Some of you may already know my weekly newsletter, “Threat Intel Weekend Reads”, which has been published since December 2014. What I did today was go back through all the 2016 editions of the newsletter and select my favorite headline articles. Over the coming days I will try to dive deeper once again and provide more insights on DFIR, Threat Intel and Threat Hunting! Any feedback would be more than welcome! Enjoy!
January
Intelligence Technology and Tradecraft in 2015 – http://www.cyintanalysis.com/intelligence-technology-and-tradecraft-in-2015/
WEF Global Risks Report 2016 – https://www.weforum.org/reports/the-global-risks-report-2016
ENISA’s Cyber-Threat overview 2015 – https://www.enisa.europa.eu/news/enisa-news/enisa2019s-cyber-threat-overview-2015
Introduction to DFIR – https://sroberts.github.io/2016/01/11/introduction-to-dfir-the-beginning/
No, Norse is Not a Bellwether of the Threat Intel Industry but Does Hold Lessons Learned – http://www.robertmlee.org/no-norse-is-not-a-bellwether-of-the-threat-intel-industry-but-does-hold-lessons-learned/
VB2015 paper: Effectively testing APT defences: defining threats, addressing objections to testing, and suggesting some practical approaches – https://www.virusbulletin.com/virusbulletin/2016/01/paper-effectively-testing-apt-defences-defining-threats-addressing-objections-testing-and-suggesting-some-practical-approaches
The Role of Curiosity in Security Investigations – http://chrissanders.org/2016/01/curiosity-in-security-investigations/
Windows Commands Abused by Attackers – http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
Starting Small with Threat Intel – Pt. 1 – https://swannysec.net/2016/01/14/starting-small-with-threat-intelligence-pt-1.html
February
NSA’s TAO Head on Internet Offense and Defense – https://www.schneier.com/blog/archives/2016/02/nsas_tao_on_int.html
Starting Small with Threat Intel – Pt. 2 – https://swannysec.net/2016/02/05/starting-small-with-threat-intel-pt-2.html
Themes, Personal Notes, & Resources From SANS CTI Summit 2016 – http://www.cyintanalysis.com/themes-personal-notes-resources-from-sans-cti-summit-2016/
Thoughts on the ICS-CERT Ukraine Cyber Attack Report – https://ics.sans.org/blog/2016/02/25/thoughts-on-the-ics-cert-ukraine-cyber-attack-report/
FireEye Releases Mandiant M-Trends Report with Insights from Advanced Attack Investigations – https://www.fireeye.com/company/press-releases/2016/fireeye-releases-mandiant-m-trends-report-with-insights-from-adv.html
Greater Visibility Through PowerShell Logging – https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
Detecting Offensive PowerShell Attack Tools – https://adsecurity.org/?p=2604
March
The Problems with Seeking and Avoiding True Attribution to Cyber Attacks – http://www.robertmlee.org/the-problems-with-seeking-and-avoiding-true-attribution-to-cyber-attacks/
Questions for Evaluating an External Threat Intelligence Source – http://www.activeresponse.org/questions-for-evaluating-an-external-threat-intelligence-source/
APT Ransomware – http://carnal0wnage.attackresearch.com/2016/03/apt-ransomware.html
CTI SquadGoals – Setting Requirements – https://sroberts.github.io/2016/03/30/cti-squad-goals-intro-to-requirements/
Conducting Red Team Assessments Without the Use of Malware – https://www.fireeye.com/blog/products-and-services/2016/03/conducting_red_team.html
A Novel WMI Persistence Implementation – https://www.secureworks.com/blog/wmi-persistence
Systems Admins: We Need To Talk. – https://offensivetechblog.wordpress.com/2016/03/29/systems-admins-we-need-to-talk/
Investigating PowerShell: Command and Script Logging – http://forensicmethods.com/investigating-powershell
April
PowerShell Takes Center Stage as Attackers Attempt to Cloak Attacks – https://www.carbonblack.com/2016/04/12/powershell-takes-center-stage-as-attackers-attempt-to-cloak-attacks/
How to Write Simple but Sound Yara Rules – Part 3 – https://www.bsk-consulting.de/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/
