent Commits to openclaw:main
Recent Commits to openclaw:main
T
The Exploit Database - CXSecurity.com
C
Cyber Attacks, Cyber Crime and Cyber Security
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Google DeepMind News
Google DeepMind News

Intel 471 Blog

TeamPCP Supply Chain Attacks Turning Geopolitical Tension into Actionable Intelligence CVE-2025-68613: Zerobot botnet exploits critical vulnerability impacting n8n AI orchestration platform Introducing Cyber Threat Exposure Bundle: A Unified Approach to External Risk CVE-2026-20127: Critical Cisco SD-WAN vulnerability exploited in wild Handala Threat Group OpenClaw: A viral AI assistant and a magnet for infostealer malware and ClickFix trickery Israeli, US strikes against Iran triggers a surge in hacktivist activity CVE-2026-1731: Finding a critical RCE in an age of AI-driven vulnerability research Born to bypass MFA: Taking down Tycoon 2FA The UK Cyber Security Resilience Bill How AI and the human advantage beat tomorrow’s threats Winter Olympics 2026: Hacktivism Surges Ahead of Protests and Suspected Sabotage How Threat Hunting and “Good” Metrics Help The Business Likely fake ransomware operator 0APT causes panic — Our analysis Hunting APTs: from state policy to TTPs CrazyHunter Ransomware DevMan Ransomware Introducing HUNTER Tuning: a New Tool for Driving Behavioral Threat Hunt Detections Battling check fraud in the U.S. Gootloader Malware Update Shai-Hulud Worm 2.0 New FvncBot Android banking trojan targets Poland White Paper Preview: Black "Fraud Day” and Beyond — The Key Cyber Threats Facing the Retail Sector this Holiday Season Threat hunting case study: Detecting IAB activity Using deception to extract cyber threat intelligence Lynx Ransomware Qilin Ransomware Group ClickFix: Tricking users into installing infostealers Cybercrime Takedowns: Trust, Partnerships and Focus How card fraud is powered by underground card checkers Tracking down The Com Turning Chaos into Clarity: The Next Phase of Intel 471’s Geopolitical Intelligence Solution The FBI’s Group 78: Covertly fighting ransomware? How threat actors bypass multifactor authentication Crimson Collective In a digital age, US paper check fraud flourishes How you can defend against AI-driven fraud and phishing Detecting cybercriminal activity on Telegram NPM - Shai-Hulud Worm Threat hunting case study: ToolShell AMOS Stealer How AI can (and can’t) help in threat hunting The Phrack leak: Examining an APT’s workstation How initial access offers power intrusions and ransomware Drawing value from cyber threat intelligence “Pig-Butchering” Scams: The Dark Side of Social Engineering and Why Terminology Matters After disruption, XSS cybercrime forum faces loss of trust Update: Salt Typhoon Bridging the CTI Gap: New Exposure Modules on Verity471 Deliver Market-Disrupting Views of Threats Introducing Verity471: Cyber Threat Intelligence Ready to Operationalize FileFix Social Engineering Technique Guided Threat Hunts Takes Your Behavioral Threat Hunting to the Next Level Defending against doxing CVE-2025-53770 - Microsoft Sharepoint Mass Exploitation (ToolShell) Threat hunting case study: Lumma infostealer Pro-Russian hacktivism: Shifting alliances, new groups and risks mommy Access Broker NATO summit commences in tandem with tense cyber, kinetic conflict A look at ‘Tinker,’ Black Basta’s phishing fixer, negotiator Threat hunting case study: DragonForce Two critical challenges facing CTI teams and how to overcome them: Intel 471’s additional insights into the SANS 2025 CTI Survey Android malware trends: Stealthier, easier-to-use Fingerprinting threat actors by their anonymity techniques DanaBot malware disrupted, threat actors named Intel 471 brings HUNTER behavioral threat hunts to Google Security Operations SANS 2025 CTI Survey: It’s Business Time for Cyber Risk How an alleged Russian hacker slipped away Threat hunting case study: Medusa ransomware CVE-2025-31324 - SAP NetWeaver Vulnerability DragonForce Ransomware Managing a cyber crisis LabHost: A defunct but potent phishing service Understanding and threat hunting for RMM software misuse Threat-hunting case study: Windows Management Instrumentation abuse VanHelsing Ransomware An in-depth look at Black Basta's TTPs Six Key Takeaways From the SANS 2025 Threat Hunting Survey Update: Medusa Ransomware Writing high-quality IDS detection rules Threat hunting case study: RMM software Update: LockBit Ransomware Zservers: Bulletproof hosting for online crime Update: Black Basta Ransomware and Threat Group Black Basta exposed: A look at a cybercrime data leak BadPilot Campaign The evolution of Russian cybercrime Android trojan TgToxic updates its capabilities Threat hunting case study: SocGholish DeepSeek AI poses cybersecurity risks Law enforcement hammered cybercrime in 2024. Is it working? Remote Monitoring and Management (RMM) Abuse How threat actors are using artificial intelligence Threat hunting case study: PsExec How ransomware may trend in 2025 What 2025 May Hold for Cybersecurity Bring Your Own Hunts to HUNTER ‘Tis the Season to Be Alert for Cyber Threats: 5 Unjoyful Holiday Tactics Collecting Useful CTI from Underground Markets Expanding source coverage: adding Signal chats to threat intelligence
Cyber Threat Intelligence: Comparing the incident-centric and actor-centric approaches
2016-05-19 · via Intel 471 Blog

