Threat Intel Annual Reads 2016

Some of you may know my weekly newsletter, “Threat Intel Weekend Reads”, which has been published since December 2014. What I have done here is go back through all of the 2016 editions and select my favourite headline articles. Over the coming days I will try to dive deeper once again and provide more insights on DFIR, Threat Intel and Threat Hunting. Any feedback would be more than welcome. Enjoy!


Intelligence Technology and Tradecraft in 2015 –

WEF Global Risks Report 2016 –

ENISA’s Cyber-Threat overview 2015 –

Introduction to DFIR –

No, Norse is Not a Bellwether of the Threat Intel Industry but Does Hold Lessons Learned –

VB2015 paper: Effectively testing APT defences: defining threats, addressing objections to testing, and suggesting some practical approaches –

The Role of Curiosity in Security Investigations –

Windows Commands Abused by Attackers –

Starting Small with Threat Intel – Pt. 1 –



NSA’s TAO Head on Internet Offense and Defense –

Starting Small with Threat Intel – Pt. 2 –

Themes, Personal Notes, & Resources From SANS CTI Summit 2016 –

Thoughts on the ICS-CERT Ukraine Cyber Attack Report –

FireEye Releases Mandiant M-Trends Report with Insights from Advanced Attack Investigations –

Greater Visibility Through PowerShell Logging –

Detecting Offensive PowerShell Attack Tools –



The Problems with Seeking and Avoiding True Attribution to Cyber Attacks –

Questions for Evaluating an External Threat Intelligence Source –

APT Ransomware –

CTI SquadGoals – Setting Requirements –

Conducting Red Team Assessments Without the Use of Malware –

A Novel WMI Persistence Implementation –

Systems Admins: We Need To Talk. –

Investigating PowerShell: Command and Script Logging –



PowerShell Takes Center Stage as Attackers Attempt to Cloak Attacks –

How to Write Simple but Sound Yara Rules – Part 3 –

Hack Back! A DIY Guide –

Tradecraft Tuesday – Hacking Team Breach Overview –

What is Threat Hunting? –

Magical Thinking in Internet Security –

Sysmon logs at scale analyzed with Splunk –

Two bytes to $951m –

Verizon’s 2016 Data Breach Investigations Report –

Cyber Threat Intelligence: Q n As (aka #ctijam) –



How to Fall Victim to Advanced Persistent Threats –

Unofficial Guide to Mimikatz & Command Reference –

A bomb just dropped in endpoint security… and I’m not sure anyone noticed –

Adversarial Tactics, Techniques & Common Knowledge –

Technical Report about the Malware used in the Cyberespionage against RUAG –

Targeted Attacks against Banks in the Middle East –

Windows Top 10 Events to monitor from My Dell Enterprise Security Summit Talk –



Not All IOC Scanning Is the Same –

Hacking Team Breach: A Cyber Jurassic Park –

Hunting for Rogue PowerShell Profiles –

Common Ground Part 1: Red Team History & Overview –

Common Ground: Planning is Key –

Why Ransomware? Why Now? How Intelligence Would Address Infosec Questions –

Bears in the Midst: Intrusion into the Democratic National Committee –

Where My Admins At? (GPO Edition) –

The Windows PowerShell Cheat Sheet is now available! –

How Hired Hackers Got “Complete Control” Of Palantir –

Penetration Test vs. Red Team Assessment: The Age Old Debate of Pirates vs. Ninjas Continues –

Who’s afraid of PowerShell security? –

Digital Reconnaissance Fundamentals –

Shiny Object? Guccifer 2.0 and the DNC Breach –

Tactical Response –



The Darker Side of Threat Intelligence: Cyber Stockholm Syndrome –

The Threat Hunting Project –

Common Ground Part 3: Execution and the People Factor –

Spotting the Adversary with Windows Event Log Monitoring (version 2) –

PS>Attack –

Mitigations for LSA Credential Exposure | Part 1: Plain-Text Passwords –

How to Build a 404 page not found C2 –

5 Takeaways From The “Building A Strategic Threat Intelligence Program” Webinar –

My Thoughts on Threat Hunting –

Intelligence Collection Priorities –

An Important Internal Intelligence Source to Add to Your Collection Plan –

STIX 2.0 – CTI TC Development –



PowerShell Security: PowerShell Attack Tools, Mitigation, & Detection –

Automating Detection of Known Malware through Memory Forensics –

procfilter – A YARA-integrated process denial framework for Windows –

APT Groups and Operations –

Hunting Lateral Movement –

How to Build Your Own Penetration Testing Drop Box –

The Shadow Brokers: Lifting the Shadows of the NSA’s Equation Group? –

Equation Group Firewall Operations Catalogue –

Defining Cyber Threat Intelligence –

Threat Intelligence Definition: What is Old is New Again –

Intelligence Defined and its Impact on Cyber Threat Intelligence –

Threat intelligence report for the telecommunications industry –

Examining Recent Ransomware Infection Techniques (And Some Thoughts on Consuming Intelligence) –