Hack Back! A DIY Guide – http://pastebin.com/0SNSvyjJ
Tradecraft Tuesday – Hacking Team Breach Overview – https://www.cybrary.it/2016/04/tradecraft-tuesday-hacking-team-compromise-over/
What is Threat Hunting? – https://blindseeker.com/blahg/?p=830
Magical Thinking in Internet Security – https://www.farsightsecurity.com/2016/04/28/vixie-magicalthinking/
Sysmon logs at scale analyzed with Splunk – https://securitylogs.org/2016/05/07/sysmon-logs-at-scale/
Two bytes to $951m – https://baesystemsai.blogspot.co.uk/2016/04/two-bytes-to-951m.html
Verizon’s 2016 Data Breach Investigations Report – http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
Cyber Threat Intelligence: Q n As (aka #ctijam) – https://www.linkedin.com/pulse/cyber-threat-intellgience-q-n-aka-ctijam-andreas-sfakianakis
May
How to Fall Victim to Advanced Persistent Threats – https://www.bsk-consulting.de/2016/05/04/how-to-fall-victim-to-apt/
Unofficial Guide to Mimikatz & Command Reference – https://adsecurity.org/?page_id=1821
A bomb just dropped in endpoint security… and I’m not sure anyone noticed – http://blog.eckelberry.com/a-bomb-just-dropped-in-endpoint-security-and-im-not-sure-anyone-noticed/
Adversarial Tactics, Techniques & Common Knowledge – https://attack.mitre.org/wiki/Main_Page
Technical Report about the Malware used in the Cyberespionage against RUAG – https://www.melani.admin.ch/melani/en/home/dokumentation/reports/technical-reports/technical-report_apt_case_ruag.html
Targeted Attacks against Banks in the Middle East – https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
Windows Top 10 Events to monitor from My Dell Enterprise Security Summit Talk – https://hackerhurricane.blogspot.co.uk/2016/05/windows-top-10-events-to-monitor-from.html
June
Not All IOC Scanning Is the Same – https://www.bsk-consulting.de/2016/06/12/ioc-scanning-compulsory-and-freestyle/
Hacking Team Breach: A Cyber Jurassic Park – https://blogs.microsoft.com/microsoftsecure/2016/06/01/hacking-team-breach-a-cyber-jurassic-park/
Hunting for Rogue PowerShell Profiles – https://blog.tanium.com/hunting-rogue-powershell-profiles/index.html
Common Ground Part 1: Red Team History & Overview – https://www.sixdub.net/?p=705
Common Ground: Planning is Key – https://www.sixdub.net/?p=709
Why Ransomware? Why Now? How Intelligence Would Address Infosec Questions – https://medium.com/@thegrugq/why-ransomware-why-now-bd1395a147cb#.rm7t4bfpt
Bears in the Midst: Intrusion into the Democratic National Committee – https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
Where My Admins At? (GPO Edition) – http://www.harmj0y.net/blog/redteaming/where-my-admins-at-gpo-edition/
The Windows PowerShell Cheat Sheet is now available! – https://hackerhurricane.blogspot.co.uk/2016/06/the-windows-powershell-cheat-sheet-is.html
How Hired Hackers Got “Complete Control” Of Palantir – https://www.buzzfeed.com/williamalden/how-hired-hackers-got-complete-control-of-palantir?utm_term=.ufP3gO0XWB#.tx1Xbw1mdQ
Penetration Test vs. Red Team Assessment: The Age Old Debate of Pirates vs. Ninjas Continues – https://community.rapid7.com/community/infosec/blog/2016/06/23/penetration-testing-vs-red-teaming-the-age-old-debate-of-pirates-vs-ninja-continues
Who’s afraid of PowerShell security? – https://blogs.technet.microsoft.com/ashleymcglone/2016/06/29/whos-afraid-of-powershell-security/
Digital Reconnaissance Fundamentals – http://redteams.net/digitalops/2016/digital-reconnaissance-fundamentals
Shiny Object? Guccifer 2.0 and the DNC Breach – https://www.threatconnect.com/blog/guccifer-2-0-dnc-breach/
Tactical Response – http://frodehommedal.no/presentations/cert-ee-symposium-2016/#/
July
The Darker Side of Threat Intelligence: Cyber Stockholm Syndrome – http://www.activeresponse.org/the-darker-side-of-threat-intelligence-cyber-stockholm-syndrome/
The Threat Hunting Project – http://www.threathunting.net/
Common Ground Part 3: Execution and the People Factor – https://www.sixdub.net/?p=714