By Mark Arena, CEO of Intel 471.

When it comes to cyber threat intelligence, the security industry mostly appears to take the view that indicators of compromise (IOCs) are the best approach to initiate/drive the intelligence process. If we take a step back and look at traditional intelligence concepts, we will find the following definition of intelligence:

“Simply defined, intelligence is information that has been analyzed and refined so that it is useful to policymakers in making decisions — specifically, decisions about potential threats to our national security.”

Consumers of indicators of compromise within an enterprise are typically on the ground network defenders yet the definition above shows intelligence defined as being useful to policymakers or executives. Based on this definition, we will make the case that an actor-centric approach to cyber threat intelligence enables predictive analysis and hence is useful to executives within your organization. I’ll preface this blog post by saying that while Intel 471 provides actor-centric cyber threat intelligence collection and information, we are not favoring one approach over the other. Additionally, we are not implying these are the only approaches to building a threat intelligence program. Rather, we believe that any threat intelligence program should include both an incident-centric and actor-centric approach.

Brian Krebs recently wrote an article that illustrated the fact there is real value in adversary or actor-centric intelligence collection when assessing cyber threats and the risk posed by them. The article also highlighted there are efficiency gains to be had through understanding threat actor and groups. Brian sums it up nicely with the following quote from ThreatConnect:

“Now if we consider for a moment the man hours and ad hoc reprioritization for many security teams globally who were queried or tasked to determine if their organization was at risk to Rombertik — had the organizations also had adversary intelligence of Ogundokun’s rudimentary technical and operational sophistication, they would have seen a clearer comparison of the functional capabilities of the Rombertik/Carbon Grabber contrasted against the operator’s (Ogundokun) intent, and could have more effectively determined the level of risk.”

An incident-centric approach

b997e 0tzymyito6uhl x1p 300x53

The incident-centric (or IOC-centric) approach typically begins with the detection of an event such as reconnaissance, or compromise. Really we’re operating in an incident-centric approach anytime the intelligence process is initiated and/or driven from IOCs (Indicators of Compromise). For example, a response effort might identify the following that kicks off the intelligence process:

  • Files (filenames, hashes, etc) that are dropped onto the system;
  • Registry keys added/changed;
  • Command and control (C2) server information (domains, URI paths, IP addresses, etc).

