Threat Inteliigence / OSINT / NETSEC / NATSEC

OSINT in perspective - US IC OSINT strategy 2024-2026

The US Intelligence Community (IC) is formalizing its approach to the use of open sources, as evidenced by the recently presented OSINT strategy for 2024-2026. The document outlines a clear vision for the future of the discipline, setting the stage for significant advances in how open source data is used for intelligence purposes. In this blog post, we will summarize key strategy concepts, […]

OSINT uphill - open sources of information and the spectrum of their availability

I recently had the opportunity to participate in the FIRST CTI Conference in Berlin, where I talked about how OSINT is not always as open as it might seem. Since the presentation included the methods and sources of specific analysts, I preferred to stay with TLP Green. In this post, however, I would like to present the main theses and problems that […]

Nuclear safeguards – PAL and protection of nuclear warheads

In the previous post, in which I described my trip to the NSA National Cryptology Museum, I mentioned that the topic of how nuclear warheads are secured is extremely interesting to me, so this time we will take a look at this area of security. It is difficult for me to imagine a situation or environment in which system imperfections (both causing false [...]

Visiting the National Museum of Cryptology at the NSA

Full photo gallery available here :) Even though my visit to the USA was purely a holiday, I couldn't miss the opportunity to visit the NSA. Unfortunately, it is not possible to visit the agency itself, but it is the only one of the organizations that make up the United States Intelligence Community that has its part open […]

Squeezing out IoC juice - methodical analysis of network infrastructure.

One of the most common problems faced by CTI analysts is the use of collected data to discover further elements of hostile activity, i.e. the so-called "pivoting". Simply put, pivoting consists in discovering other artifacts such as IP addresses or malware samples through the common points of contact of both elements. In the case of malware, this can […]

RonanVM update

Shortly after setting up, I also started the RonanVM project, i.e. a virtual machine image adapted to conduct OSINT investigations. Unfortunately, I don't have that much time to develop the project at the pace of Kali Linux, but I had the opportunity to make some changes and improvements recently. Moving on to the specifics: I also encourage you to use, in my opinion, the project […]

Attackers in the bottleneck - lateral movements and threat hunting

Threat hunting is not an easy task. The multitude of ways in which attackers can implement the next stages of the attack makes the detection scenarios seem endless. That is why it is so important to properly prioritize and focus on the stages of intrusion during which attackers have less room to manoeuvre. And just the perfect attack phase for this […]

Register(ing) activity related to documents

The last two posts concerned hiding traces of malicious activity in the environment and attempts to confuse analysts. This time we will focus on traces that allow us to determine what the user or the attacker was doing. Forensic analysis can have two main purposes. In cases most often associated with threat intelligence, we will try to detect the activities of attackers leading […]

Anti-forensics techniques - registry timestomping

In the previous post, we dealt with one of the most popular anti-forensic techniques – timestomping. So we changed the timestamps of the files to confuse the analysts and make the files appear unrelated to malicious activity. This time we will try to transfer timestomping to another source of evidence - the Windows registry. The registry is definitely one of the […]

Anti-forensic - introduction and timestomping

As I mentioned in the blog, threat intelligence is essentially threat counterintelligence - the process of stopping hostile infiltration of the environment. This time we will deal with a strictly technical issue related to how attackers can try to (anti-forensic) hide traces of their activities and how to detect such activities. The starting point for our considerations [...]