Finding Initial Access

I recently ran across a comment from a SOC manager on social media that said, “Finding initial access is difficult.” I thought about it for a moment, and had to ask, “why is that?” For context, I transitioned from military…

Rigor in Threat Intel

I’m just going to say it. IOCs are not “threat intel”. Lists of IP addresses and domain names, without context, are data points and information, not “intel”. Threat intel is based on patterns developed from the accumulation/aggregation of data. In…

LNK Files in CTI

There’s a good bit of file analysis that goes into CTI reports, including (but not limited to) malware analysis. But for some reason, not all files appear to be worthy of parsing and analysis. We also tend to see in-depth…