Threat Inteliigence / OSINT / NETSEC / NATSEC

YARA rules! - about YARA rules and writing them.

In the post about finding information about malware samples in open sources, I briefly mentioned the use of YARA rules and described the basics of using them in the context of HybridAnalysis. However, this tool is important and universal in the work of a CTI analyst, incident responder or threat hunter, that it is definitely worth devoting a separate [...]

When the DoJ publishes your photo - about indictments and cyber operations

Observing the practice of the US administration in the field of political tools applied to entities responsible for cyber operations against the States, indictments are one of the most visible elements. In recent years, we have seen, for example, indictments against a GRU officer, Chinese intelligence, or more recently FSB officials. On the surface, it may seem that such actions do not [...]

Hunting - putting CTI to work

On counterintelligence.pl I have already devoted a lot of space to OSINT and threat intelligence. We must not forget, however, that the interview in its various forms is primarily a supporting function. It supports decision-making, incident response and detection of malicious activity. And threat hunting is an activity that one way or another must in its [...]

Hunting for implants - OSINT malware analysis

I started to write a post about malware analysis in the context of OSINT and threat intelligence for a long time. It is one of the most widely used sources of information and a common goal of analyst research, but at the same time a technically complex issue. If we are talking about advanced static analysis (of the file itself) and dynamic (observing the behavior of the file after running), it is [...]

A look at cyber operations during the first days of the conflict in Ukraine

In the previous post, I tried to present what types of cyber operations accompany military actions and how different types of operations are supposed to achieve their goals by different means. Some may have expected much more intense cyber activities in Ukraine, attacks on industrial networks or the massive use of wipers. Although there are no signals indicating [...]

A brief look at cyber operations in the context of hostilities

Recent related events clearly show the intentions of the Kremlin, which decided to invade Ukraine, potentially threatening the entire territory of the state. In the context of military operations, there is often talk of the role of cyber operations as supporting or even replacing kinetic operations. Especially the latter use awakens the imagination - the media and commentators point out [...]

In the wilderness of mirrors - attribution in the context of threat intelligence

One of the most polarizing and imaginative issues in the practice of analyzing hostile activity is attribution, i.e. an attempt to define specific entities, organizations or persons responsible for the operation. The interest in "who did it" should come as no surprise - the process of analyzing cyber activity often takes the exact opposite of investigating "ordinary" crimes. […]

By observing Internet houses - we analyze domains and their infrastructure

One of the most common tasks related to OSINT and threat intelligence is the analysis of Internet domains in terms of infrastructure behind them and information about entities responsible for their creation. Domains are an important element of cyber operations, when they can be used for C2 communication, malware delivery and information operations, providing [...]

Collecting diamond chains - threat intelligence analysis tools

After traveling around the globe, we move on to the vast world of operations in cyberspace - specifically how they are analyzed and how it helps in defense. One of the inspirations for the name of this blog - counterintelligence.pl - was that the activity known as Cyber Threat Intelligence (CTI) is, in my opinion, the activity of [...]

CyberPolice - REvil 1: 0 - on the risks of being a ransomware operator

Washington Post journalists published yesterday an article about the end of activities by the REvil group as a result of an action carried out by the American Cyber Command - the command of cyber forces. Curbing the actions of REvil is certainly good news for everyone - criminals are responsible, for example, for ransomware attacks on Kaseye or JBS and poisoned the lives of many [...]

en_USEnglish