Using these IOCs we want to build out an understanding of the tactics, techniques and procedures (TTPs) and the higher-level campaign associated with this event. We are effectively trying to understand:

  • How did the malicious files end up on the compromised computer?
An exploit kit from an innocent user browsing websites?
A targeted spear-phish that was sent to the compromised user?
What exploits/exploit method was used to compromise the system?
  • What malware family was dropped on to the compromised system and what was its functionality?
  • What would the malware and associated access have allowed the threat actor to do on the system or network?

Pros of the incident-centric approach:

  • Direct relevance is established, as the intelligence effort dovetails from an incident response that has already impacted your organization;
  • Potentially allows identification of the threat actors and groups that are targeting your organization;
  • Provides IOCs that can be used to aid in the identification of compromise from the same threat actor, campaign and incidents across an organization.

Cons of the incident-centric approach:

  • Reactive approach initiated after your organization has already been impacted to some degree;
  • Focuses primarily on the attack surface and doesn’t reflect the process that the threat actor needs to go through to impact your organization. For example it doesn’t cover a threat actor seeking:
Exploits to purchase;
Malware to purchase;
Hosting.
  • Difficult to be predictive.

An actor-centric approach

4b33b 02byqidcwyohhci m 300x53

There is continuous debate in the information security community about the usefulness of attribution of threat actors and groups, but we believe that attribution to various levels (person, group, nation-state, etc.) provides valuable insights that support decision-making at all levels.

The actor-centric approach starts with threat actors or groups, which is the reverse of the incident-centric approach. It should be noted that by solely focusing on threat actors that have mentioned your organization, you will lose the ability to be proactive. Brand monitoring can serve a valuable purpose, but we do not believe that it’s effective approach in isolation to collect proactively against threat actors. There are a number of threat actors that are attempting to impact your organization, but you may not observe them mentioning your organization by name. Therefore we believe it is best to focus on all actors, to include enabling actors, that might impact your sector/vertical.

Starting with the threat actors themselves, we want to understand:

  • Who are they?
  • What are their associations with enabling actors and partners?
  • What are their motivations?
  • What are their technical skills and abilities?
  • What are their TTPs?

Once we understand this actor-centric information, we want to fuse this information through analysis and correlation with other intelligence information. Ideally we could then tie their TTPs and campaigns to specific IOCs as well.

Pros of the actor-centric approach:

  • Enables your organization to be proactive and predictive;
  • Provides context around an actor’s motivations and their abilities before an incident occurs;
  • Focused on adversary’s business process rather than just the elements that (could) impact an organization’s attack surface.

Cons of the actor-centric approach:

  • Relevance to your organization might not be readily apparent;
  • It is challenging to gain and maintain accesses where threat actors and groups operate;
  • Requires analytical effort to fuse with your other sources of information;
  • Requires regularly updated prioritization of threat actors to focus on;
  • May be missing IOCs to look for within your organization.

Conclusion

The incident-centric approach is a required aspect of any mature threat intelligence program. On its own, it’s effectively the equivalent of the United States government monitoring Russia’s missile program solely by watching Russian soldiers firing missiles at and inside Ukraine, which they almost certainly are. In that example, you can be sure that the US government monitors Russian defense contractors, enablers and developers of Russian’s missile program at the direct person and organizational level.

With regards to the actor-centric approach, one could argue whether it is actionable or not. On its own and in isolation it probably isn’t, but when fused, stored and correlated with your own organization’s data/information and other sources of information it can be both predictive and actionable. Feeds of IOCs are frequently incorrectly referred to as actionable cyber threat intelligence within the security industry when this is simply raw data and another source of information.

If your organization simply takes external feeds of IOCs and automatically blocks them, you do not have an intelligence program. If you analyze (with a person) multiple sources of information in order to produce an output that is timely, relevant to your organization, and based on predetermined requirements, then you have an intelligence program.