Business Email Compromise (BEC): The Billion Dollar Scam
Business Email Compromise (BEC) is a type of cybercrime where an attacker compromises legitimate business email accounts or uses spoofing to conduct unauthorized transfers of funds...
Cyber Threat Intelligence Glossary
CTI Knowledge Base
Your comprehensive reference for cyber threat intelligence terminology. Explore definitions of malware families, APT groups, attack techniques, and security concepts.
Command and Control (C2) Frameworks: Cobalt Strike and Beyond
A Command and Control (C2) framework is the centralized software used by threat actors to communicate with compromised systems (implants/beacons) within a victim's network. Modern ...
CTI Reporting: Writing for Impact
Intelligence is useless if it is not communicated effectively. CTI Reporting is the skill of translating complex technical data (IOCs, malware code) into clear, actionable insights...
Cyber Attribution: The Process of Identifying the Adversary
Cyber attribution is the analytical process of identifying the individual, group, or nation-state responsible for a specific cyber intrusion or campaign. Unlike identifying technic...
Dark Web Intelligence: OPSEC and Monitoring Guide
How to safely monitor the Dark Web for CTI. A guide to OPSEC, creating
Deception Technology: Honeypots and Canary Tokens
Deception Technology involves deploying decoys (traps) within a network to trick adversaries into revealing their presence. These decoys—known as Honeypots—mimic legitimate assets ...
Domain Generation Algorithms (DGA): Hiding in Noise
A Domain Generation Algorithm (DGA) is a technique used by malware to periodically generate a large number of domain names that can serve as Command and Control (C2) rendezvous poi...
Geopolitical Cyber Intelligence: State-Sponsored Threats
Geopolitical Cyber Intelligence analyzes how nation-states use cyber capabilities to achieve political, military, or economic objectives. This is the realm of Advanced Persistent T...
ICS/OT Threat Intelligence: Protecting the Industrial Edge
CTI for Industrial Control Systems (ICS) and OT. Understand the Purdue Model, specialized protocols (Modbus, DNP3), and threats targeting critical infrastructure.
Infrastructure Tracking: Fingerprinting with JA3 and JARM
Move beyond IP addresses. Learn how to track threat actors using SSL/TLS fingerprinting techniques like JA3, JA3S, and JARM to identify C2 servers.
Threats
27
Initial Access Brokers (IAB): The Middlemen of Cybercrime
Initial Access Brokers (IABs) are specialized cybercriminals who breach corporate networks but do not monetize the intrusion themselves. Instead, they sell the "access" (e.g., vali...
General
71
IOCs vs. TTPs: The Pyramid of Pain Explained
A mature CTI program moves beyond blocking IPs (Tactical) and focuses on hunting TTPs (Operational).
Living off the Land (LotL): The Art of Fileless Malware
Living off the Land (LotL) is a stealth technique where cyber adversaries use legitimate, pre-installed system tools to conduct malicious activities. Instead of introducing custom ...
Malware Config Extraction: Static Analysis Basics
Don't just run malware; dissect it. Learn the basics of static analysis to extract C2 configurations and encryption keys from malware binaries.
General
40
Open Source Intelligence (OSINT): Tools and Techniques
Open Source Intelligence (OSINT) is the practice of collecting data from publicly available sources to be analyzed and used for intelligence purposes. In the context of Cyber Threa...
Passive DNS (PDNS): The Time Machine for Domains
Passive DNS (PDNS) is a database of historical DNS resolution data. While standard DNS tells you "Where does this domain point now?", Passive DNS tells you "Where did this domain p...
General
61
Phishing Analysis Fundamentals
How to analyze a phishing email. Learn to inspect email headers, analyze malicious attachments, and safely handle suspicious URLs.
Threats
30
Ransomware-as-a-Service (RaaS): The Industrialization of Cybercrime
Ransomware-as-a-Service (RaaS) is a business model where ransomware developers (Operators) sell or lease their ransomware variants to other cybercriminals (Affiliates). The Affilia...
General
70
STIX and TAXII Explained: The Language of CTI
In the early days of CTI, analysts shared Indicators of Compromise (IOCs) via PDFs and spreadsheets. This manual process is too slow for modern defense. By the time an analyst manu...
Supply Chain Attacks: Compromising the Trust
A Supply Chain Attack occurs when an adversary infiltrates a system through an outside partner or provider with access to the systems and data. This dramatically alters the risk pr...