Spotting the Adversary with Windows Event Log Monitoring (version 2) – https://www.iad.gov/iad/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm
dfir.training – http://www.dfir.training/index.php
PS>Attack – https://www.psattack.com/
Mitigations for LSA Credential Exposure | Part 1: Plain-Text Passwords – https://thedefensedude.wordpress.com/2016/07/19/mitigations-for-lsa-credential-exposure-part-1-plain-text-passwords/
How to Build a 404 page not found C2 – http://www.blackhillsinfosec.com/?p=5134
5 Takeaways From The “Building A Strategic Threat Intelligence Program” Webinar – https://www.digitalshadows.com/blog-and-research/5-takeaways-from-the-building-a-strategic-threat-intelligence-program-webinar/
My Thoughts on Threat Hunting – https://findingbad.blogspot.co.uk/2016/07/my-thoughts-on-threat-hunting.html
Intelligence Collection Priorities – https://sroberts.github.io/2016/07/26/intelligence-collection-priorities/
An Important Internal Intelligence Source to Add to Your Collection Plan – http://www.cyintanalysis.com/an-important-internal-intelligence-source-to-add-to-your-collection-plan/
STIX 2.0 – CTI TC Development – https://stixproject.github.io/stix2.0/
August
PowerShell Security: PowerShell Attack Tools, Mitigation, & Detection – https://adsecurity.org/?p=2921
Automating Detection of Known Malware through Memory Forensics – https://volatility-labs.blogspot.co.uk/2016/08/automating-detection-of-known-malware.html
procfilter – A YARA-integrated process denial framework for Windows – https://github.com/godaddy/procfilter
APT Groups and Operations – https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/edit#gid=1864660085
Hunting Lateral Movement – https://findingbad.blogspot.co.uk/2016/08/hunting-lateral-movement.html
How to Build Your Own Penetration Testing Drop Box – http://www.blackhillsinfosec.com/?p=5156
The Shadow Brokers: Lifting the Shadows of the NSA’s Equation Group? – https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/
Equation Group Firewall Operations Catalogue – https://musalbas.com/2016/08/16/equation-group-firewall-operations-catalogue.html
Defining Cyber Threat Intelligence – https://ctianalys.is/2016/08/22/defining-cyber-threat-intelligence/
Threat Intelligence Definition: What is Old is New Again – http://www.activeresponse.org/threat-intelligence-definition-old-new/
Intelligence Defined and its Impact on Cyber Threat Intelligence – http://www.robertmlee.org/intelligence-defined-and-its-impact-on-cyber-threat-intelligence/
Threat intelligence report for the telecommunications industry – https://securelist.com/analysis/publications/75846/threat-intelligence-report-for-the-telecommunications-industry/
Examining Recent Ransomware Infection Techniques (And Some Thoughts on Consuming Intelligence) – http://www.cyintanalysis.com/examining-recent-ransomware-infection-techniques-and-some-thoughts-on-consuming-intelligence/
The Laws of Cyber Threat: Diamond Model Axioms – http://www.activeresponse.org/diamond-model-axioms/
FIRST announces Traffic Light Protocol (TLP) version 1.0 – https://www.first.org/newsroom/releases/20160831
RIPPER ATM Malware and the 12 Million Baht Jackpot – https://www.fireeye.com/blog/threat-research/2016/08/ripper_atm_malwarea.html
A Guide to Cyber Threat Hunting Operations – http://www.infosecurity-magazine.com/opinions/a-guide-to-cyber-threat-hunting/
Updated EDR sheet – http://www.hexacorn.com/blog/2016/08/12/updated-edr-sheet/
September
Some Favorite DerbyCon 6 Talks (2016) – https://adsecurity.org/?p=3238
Let the benchmarks hit the floor: Autopsy vs Encase vs FTK vs X-Ways (in depth testing) – https://binaryforay.blogspot.co.uk/2016/09/let-benchmarks-hit-floor-autopsy-vs.html
Welcome to the Cyber Analytics Repository – https://car.mitre.org/wiki/Main_Page
All The Rosetta Stones! – http://www.cyintanalysis.com/all-the-rosetta-stones/
Categories of Abnormal – https://findingbad.blogspot.co.uk/2016/09/categories-of-abnormal.html
