惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

博客园_首页
阮一峰的网络日志
阮一峰的网络日志
S
Secure Thoughts
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
C
Cyber Attacks, Cyber Crime and Cyber Security
T
Threat Research - Cisco Blogs
P
Privacy & Cybersecurity Law Blog
The Hacker News
The Hacker News
H
Heimdal Security Blog
W
WeLiveSecurity
L
LINUX DO - 热门话题
Hacker News: Ask HN
Hacker News: Ask HN
WordPress大学
WordPress大学
The Last Watchdog
The Last Watchdog
Hugging Face - Blog
Hugging Face - Blog
博客园 - 【当耐特】
D
DataBreaches.Net
I
Intezer
Webroot Blog
Webroot Blog
C
Cisco Blogs
AWS News Blog
AWS News Blog
博客园 - 聂微东
T
The Blog of Author Tim Ferriss
V
Vulnerabilities – Threatpost
罗磊的独立博客
Google DeepMind News
Google DeepMind News
N
Netflix TechBlog - Medium
Schneier on Security
Schneier on Security
宝玉的分享
宝玉的分享
博客园 - 叶小钗
PCI Perspectives
PCI Perspectives
D
Docker
Scott Helme
Scott Helme
NISL@THU
NISL@THU
J
Java Code Geeks
B
Blog RSS Feed
Google Online Security Blog
Google Online Security Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
The Exploit Database - CXSecurity.com
AI
AI
美团技术团队
Cloudbric
Cloudbric
月光博客
月光博客
P
Proofpoint News Feed
T
Tailwind CSS Blog
Google DeepMind News
Google DeepMind News
小众软件
小众软件
www.infosecurity-magazine.com
www.infosecurity-magazine.com
The Cloudflare Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org

Intel 471 Blog

TeamPCP Supply Chain Attacks Turning Geopolitical Tension into Actionable Intelligence CVE-2025-68613: Zerobot botnet exploits critical vulnerability impacting n8n AI orchestration platform Introducing Cyber Threat Exposure Bundle: A Unified Approach to External Risk CVE-2026-20127: Critical Cisco SD-WAN vulnerability exploited in wild Handala Threat Group OpenClaw: A viral AI assistant and a magnet for infostealer malware and ClickFix trickery Israeli, US strikes against Iran triggers a surge in hacktivist activity CVE-2026-1731: Finding a critical RCE in an age of AI-driven vulnerability research Born to bypass MFA: Taking down Tycoon 2FA The UK Cyber Security Resilience Bill How AI and the human advantage beat tomorrow’s threats Winter Olympics 2026: Hacktivism Surges Ahead of Protests and Suspected Sabotage How Threat Hunting and “Good” Metrics Help The Business Likely fake ransomware operator 0APT causes panic — Our analysis Hunting APTs: from state policy to TTPs CrazyHunter Ransomware DevMan Ransomware Introducing HUNTER Tuning: a New Tool for Driving Behavioral Threat Hunt Detections Battling check fraud in the U.S. Gootloader Malware Update Shai-Hulud Worm 2.0 New FvncBot Android banking trojan targets Poland White Paper Preview: Black "Fraud Day” and Beyond — The Key Cyber Threats Facing the Retail Sector this Holiday Season Threat hunting case study: Detecting IAB activity Using deception to extract cyber threat intelligence Lynx Ransomware Qilin Ransomware Group ClickFix: Tricking users into installing infostealers Cybercrime Takedowns: Trust, Partnerships and Focus How card fraud is powered by underground card checkers Tracking down The Com Turning Chaos into Clarity: The Next Phase of Intel 471’s Geopolitical Intelligence Solution The FBI’s Group 78: Covertly fighting ransomware? How threat actors bypass multifactor authentication Crimson Collective In a digital age, US paper check fraud flourishes How you can defend against AI-driven fraud and phishing Detecting cybercriminal activity on Telegram NPM - Shai-Hulud Worm Threat hunting case study: ToolShell AMOS Stealer How AI can (and can’t) help in threat hunting The Phrack leak: Examining an APT’s workstation How initial access offers power intrusions and ransomware Drawing value from cyber threat intelligence “Pig-Butchering” Scams: The Dark Side of Social Engineering and Why Terminology Matters After disruption, XSS cybercrime forum faces loss of trust Update: Salt Typhoon Bridging the CTI Gap: New Exposure Modules on Verity471 Deliver Market-Disrupting Views of Threats Introducing Verity471: Cyber Threat Intelligence Ready to Operationalize FileFix Social Engineering Technique Guided Threat Hunts Takes Your Behavioral Threat Hunting to the Next Level Defending against doxing CVE-2025-53770 - Microsoft Sharepoint Mass Exploitation (ToolShell) Threat hunting case study: Lumma infostealer Pro-Russian hacktivism: Shifting alliances, new groups and risks mommy Access Broker NATO summit commences in tandem with tense cyber, kinetic conflict A look at ‘Tinker,’ Black Basta’s phishing fixer, negotiator Threat hunting case study: DragonForce Two critical challenges facing CTI teams and how to overcome them: Intel 471’s additional insights into the SANS 2025 CTI Survey Android malware trends: Stealthier, easier-to-use Fingerprinting threat actors by their anonymity techniques DanaBot malware disrupted, threat actors named Intel 471 brings HUNTER behavioral threat hunts to Google Security Operations SANS 2025 CTI Survey: It’s Business Time for Cyber Risk How an alleged Russian hacker slipped away Threat hunting case study: Medusa ransomware CVE-2025-31324 - SAP NetWeaver Vulnerability DragonForce Ransomware Managing a cyber crisis LabHost: A defunct but potent phishing service Understanding and threat hunting for RMM software misuse Threat-hunting case study: Windows Management Instrumentation abuse VanHelsing Ransomware An in-depth look at Black Basta's TTPs Six Key Takeaways From the SANS 2025 Threat Hunting Survey Update: Medusa Ransomware Writing high-quality IDS detection rules Threat hunting case study: RMM software Update: LockBit Ransomware Zservers: Bulletproof hosting for online crime Update: Black Basta Ransomware and Threat Group Black Basta exposed: A look at a cybercrime data leak BadPilot Campaign The evolution of Russian cybercrime Android trojan TgToxic updates its capabilities Threat hunting case study: SocGholish DeepSeek AI poses cybersecurity risks Law enforcement hammered cybercrime in 2024. Is it working? Remote Monitoring and Management (RMM) Abuse How threat actors are using artificial intelligence Threat hunting case study: PsExec How ransomware may trend in 2025 What 2025 May Hold for Cybersecurity Bring Your Own Hunts to HUNTER ‘Tis the Season to Be Alert for Cyber Threats: 5 Unjoyful Holiday Tactics Collecting Useful CTI from Underground Markets Expanding source coverage: adding Signal chats to threat intelligence
Network Content and You: Why Logs Matter in the Age of TLS\SSL
2020-04-21 · via Intel 471 Blog

