惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
C
CXSECURITY Database RSS Feed - CXSecurity.com
L
LINUX DO - 热门话题
S
Secure Thoughts
TaoSecurity Blog
TaoSecurity Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
T
Threat Research - Cisco Blogs
AI
AI
B
Blog RSS Feed
S
Schneier on Security
雷峰网
雷峰网
Schneier on Security
Schneier on Security
Help Net Security
Help Net Security
Cloudbric
Cloudbric
L
LINUX DO - 最新话题
罗磊的独立博客
有赞技术团队
有赞技术团队
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Apple Machine Learning Research
Apple Machine Learning Research
P
Proofpoint News Feed
酷 壳 – CoolShell
酷 壳 – CoolShell
The Hacker News
The Hacker News
博客园 - Franky
Attack and Defense Labs
Attack and Defense Labs
The Cloudflare Blog
Webroot Blog
Webroot Blog
Last Week in AI
Last Week in AI
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
博客园 - 叶小钗
美团技术团队
L
Lohrmann on Cybersecurity
T
The Blog of Author Tim Ferriss
The Last Watchdog
The Last Watchdog
T
Troy Hunt's Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Vercel News
Vercel News
Know Your Adversary
Know Your Adversary
O
OpenAI News
博客园 - 【当耐特】
Hacker News - Newest:
Hacker News - Newest: "LLM"
C
Cybersecurity and Infrastructure Security Agency CISA
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
www.infosecurity-magazine.com
www.infosecurity-magazine.com
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
PCI Perspectives
PCI Perspectives
H
Heimdal Security Blog
I
InfoQ
GbyAI
GbyAI
T
Threatpost
C
Cisco Blogs

