Threat Inteliigence / OSINT / NETSEC / NATSEC

OSINT uphill - open sources of information and the spectrum of their availability

I recently had the opportunity to participate in the FIRST CTI Conference in Berlin, where I talked about how OSINT is not always as open as it might seem. Since the presentation included the methods and sources of specific analysts, I preferred to stay with TLP Green. In this post, however, I would like to present the main theses and problems that […]

Squeezing out IoC juice - methodical analysis of network infrastructure.

One of the most common problems faced by CTI analysts is the use of collected data to discover further elements of hostile activity, i.e. the so-called "pivoting". Simply put, pivoting consists in discovering other artifacts such as IP addresses or malware samples through the common points of contact of both elements. In the case of malware, this can […]

RonanVM update

Shortly after setting up counterintelligence.pl, I also started the RonanVM project, i.e. a virtual machine image adapted to conduct OSINT investigations. Unfortunately, I don't have that much time to develop the project at the pace of Kali Linux, but I had the opportunity to make some changes and improvements recently. Moving on to the specifics: I also encourage you to use, in my opinion, the project […]

Attackers in the bottleneck - lateral movements and threat hunting

Threat hunting is not an easy task. The multitude of ways in which attackers can implement the next stages of the attack makes the detection scenarios seem endless. That is why it is so important to properly prioritize and focus on the stages of intrusion during which attackers have less room to manoeuvre. And just the perfect attack phase for this […]

Scale and cycle - the role of threat intelligence in the organization

The recent history of breaking into Uber or reappearing reports on Emotet's activity may raise questions about the legitimacy of individual functions in the overall security organization of the organization. After all, why advanced forensics teams to produce threat intelligence or threat hunting when the problem is underlying? This very much […]

Kent and Heuer - The roots of CTI in a traditional interview

The holiday season is good for catching up on books, so let's take a look at the subject at counterintelligence.pl, so let's call it a book-historical topic. It will be no secret that CTI is quite a fledgling field. Even if we look at the distance that separates information protection as such from information protection in the context of computer networks, threat intelligence will be an even younger discipline. […]

MSS - Ministry of State Security and its cyber activities

In the previous post, we dealt with the intelligence activity of the People's Liberation Army and how the reforms of the armed forces are aimed at improving their functioning in this field. This time we will focus on an agency dealing with typically intelligence tasks - the Ministry of State Security (国家 安全 部, MSS). To begin with a brief historical outline, the modern organization of the MSS is [...]

PLA on the cyber front - Chinese armed forces and cyber operations

One of the biggest challenges of threat intelligence is determining the intent of attackers. It is not always possible, but if we have to face such a challenge, it is helpful to understand the context of attackers' activities and the organization in which they operate. So in the next posts we will look at one of the main players on the cyber scene - [...]

Keyboard strike - cyber anti-terrorist operations

In the previous post, we looked at how terrorist groups use social media to support their activities, and this time we will look at how the intelligence and military services can use the Internet to carry out anti-terrorist activities. As I indicated previously, terrorism is prosecuted and fought with all the power of the state apparatus, including in [...]

Sigma (grindset?) Rules - find suspicious events with Sigma

In the previous post, we looked at the creation and functionality of YARA rules, which are an invaluable aid to analysts in detecting and classifying files. Some might say, however, that today is not enough. After all, living off the land attacks are becoming more and more popular, where attackers do not use additional software, but are satisfied with [...]

en_USEnglish