惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

人人都是产品经理
人人都是产品经理
MyScale Blog
MyScale Blog
Y
Y Combinator Blog
罗磊的独立博客
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
P
Proofpoint News Feed
Google DeepMind News
Google DeepMind News
V
Vulnerabilities – Threatpost
T
The Blog of Author Tim Ferriss
云风的 BLOG
云风的 BLOG
Recorded Future
Recorded Future
N
News and Events Feed by Topic
B
Blog RSS Feed
阮一峰的网络日志
阮一峰的网络日志
博客园_首页
C
CXSECURITY Database RSS Feed - CXSecurity.com
博客园 - 【当耐特】
N
Netflix TechBlog - Medium
博客园 - 叶小钗
B
Blog
Vercel News
Vercel News
T
Tenable Blog
T
The Exploit Database - CXSecurity.com
Spread Privacy
Spread Privacy
T
Threat Research - Cisco Blogs
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Last Week in AI
Last Week in AI
F
Fortinet All Blogs
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Microsoft Security Blog
Microsoft Security Blog
S
Securelist
Microsoft Azure Blog
Microsoft Azure Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
P
Palo Alto Networks Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
D
DataBreaches.Net
Cyberwarzone
Cyberwarzone
Engineering at Meta
Engineering at Meta
Martin Fowler
Martin Fowler
G
GRAHAM CLULEY
Project Zero
Project Zero
Cisco Talos Blog
Cisco Talos Blog
A
Arctic Wolf
C
CERT Recently Published Vulnerability Notes
L
LangChain Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
C
Check Point Blog
A
About on SuperTechFans
W
WeLiveSecurity
The GitHub Blog
The GitHub Blog

Intel 471 Blog

TeamPCP Supply Chain Attacks Turning Geopolitical Tension into Actionable Intelligence CVE-2025-68613: Zerobot botnet exploits critical vulnerability impacting n8n AI orchestration platform Introducing Cyber Threat Exposure Bundle: A Unified Approach to External Risk CVE-2026-20127: Critical Cisco SD-WAN vulnerability exploited in wild Handala Threat Group OpenClaw: A viral AI assistant and a magnet for infostealer malware and ClickFix trickery Israeli, US strikes against Iran triggers a surge in hacktivist activity CVE-2026-1731: Finding a critical RCE in an age of AI-driven vulnerability research Born to bypass MFA: Taking down Tycoon 2FA The UK Cyber Security Resilience Bill How AI and the human advantage beat tomorrow’s threats Winter Olympics 2026: Hacktivism Surges Ahead of Protests and Suspected Sabotage How Threat Hunting and “Good” Metrics Help The Business Likely fake ransomware operator 0APT causes panic — Our analysis Hunting APTs: from state policy to TTPs CrazyHunter Ransomware DevMan Ransomware Introducing HUNTER Tuning: a New Tool for Driving Behavioral Threat Hunt Detections Battling check fraud in the U.S. Gootloader Malware Update Shai-Hulud Worm 2.0 New FvncBot Android banking trojan targets Poland White Paper Preview: Black "Fraud Day” and Beyond — The Key Cyber Threats Facing the Retail Sector this Holiday Season Threat hunting case study: Detecting IAB activity Using deception to extract cyber threat intelligence Lynx Ransomware Qilin Ransomware Group ClickFix: Tricking users into installing infostealers Cybercrime Takedowns: Trust, Partnerships and Focus How card fraud is powered by underground card checkers Tracking down The Com Turning Chaos into Clarity: The Next Phase of Intel 471’s Geopolitical Intelligence Solution The FBI’s Group 78: Covertly fighting ransomware? How threat actors bypass multifactor authentication Crimson Collective In a digital age, US paper check fraud flourishes How you can defend against AI-driven fraud and phishing Detecting cybercriminal activity on Telegram NPM - Shai-Hulud Worm Threat hunting case study: ToolShell AMOS Stealer How AI can (and can’t) help in threat hunting The Phrack leak: Examining an APT’s workstation How initial access offers power intrusions and ransomware Drawing value from cyber threat intelligence “Pig-Butchering” Scams: The Dark Side of Social Engineering and Why Terminology Matters After disruption, XSS cybercrime forum faces loss of trust Update: Salt Typhoon Bridging the CTI Gap: New Exposure Modules on Verity471 Deliver Market-Disrupting Views of Threats Introducing Verity471: Cyber Threat Intelligence Ready to Operationalize FileFix Social Engineering Technique Guided Threat Hunts Takes Your Behavioral Threat Hunting to the Next Level Defending against doxing CVE-2025-53770 - Microsoft Sharepoint Mass Exploitation (ToolShell) Threat hunting case study: Lumma infostealer Pro-Russian hacktivism: Shifting alliances, new groups and risks mommy Access Broker NATO summit commences in tandem with tense cyber, kinetic conflict A look at ‘Tinker,’ Black Basta’s phishing fixer, negotiator Threat hunting case study: DragonForce Two critical challenges facing CTI teams and how to overcome them: Intel 471’s additional insights into the SANS 2025 CTI Survey Android malware trends: Stealthier, easier-to-use Fingerprinting threat actors by their anonymity techniques DanaBot malware disrupted, threat actors named Intel 471 brings HUNTER behavioral threat hunts to Google Security Operations SANS 2025 CTI Survey: It’s Business Time for Cyber Risk How an alleged Russian hacker slipped away Threat hunting case study: Medusa ransomware CVE-2025-31324 - SAP NetWeaver Vulnerability DragonForce Ransomware Managing a cyber crisis LabHost: A defunct but potent phishing service Understanding and threat hunting for RMM software misuse Threat-hunting case study: Windows Management Instrumentation abuse VanHelsing Ransomware An in-depth look at Black Basta's TTPs Six Key Takeaways From the SANS 2025 Threat Hunting Survey Update: Medusa Ransomware Writing high-quality IDS detection rules Threat hunting case study: RMM software Update: LockBit Ransomware Zservers: Bulletproof hosting for online crime Update: Black Basta Ransomware and Threat Group Black Basta exposed: A look at a cybercrime data leak BadPilot Campaign The evolution of Russian cybercrime Android trojan TgToxic updates its capabilities Threat hunting case study: SocGholish DeepSeek AI poses cybersecurity risks Law enforcement hammered cybercrime in 2024. Is it working? Remote Monitoring and Management (RMM) Abuse How threat actors are using artificial intelligence Threat hunting case study: PsExec How ransomware may trend in 2025 What 2025 May Hold for Cybersecurity Bring Your Own Hunts to HUNTER ‘Tis the Season to Be Alert for Cyber Threats: 5 Unjoyful Holiday Tactics Collecting Useful CTI from Underground Markets Expanding source coverage: adding Signal chats to threat intelligence
The Trouble With Threat Intelligence Today
Intel 471 · 2020-06-04 · via Intel 471 Blog