Intel 471 Blog

TeamPCP Supply Chain Attacks Turning Geopolitical Tension into Actionable Intelligence CVE-2025-68613: Zerobot botnet exploits critical vulnerability impacting n8n AI orchestration platform Introducing Cyber Threat Exposure Bundle: A Unified Approach to External Risk CVE-2026-20127: Critical Cisco SD-WAN vulnerability exploited in wild Handala Threat Group OpenClaw: A viral AI assistant and a magnet for infostealer malware and ClickFix trickery Israeli, US strikes against Iran triggers a surge in hacktivist activity CVE-2026-1731: Finding a critical RCE in an age of AI-driven vulnerability research Born to bypass MFA: Taking down Tycoon 2FA The UK Cyber Security Resilience Bill How AI and the human advantage beat tomorrow’s threats Winter Olympics 2026: Hacktivism Surges Ahead of Protests and Suspected Sabotage How Threat Hunting and “Good” Metrics Help The Business Likely fake ransomware operator 0APT causes panic — Our analysis Hunting APTs: from state policy to TTPs CrazyHunter Ransomware DevMan Ransomware Introducing HUNTER Tuning: a New Tool for Driving Behavioral Threat Hunt Detections Battling check fraud in the U.S. Gootloader Malware Update Shai-Hulud Worm 2.0 New FvncBot Android banking trojan targets Poland White Paper Preview: Black "Fraud Day” and Beyond — The Key Cyber Threats Facing the Retail Sector this Holiday Season Threat hunting case study: Detecting IAB activity Using deception to extract cyber threat intelligence Lynx Ransomware Qilin Ransomware Group ClickFix: Tricking users into installing infostealers Cybercrime Takedowns: Trust, Partnerships and Focus How card fraud is powered by underground card checkers Tracking down The Com Turning Chaos into Clarity: The Next Phase of Intel 471’s Geopolitical Intelligence Solution The FBI’s Group 78: Covertly fighting ransomware? How threat actors bypass multifactor authentication Crimson Collective In a digital age, US paper check fraud flourishes How you can defend against AI-driven fraud and phishing Detecting cybercriminal activity on Telegram NPM - Shai-Hulud Worm Threat hunting case study: ToolShell AMOS Stealer How AI can (and can’t) help in threat hunting The Phrack leak: Examining an APT’s workstation How initial access offers power intrusions and ransomware Drawing value from cyber threat intelligence “Pig-Butchering” Scams: The Dark Side of Social Engineering and Why Terminology Matters After disruption, XSS cybercrime forum faces loss of trust Update: Salt Typhoon Bridging the CTI Gap: New Exposure Modules on Verity471 Deliver Market-Disrupting Views of Threats Introducing Verity471: Cyber Threat Intelligence Ready to Operationalize FileFix Social Engineering Technique Guided Threat Hunts Takes Your Behavioral Threat Hunting to the Next Level Defending against doxing CVE-2025-53770 - Microsoft Sharepoint Mass Exploitation (ToolShell) Threat hunting case study: Lumma infostealer Pro-Russian hacktivism: Shifting alliances, new groups and risks mommy Access Broker NATO summit commences in tandem with tense cyber, kinetic conflict A look at ‘Tinker,’ Black Basta’s phishing fixer, negotiator Threat hunting case study: DragonForce Two critical challenges facing CTI teams and how to overcome them: Intel 471’s additional insights into the SANS 2025 CTI Survey Android malware trends: Stealthier, easier-to-use Fingerprinting threat actors by their anonymity techniques DanaBot malware disrupted, threat actors named Intel 471 brings HUNTER behavioral threat hunts to Google Security Operations SANS 2025 CTI Survey: It’s Business Time for Cyber Risk How an alleged Russian hacker slipped away Threat hunting case study: Medusa ransomware CVE-2025-31324 - SAP NetWeaver Vulnerability DragonForce Ransomware Managing a cyber crisis LabHost: A defunct but potent phishing service Understanding and threat hunting for RMM software misuse Threat-hunting case study: Windows Management Instrumentation abuse VanHelsing Ransomware An in-depth look at Black Basta's TTPs Six Key Takeaways From the SANS 2025 Threat Hunting Survey Update: Medusa Ransomware Writing high-quality IDS detection rules Threat hunting case study: RMM software Update: LockBit Ransomware Zservers: Bulletproof hosting for online crime Update: Black Basta Ransomware and Threat Group Black Basta exposed: A look at a cybercrime data leak BadPilot Campaign The evolution of Russian cybercrime Android trojan TgToxic updates its capabilities Threat hunting case study: SocGholish DeepSeek AI poses cybersecurity risks Law enforcement hammered cybercrime in 2024. Is it working? Remote Monitoring and Management (RMM) Abuse How threat actors are using artificial intelligence Threat hunting case study: PsExec How ransomware may trend in 2025 What 2025 May Hold for Cybersecurity Bring Your Own Hunts to HUNTER ‘Tis the Season to Be Alert for Cyber Threats: 5 Unjoyful Holiday Tactics Collecting Useful CTI from Underground Markets Expanding source coverage: adding Signal chats to threat intelligence
Cyber Threat Intelligence: Observing the adversary
Intel 471 · 2016-05-18 · via Intel 471 Blog

By Mark Arena, CEO of Intel 471.

Following my previous blog post that compared the incident-centric and actor-centric approaches to cyber threat intelligence, this post will detail a number of ways we can potentially observe our adversary. I’ll preface this post by saying that prioritizing and identifying who the adversary is, their motivations, their intentions and goals will drive where you seek to observe them. This could be different depending on the vertical in which your organization sits.

The #1 place to observe your adversary is your own attack surface

The top and hopefully most well known place to observe your adversary is your attack surface. If you’re a financial institution or managed security service provider (MSSP), we could include things touching your customer’s attack surface as being another top place to observe your adversary. Analysis of logs sourced from your security devices is a great way to identify the type of cyber threat activity that is impacting you directly. Although Intel 471 is an intelligence vendor, we still believe that an organization’s #1 source of relevant threat data is their own attack surface. One of the first steps into developing a threat intelligence program should be the identification, consumption, and analysis of all relevant internal sources of information to include attack surface data.

b42cf 0ubo5ofv6lf3gnlsu 300x52

Referencing the incident-centric approach detailed in our previous blog post, our goal is to build off our incident information to identify the TTPs (Tactics, Techniques and Procedures) and associated campaigns then ultimately the actor piece to include the who, motivations, goals and intent.

In most cases the attack surface provides technical information such as:

  • Files (filenames, hashes, etc) that are dropped onto a system that is compromised;
  • Registry keys added/changed;
  • Command and control (C2) server information (domains, URI paths, IP addresses, domain registration email address, etc).