As more and more enterprise network activity is encrypted through TLS/SSL, many security pundits and marketers have devalued the security benefits of capturing encrypted and unencrypted network log data. However, we shouldn’t be so quick to dismiss network logs. Even in environments with heavy dependence on encrypted traffic, this log data can prove invaluable for real-time security analysis, forensics, and threat hunting activity.

[hubspot type=cta portal=7924572 id=d13ae3c6-78f8-41f8-b5a8-1975460104dd]

There are a couple of big reasons why network content matters for security teams and why it will remain relevant for a long time in the future.

COMMODITY ACTIVITY STILL OPERATES IN THE CLEAR

Yes, it is true that cybercriminals today will do their best to take advantage of encrypted channels to hide their tracks. However, the reality is attacks are still not carried out in complete encryption, leaving traces and artifacts analysts can use for detection and tracking. Although all of our legitimate services and privacy-focused services in the enterprise are moving to SSL, we’re a long way away before all of our network traffic is singularly encrypted. And looking into attack patterns it is also clear that for the most part the attackers are not monolithic about it, either. There still remains a great deal of commodity criminal activity that happens in the clear. Often that is due to necessity, because the bad guys can’t set up proper encryption and certificates on every single one of their delivery or command-and-control (C2) nodes in their infrastructure. Other times it’s due to circumstance, where they’re utilizing a compromised device and lack privileges or ability to deploy encryption. As such, they have to pick and choose their spots. On a practical level, this means that many criminals today are not utilizing encrypted mechanisms to carry out their initial infections. At least some part of the cyber kill chain is left unencrypted. Even if a company has no capabilities of inspecting encrypted traffic, if they inspect all of their other network traffic they’re likely to spot evidence of several attacks leaving breadcrumbs in the first stages of the attack.

EVEN SOPHISTICATED ACTORS DROP CLUES IN UNENCRYPTED TRAFFIC

If you want to talk about more sophisticated attackers, obviously they’re going to attempt to encrypt all of their activities in some way or another. Which is why when it comes to security analysis host activity will obviously be the gold standard for collection. However, for those companies that can’t afford it yet or don’t have the maturity to examine it in depth, hope is not lost. Everyone has firewall logs, and most have proxy or application-level firewall logs, so even if activity is encrypted through SSL, it’s still leaving behind some level of metadata. There’s still information about the certificate that was exchanged and you can potentially get a domain from that. There’s also still information on how much data was transferred. If you find evidence of one-sided connections where the host is sending large amounts of data but not receiving much back or vice versa, that could be a red flag.

MORE DATA IS ALWAYS BETTER WHEN HUNTING THREATS

Whenever a security analyst is tracking an infection, the more metadata they can get their hands on the better their investigation will go. In the past, we’ve seen unfortunate incidents where companies fall into the encryption stigma, saying “Everything’s going to SSL, so what good are proxy logs, without SSL interception” leading to dropping the logging or decommissioning the technology altogether. But that only hurts firms in the long run. Proxy data, IDS data, and other network connection data (such as Zeek)—even if it isn’t shipped to a SIEM—can prove vital during response for an incident or to feed threat hunts from time to time. Many times threat intelligence and open source intelligence reports will reveal a specific SSL certificate or pieces of network metadata associated with a threat actor making it is trivial to search your data for that information to look for that activity. It’s for all of these reasons that we do our best as analysts and security evangelists to fight the stigma against network content. It still matters and can prove invaluable to security professionals in the trenches. Ready to read more? Find out

Why Artificial Intelligence Can’t Save Your SOC

.

[hubspot type=cta portal=7924572 id=32a55e1d-cfee-45cb-955a-df76250797fb]