The Laws of Cyber Threat: Diamond Model Axioms –

FIRST announces Traffic Light Protocol (TLP) version 1.0 –

RIPPER ATM Malware and the 12 Million Baht Jackpot –

A Guide to Cyber Threat Hunting Operations –

Updated EDR sheet –



Some Favorite DerbyCon 6 Talks (2016) –

Let the benchmarks hit the floor: Autopsy vs Encase vs FTK vs X-Ways (in depth testing) –

Welcome to the Cyber Analytics Repository –

All The Rosetta Stones! –

Categories of Abnormal –

Snagging creds from locked machines –

Five Attributes of an Effective Corporate Red Team –

A Simple, Free, and Fast Open Source Workflow For Processing Indicators –

BloodHound –

Congressional Report Slams OPM on Data Breach –

Indicators and Security Analytics: Their Place in Detection and Response –

How to Hunt: Detecting Persistence & Evasion with the COM –

KrebsOnSecurity Hit With Record DDoS –

Future attack scenarios against ATM authentication systems –

Chasing APTs: How a Hunt Evolves –

Unfetter –

The Effects of Opening Move Selection on Investigation Speed –

Detecting Data Staging & Exfil Using the Producer-Consumer Ratio –

Defining Threat Intelligence Requirements –

Europol’s 2016 Internet Organised Crime Threat Assessment (IOCTA) –

Active Directory Risk Auditing with BloodHound –

Mind Games: International Championship – Intelligence Agency Calculus –

Hunter’s Tool Chest: Sysmon –



Securing Windows Workstations: Developing a Secure Baseline –

The Diamond Model and Network Based Threat Replication –

The Windows Logging, File and Registry Auditing Cheat Sheets updated for Windows 10 and some cleanup and additions –

Why Threat Intelligence Sharing is Not Working: Towards An Incentive-Based Model –

Approaches to Threat Hunting –

The $5 Vendor-Free Crash Course: Cyber Threat Intel –

Nation State Threat Attribution: a FAQ –

Increased Use of WMI for Environment Detection and Evasion –

Scale-out Security Event Processing for detection and analysis –

The Empire Strikes Back –

Mapping Mirai: A Botnet Case Study –

Invoke-Obfuscation v1.1 (coming Sunday, Oct 9) –

Building Threat Hunting Strategies with the Diamond Model –

Cyber: Ignore the Penetration Testers –

Net Cease – Hardening Net Session Enumeration –

Threat Hunting – A Tale of Wishful Thinking and Willful Ignorance … –

Common Red Team Techniques vs Blue Team Controls Infographic –

More Detecting Obfuscated PowerShell –

MISP -The Design and Implementation of a Collaborative Threat Intelligence Sharing Platform –



Securing Domain Controllers to Improve Active Directory Security –

Seek Evil, and Ye Shall Find: A Guide to Cyber Threat Hunting Operations –

Leak on Aisle 12! An Analysis of Competing Hypotheses for the Tesco Bank Incident –

Moving Beyond EMET –

The Hunter’s Den: Internal Reconnaissance (Part 1) –

Kerberoasting Without Mimikatz –

2016 Targeted Threats in Review – What We’ve Learned –

Pentest Toolbox Additions 2016 –

On Nation States and Sophistication –

Digging Into Sysinternals: PsExec –

Extending Linux Executable Logging With The Integrity Measurement Architecture –

Introducing TheHive –

Independence and Threat Intelligence Platforms –

Kaspersky Security Bulletin. Predictions for 2017 –

The Hunting Cycle and Measuring Success –

Digital Forensics / Incident Response – The Definitive Compendium Project –

Microsoft replaces cmd.exe with PowerShell in latest Win10 build –

How to write security alerts –

ATT&CK™ Gaining Ground –

FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region –

SplunkConf 2016: Using Splunk to hunt for malicious PowerShell usage –

Hunting for Malware Critical Process Impersonation –

Uncover insider threats, blind spots in your network with Advanced Threat Analytics –

The Purple Team Pentest –

6 Red Team Infrastructure Tips –

20 Questions Smart Security Pros Should Ask About 'Intelligence' –

Hunting For and Detecting Advanced Threats with Sysmon –


How do security professionals study threat actors, & why do we do it? –

SAMRi10: Windows 10 hardening tool for thwarting network recon –

Detect Endpoint Threats by Analyzing Process Logs in QRadar –

The increased use of PowerShell in attacks –

Threat Intelligence –

“Sophisticated” and “Genius” Shamoon 2.0 Malware Analysis –

Windows 10: protection, detection, and response against recent Depriz malware attacks –

Evidence of Attackers’ Development Environment Left in Shortcut Files –

Unprotect Project –

Sysmon – The Best Free Windows Monitoring Tool You Aren’t Using –

Windows Wednesday: Application Compatibility Cache –

The Great Cyber Game: Commentary (2) – Analysis of a message of messages containing messages –

Will Advanced Threat Analytics help me with all operating systems? –

PowerShell Logging for the Blue Team –

Learning From A Year of Security Breaches –

Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units –

My Favorite Threat Intel Tweets of 2016 –

The Incident Response Hierarchy of Needs –

Working with Sysmon –

The Kings In Your Castle Part 5: APT correlation and do-it-yourself threat research –

Technical developments in Cryptography: 2016 in Review –

Tor and its Discontents –

Insider Threats: “The Shadow Brokers” Likely Did Not Hack the NSA –