In addition to identifying potential incidents, analysis of technical data can lead to the identification of TTPs and campaigns:

  • How was the malware dropped onto the system, i.e.:
Was it a targeted spear-phish sent to a specific target?
Was it the result of a user visiting a compromised website that was tied to a specific exploit pack thus not targeted in nature?
What exploit/exploit method was used?
  • What malware was dropped on the compromised system?
  • What functionality did the malware provide?
  • What other tools were dropped on to the compromised system?
  • What did the malware and tools enable the threat actor to access on the compromised system or the wider network?
  • Where there other internal or external victims of the same or similar attacks?

When answering the question of who the actor is, the usefulness of attribution to a specific person often depends on the motivation of the threat actor. For example, knowing the personal identity of a threat actor involved with state sponsored cyber espionage is only truly useful to a very small number of organizations.

However, when it comes to cybercrime and hacktivism knowing the actual person behind the keyboard provides additional options for a victim organization, such as submitting a complaint to law enforcement. There is continuous debate in the information security community about the usefulness of attribution of threat actors and groups, but we believe that attribution to various levels (person, group, nation-state, etc.) provides valuable insights that support decision-making at all levels.

The most value of actor-centric information lies with identifying motivations, goals and intent. This enables analysts to produce predictive intelligence that can drive proactive decision making and action at numerous levels of an organization.

Collaboration with similar organizations and your competitors

Collaboration with similar organizations, even your competitors, is another great way to observe your adversary. We’ve previously written why organizations shouldn’t have tunnel vision by focussing on threats that only mention or impact your organization directly. It’s a given that the same threat actors impacting your competitors or other organizations in the same vertical or sector as you are or will eventually turn their focus to you. The panacea of a threat intelligence program is to be proactive, predictive and ahead of the adversary. Examining this activity will often allow you to proactively block or detect this activity through policy or security control changes among other things however, don’t forget to share back as it’s a two-street. If you don’t, you’ll quickly become the organization that nobody wants to share with. It’s in the business interests of all parties, competitor or not, to establish some type of sharing and collaboration. An Information Sharing and Analysis Center or (ISAC) may also be available for your specific sector which may share information on threat actors impacting or seeking to impact your sector.

The government

Traditionally governments have not been good at sharing and collaborating with the private sector, but with the massive impact of cyber threats impacting the private sector and the private sector effectively running the internet, they’ve been forced to both share and collaborate. They still might not be the fastest to share nor the best at doing it efficiently, but there are certainly elements within various government departments that are fighting the good fight to be able to share threat data with the private sector in a timely and efficient manner. This can be a very valuable resource for your threat intelligence program.

Technical collection

Technical collection can be described in general as legal infrastructure and toolset monitoring. Infrastructure monitoring can involve targeting threat actor’s re-use of things such as:

  • IP addresses for command and control (C2) servers
  • Malicious host names
  • URIs (paths for command and control servers)
  • Email addresses to register domains

Toolset monitoring can involve things like:

  • Creation of YARA signatures to upload to VirusTotal to be alerted on new samples submitted there
  • Google Alerts on specific malware string names

Places where threat actors plan and collaborate

A final place to observe the adversary is where they communicate, plan, and collaborate. I personally dislike the term deep/dark web but rather like to segment these sources into two types:

  • Open sources: places where you can observe or gain access simply by searching Google (or other search engines) with no barrier to entry. Other examples are social networks such as Facebook and Twitter.
  • Closed sources: places where some barrier of entry exists. At the lower level this might be a forum requiring registration for access. At the upper level it might be a vetted or invite only cyber crime forums and marketplaces.

Advantages of monitoring open and closed sources where threat actors communicate, plan and collaborate:

  • Identification of actors and attacks early in the planning stages of an attack against your organization before it appears on your attack surface
  • Enables a greater understanding of the business process, enablers and pain points behind cyber threat activity and threat actors.
  • Supports the production of predictive intelligence that enables proactive decision making at various levels (NOC/SOC, fraud, executive, risk management, etc)

Disadvantages of monitoring open and closed sources where threat actors communicate, plan and collaborate:

  • Sometimes difficult to extrapolate from information that does not directly mention or impact your organization
  • Often information is non-technical in nature making it difficult to equate that to specific observables you can look for on your attack surface
  • Risk of additional attacks or focus if your organization is exposed as being active where threat actors interact.