Snagging creds from locked machines – https://room362.com/post/2016/snagging-creds-from-locked-machines/
Five Attributes of an Effective Corporate Red Team – http://blog.ioactive.com/2016/09/five-attributes-of-effective-corporate.html
A Simple, Free, and Fast Open Source Workflow For Processing Indicators – http://www.cyintanalysis.com/a-simple-free-and-fast-open-source-workflow-for-processing-indicators/
BloodHound – https://github.com/adaptivethreat/BloodHound
Congressional Report Slams OPM on Data Breach – http://krebsonsecurity.com/2016/09/congressional-report-slams-opm-on-data-breach/
Indicators and Security Analytics: Their Place in Detection and Response – http://www.activeresponse.org/indicators-and-analytics-in-detection-and-response/
How to Hunt: Detecting Persistence & Evasion with the COM – https://www.endgame.com/blog/how-hunt-detecting-persistence-evasion-com
KrebsOnSecurity Hit With Record DDoS – https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
Future attack scenarios against ATM authentication systems – https://securelist.com/analysis/publications/76099/future-attack-scenarios-against-atm-authentication-systems/
Chasing APTs: How a Hunt Evolves – http://good-hunting.infocyte.com/2016/09/22/chasing-apts-how-a-hunt-evolves/
Unfetter – https://iadgov.github.io/unfetter/
The Effects of Opening Move Selection on Investigation Speed – http://chrissanders.org/2016/09/effects-of-opening-move-investigation-speed/
Detecting Data Staging & Exfil Using the Producer-Consumer Ratio – https://detect-respond.blogspot.co.uk/2016/09/detecting-data-staging-exfil-using-PCR-shift.html
Defining Threat Intelligence Requirements – https://isc.sans.edu/diary/Defining%2BThreat%2BIntelligence%2BRequirements/21519
Europol’s 2016 Internet Organised Crime Threat Assessment (IOCTA) – https://www.europol.europa.eu/newsroom/news/relentless-growth-of-cybercrime
Active Directory Risk Auditing with BloodHound – https://thedefensedude.wordpress.com/2016/09/28/active-directory-risk-auditing-with-bloodhound/
Mind Games: International Championship – Intelligence Agency Calculus – https://medium.com/@thegrugq/mind-games-international-championship-cc143febb793#.c5isyp81w
Hunter’s Tool Chest: Sysmon – https://medium.com/@jshlbrd/hunters-tool-chest-sysmon-1b26896f7d47#.galvzxxz6
October
Securing Windows Workstations: Developing a Secure Baseline – https://adsecurity.org/?p=3299
The Diamond Model and Network Based Threat Replication – https://www.sixdub.net/?p=762
The Windows Logging, File and Registry Auditing Cheat Sheets updated for Windows 10 and some cleanup and additions – https://hackerhurricane.blogspot.co.uk/2016/10/the-windows-logging-file-and-registry.html
Why Threat Intelligence Sharing is Not Working: Towards An Incentive-Based Model – http://www.activeresponse.org/threat-intelligence-sharing-not-working-towards-incentive-based-model/
Approaches to Threat Hunting – http://good-hunting.infocyte.com/2016/10/03/approaches-to-threat-hunting/
The $5 Vendor-Free Crash Course: Cyber Threat Intel – https://tisiphone.net/2016/10/04/the-5-vendor-free-crash-course-cyber-threat-intel/
Nation State Threat Attribution: a FAQ – https://tisiphone.net/2016/10/11/threat-attribution-faq/
Increased Use of WMI for Environment Detection and Evasion – https://www.fireeye.com/blog/threat-research/2016/10/increased_use_ofwmi.html
Scale-out Security Event Processing for detection and analysis – https://medium.com/@henrikjohansen/scale-out-security-event-processing-for-detection-and-analysis-c756e0d188a4#.svdx3fxhk
The Empire Strikes Back – http://www.harmj0y.net/blog/empire/the-empire-strikes-back/
Mapping Mirai: A Botnet Case Study – https://www.malwaretech.com/2016/10/mapping-mirai-a-botnet-case-study.html
Invoke-Obfuscation v1.1 (coming Sunday, Oct 9) – http://www.danielbohannon.com/blog-1/2016/10/1/invoke-obfuscation-v11-release-sunday-oct-9