Up-to-date intelligence about the current state of the cyber threat landscape can provide valuable clues for responding to incidents within enterprise environments. However, not all threat intelligence is created equally.

As a longtime security researcher and analyst, I feel that the term ‘threat intelligence’ still stands at buzzword status for most vendors and practitioners. And, unfortunately, not a lot of people actually know what true threat intelligence should look like. Some people believe that threat intelligence is just a threat feed, others see it as lofty reports with tons of great information that are great from a research perspective but tend to be tough to take action on in an enterprise environment.

You’ve got to keep in mind that there are three major stages of analysis in building threat intelligence. There’s data, there’s information, and then there’s intelligence. As raw data passes through an analytical lens—typically automated—it becomes information. Then it passes through another finer lens that usually takes heavy lifting from an experienced human analyst. That is when it eventually becomes intelligence. That final stage of becoming intelligence should require the information to be organized in a way that is immediately actionable—or sometimes even in actionable.

To simplify it, let’s use a metaphor. Let’s say you have information that tells you a train is coming. You’re standing by the tracks and you have two options. You can either run across the tracks or you can stay away from them. In order for that information to be really useful intelligence, you need the added context of when the train is coming. If it is coming in 12 minutes then you know you have enough time to cross the tracks. But if it is coming in 12 seconds, then maybe the best course of action is to do nothing.

It’s cues like this that elevate information into intelligence. As such, I believe that the best threat intelligence contains contextual information that provide insight into three important dimensions: timeliness, actionability, and reliability.

THREE DIMENSIONS OF INTELLIGENCE

On timeliness, threat intelligence generally has a variable window of relevance, so if it’s in reference to activity that’s months old, the value may be low compared to activity that has happened within the last few days. Meanwhile, on the actionability front, the intelligence needs to be as closely applicable to your environments, your industry, and your situation as possible. If it includes information relating to the oil sector with little vertical crossover and you’re in retail, that’s not intelligence you can act upon. And finally, there’s reliability. If the contained information starts lighting up security controls like a Christmas tree with false positive alerts, that’s going to cause you to question all of the intelligence within that feed.

THE PUZZLE DOESN’T WORK WITHOUT ALL THE PIECES

The problem with a lot of threat intel feeds today is that they rarely hit all of the dimensions I mention. They may provide one or two pieces of information alongside whatever indicator of compromise that’s presented. For example, a feed might include the malware family—and that’s not even a guarantee. A lot of threat feeds are simply listings with no context surrounding IPs, domains, URLs, hashes, registry keys and the like; however, these indicators are often rarely vetted—especially in free threat feeds. For example, in one case I witnessed a threat feed that shared indicators collected through detonating malware in a sandbox and collecting the raw indicators with little or no human intervention. This resulted in hundreds or thousands of legitimate domains being assessed as malicious, and the wasting of analysts’ time and efforts to determine if a compromise had occurred.

THREAT INTELLIGENCE: MORE THAN JUST A BUZZWORD

The security industry needs to demand more and better contextualization from threat intelligence. Intelligence should offer defenders contextualized information and additional steps for investigation or triage. And they need to be vetted.

This is exactly the kind of work we’re focused on here at Cyborg and in coming blog installments I’ll explain how we do our research to provide high quality intelligence and context for SOC analysts and threat hunters out there fighting the good fight.

Want more insight on what it takes for threat hunting to work well? Read our blog, Threat Hunting and You: Why Content Is Critical to Threat Hunting