Command and Control (C2) Frameworks: Cobalt Strike and Beyond
A Command and Control (C2) framework is the centralized software used by threat actors to communicate with compromised systems (implants/beacons) within a victim's network. Modern ...
Your comprehensive reference for cyber threat intelligence terminology. Explore definitions of malware families, APT groups, attack techniques, and security concepts.
Intelligence is useless if it is not communicated effectively. CTI Reporting is the skill of translating complex technical data (IOCs, malware code) into clear, actionable insights...
Cyber attribution is the analytical process of identifying the individual, group, or nation-state responsible for a specific cyber intrusion or campaign. Unlike identifying technic...
How to safely monitor the Dark Web for CTI. A guide to OPSEC, creating
Deception Technology involves deploying decoys (traps) within a network to trick adversaries into revealing their presence. These decoys—known as Honeypots—mimic legitimate assets ...
A Domain Generation Algorithm (DGA) is a technique used by malware to periodically generate a large number of domain names that can serve as Command and Control (C2) rendezvous poi...
CTI for Industrial Control Systems (ICS) and OT. Understand the Purdue Model, specialized protocols (Modbus, DNP3), and threats targeting critical infrastructure.
Move beyond IP addresses. Learn how to track threat actors using SSL/TLS fingerprinting techniques like JA3, JA3S, and JARM to identify C2 servers.
Initial Access Brokers (IABs) are specialized cybercriminals who breach corporate networks but do not monetize the intrusion themselves. Instead, they sell the "access" (e.g., vali...
A mature CTI program moves beyond blocking IPs (Tactical) and focuses on hunting TTPs (Operational).
Living off the Land (LotL) is a stealth technique where cyber adversaries use legitimate, pre-installed system tools to conduct malicious activities. Instead of introducing custom ...
Don't just run malware; dissect it. Learn the basics of static analysis to extract C2 configurations and encryption keys from malware binaries.
Open Source Intelligence (OSINT) is the practice of collecting data from publicly available sources to be analyzed and used for intelligence purposes. In the context of Cyber Threa...
Passive DNS (PDNS) is a database of historical DNS resolution data. While standard DNS tells you "Where does this domain point now?", Passive DNS tells you "Where did this domain p...
How to analyze a phishing email. Learn to inspect email headers, analyze malicious attachments, and safely handle suspicious URLs.
Ransomware-as-a-Service (RaaS) is a business model where ransomware developers (Operators) sell or lease their ransomware variants to other cybercriminals (Affiliates). The Affilia...
In the early days of CTI, analysts shared Indicators of Compromise (IOCs) via PDFs and spreadsheets. This manual process is too slow for modern defense. By the time an analyst manu...
A Supply Chain Attack occurs when an adversary infiltrates a system through an outside partner or provider with access to the systems and data. This dramatically alters the risk pr...
Developed by Lockheed Martin, the Cyber Kill Chain was one of the first frameworks to define the stages of a cyber intrusion. It is based on military concepts and remains a vital m...
While the Cyber Kill Chain focuses on the stages of an attack, and MITRE ATT&CK focuses on the behaviors, the Diamond Model focuses on the relationships.