Building Threat Hunting Strategies with the Diamond Model – http://www.activeresponse.org/building-threat-hunting-strategy-with-the-diamond-model/
Cyber: Ignore the Penetration Testers – https://medium.com/@thegrugq/cyber-ignore-the-penetration-testers-900e76a49500#.i055n3f1c
Net Cease – Hardening Net Session Enumeration – https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b
Threat Hunting – A Tale of Wishful Thinking and Willful Ignorance … – http://www.hexacorn.com/blog/2016/10/15/threat-hunting-a-tale-of-wishful-thinking-and-willful-ignorance/
Common Red Team Techniques vs Blue Team Controls Infographic – https://blog.netspi.com/common-red-team-techniques-vs-blue-team-controls-infographic/
More Detecting Obfuscated PowerShell – http://www.leeholmes.com/blog/2016/10/22/more-detecting-obfuscated-powershell/
MISP – The Design and Implementation of a Collaborative Threat Intelligence Sharing Platform – https://www.researchgate.net/publication/309413369_MISP_-The_Design_and_Implementation_of_a_Collaborative_Threat_Intelligence_Sharing_Platform
November
Securing Domain Controllers to Improve Active Directory Security – https://adsecurity.org/?p=3377
Seek Evil, and Ye Shall Find: A Guide to Cyber Threat Hunting Operations – https://digitalguardian.com/blog/seek-evil-and-ye-shall-find-guide-cyber-threat-hunting-operations
Leak on Aisle 12! An Analysis of Competing Hypotheses for the Tesco Bank Incident – https://www.digitalshadows.com/blog-and-research/leak-on-aisle-12-an-analysis-of-competing-hypotheses-for-the-tesco-bank-incident/
Moving Beyond EMET – https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/
The Hunter’s Den: Internal Reconnaissance (Part 1) – http://blog.sqrrl.com/the-hunters-den-internal-reconnaissance-part-1
Kerberoasting Without Mimikatz – http://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/
2016 Targeted Threats in Review – What We’ve Learned – http://www.activeresponse.org/2016-targeted-threats/
Pentest Toolbox Additions 2016 – https://www.tripwire.com/state-of-security/security-data-protection/pentest-toolbox-additions-2016/
On Nation States and Sophistication – http://carnal0wnage.attackresearch.com/2016/11/on-nation-states-and-sophistication.html
Digging Into Sysinternals: PsExec – https://medium.com/@mbromileyDFIR/digging-into-sysinternals-psexec-64c783bace2b#.8a17aotzs
Extending Linux Executable Logging With The Integrity Measurement Architecture – https://www.fireeye.com/blog/threat-research/2016/11/extending_linux_exec.html
Introducing TheHive – https://blog.thehive-project.org/2016/11/07/introducing-thehive/
Independence and Threat Intelligence Platforms – http://www.misp-project.org/2016/11/16/Independence-and-Threat-Intelligence-Platforms.html
Kaspersky Security Bulletin. Predictions for 2017 – https://securelist.com/analysis/kaspersky-security-bulletin/76660/kaspersky-security-bulletin-predictions-for-2017/
The Hunting Cycle and Measuring Success – https://findingbad.blogspot.co.uk/2016/11/the-hunting-cycle-and-measuring-success.html
Digital Forensics / Incident Response – The Definitive Compendium Project – https://docs.google.com/spreadsheets/d/1JY-iyw-LEuPCkBAdjorMJhmhGRusN95eLmejWcky7XU/edit#gid=0
Microsoft replaces cmd.exe with PowerShell in latest Win10 build – http://www.itnews.com.au/news/microsoft-replaces-cmdexe-with-powershell-in-latest-win10-build-442016
How to write security alerts – https://summitroute.com/blog/2016/11/22/how_to_write_security_alerts/
ATT&CK™ Gaining Ground – https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/attck%E2%84%A2-gaining-ground
FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region – https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html
SplunkConf 2016: Using Splunk to hunt for malicious PowerShell usage – https://www.peerlyst.com/posts/splunkconf-2016-using-splunk-to-hunt-for-malicious-powershell-usage-by-ryan-chapman-and-lisa-tawfall-ron-hardy
Hunting for Malware Critical Process Impersonation – https://detect-respond.blogspot.co.uk/2016/11/hunting-for-malware-critical-process.html
Uncover insider threats, blind spots in your network with Advanced Threat Analytics – https://blogs.technet.microsoft.com/enterprisemobility/2016/11/07/uncover-insider-threats-blind-spots-in-your-network-with-advanced-threat-analytics/
The Purple Team Pentest – https://technicalinfodotnet.blogspot.co.uk/2016/11/the-purple-team-pentest.html
6 Red Team Infrastructure Tips – https://cybersyndicates.com/2016/11/top-red-team-tips/
20 Questions Smart Security Pros Should Ask About 'Intelligence' – http://www.darkreading.com/operations/20-questions-smart-security-pros-should-ask-about-intelligence-/a/d-id/1327565
Hunting For and Detecting Advanced Threats with Sysmon – http://www.vector8.io/blog/sysmon
December
How do security professionals study threat actors, & why do we do it? – https://tisiphone.net/2016/12/12/how-do-security-professionals-study-threat-actors-why-do-we-do-it/
SAMRi10: Windows 10 hardening tool for thwarting network recon – https://www.helpnetsecurity.com/2016/12/01/samri10-windows-10-hardening/
Detect Endpoint Threats by Analyzing Process Logs in QRadar – https://securityintelligence.com/detect-endpoint-threats-by-analyzing-process-logs-in-qradar/
The increased use of PowerShell in attacks – https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/increased-use-of-powershell-in-attacks-16-en.pdf
Threat Intelligence – https://manhattanmennonite.blogspot.co.uk/2016/12/threat-intelligence.html
“Sophisticated” and “Genius” Shamoon 2.0 Malware Analysis – https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis
Windows 10: protection, detection, and response against recent Depriz malware attacks – https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/
Evidence of Attackers’ Development Environment Left in Shortcut Files – http://blog.jpcert.or.jp/2016/12/evidence-of-att-3388.html
Unprotect Project – http://unprotect.tdgt.org/index.php/Unprotect_Project
Sysmon – The Best Free Windows Monitoring Tool You Aren’t Using – http://909research.com/sysmon-the-best-free-windows-monitoring-tool-you-arent-using/
Windows Wednesday: Application Compatibility Cache – https://medium.com/@mbromileyDFIR/windows-wednesday-shim-cache-1997ba8b13e7#.ht7717lyb
The Great Cyber Game: Commentary (2) – Analysis of a message of messages containing messages – https://medium.com/@thegrugq/the-great-cyber-game-commentary-2-33c9b79ca8ac#.79ozlt1yj
Will Advanced Threat Analytics help me with all operating systems? – https://blogs.technet.microsoft.com/enterprisemobility/2016/12/12/will-advanced-threat-analytics-help-me-with-non-windows-oss/
PowerShell Logging for the Blue Team – http://www.blackhillsinfosec.com/?p=5516
Learning From A Year of Security Breaches – https://medium.com/starting-up-security/learning-from-a-year-of-security-breaches-ed036ea05d9b#.q7413c6nd
Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units – https://www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/
My Favorite Threat Intel Tweets of 2016 – http://www.cyintanalysis.com/my-favorite-threat-intel-tweets-of-2016/
The Incident Response Hierarchy of Needs – https://github.com/swannman/ircapabilities
Working with Sysmon – https://haveyousecured.blogspot.co.uk/2016/12/working-with-sysmon.html
The Kings In Your Castle Part 5: APT correlation and do-it-yourself threat research – https://cyber.wtf/2016/12/15/the-kings-in-your-castle-part-5-apt-correlation-and-do-it-yourself-threat-research/
Technical developments in Cryptography: 2016 in Review – https://www.eff.org/deeplinks/2016/12/what-happened-crypto-2016
Tor and its Discontents – https://medium.com/@thegrugq/tor-and-its-discontents-ef5164845908#.tvynghjpa
Insider Threats: “The Shadow Brokers” Likely Did Not Hack the NSA – https://www.flashpoint-intel.com/insider-threats-shadow-brokers-likely-not-hack-nsa/
Thanks for the update!
My pleasure Jane :)
Nice catch! Thank you so much for your update!
Wow…awesome…really appreciate your efforts