
All news with #threat hunting tag

66 articles · page 2 of 4

Rethinking the Human Layer: Farmers vs. Mercenaries

🛡️ Employees are commonly labeled "the last line of defense," but this article argues that such expectations misplace responsibility. The real human layer is the trained security team—CISOs, SOC analysts and threat hunters—whose capacity is being consumed by high false-positive volumes and noisy user-reporting. Organizations should reduce alert noise, improve tooling and restore analyst capacity rather than relying on broader awareness programs.

Using AI to Turn the Tables on Malicious Agents and Defend

🤖 AI accelerates attackers' ability to craft targeted social engineering, but defenders can leverage the same capabilities to create decoy personas and AI-generated employees that attract malicious profiling tools. By planting social posts, CVs, emails, and messaging accounts for fictitious staff, teams can detect reconnaissance, update IP/URL blocklists, and treat any interaction with those accounts as hostile telemetry. This approach turns attacker tooling into a source of actionable threat intelligence and enables rapid blocking and investigation.

Hands-On with NDR: Using Corelight Investigator in SOC

🧭 I spent a day using Corelight's Investigator NDR to learn how network detection and response supports SOC workflows. The interface prioritized high-risk detections, showed packet-level evidence and MITRE ATT&CK context, and let me dig into suspicious DNS, reverse shells, and exploit tool activity. Built-in GenAI provided step-by-step investigative actions, and integrations with SIEM, EDR and firewalls demonstrated how NDR enriches and correlates network telemetry for faster triage.

Purple Teaming Must Evolve: Focus After Detection Now

🛡️ Purple teaming has become transactional and shallow, creating a false sense of security. Standard engagements often highlight the bypass or the “win” without exploring what happens next, leaving invisible omissions that matter most under pressure. Two mature organizations were deeply compromised despite apparent controls, and embedded AI did not change the outcome. The article argues for rehearsal, co-ownership, and a shift to outcome-driven, systems-level thinking.

Human-AI Feedback Loop Powering Agentic Security at Scale

🔁 CrowdStrike describes a continuous human-AI feedback loop that pairs expert analysts with agentic AI to detect, investigate, and contain threats at machine speed. Human-annotated telemetry from Falcon Complete and Adversary OverWatch trains and reinforces models such as Charlotte AI, improving triage accuracy and reducing investigator effort. The system emphasizes analyst-validated reasoning to handle novel tradecraft and minimize false positives.

Schrödinger's Cat and the Enterprise Security Paradox

🔒 Many security leaders live with a practical paradox: the organization that appears secure on paper often coexists with a messier, attacker-facing reality. The author uses Schrödinger’s cat to show that without direct observation—alerts, correlated logs, or third-party findings—you cannot know whether you are safe or compromised. The piece reframes security as an observation problem, urging measurement of telemetry coverage, operationalized threat hunting, and cultural change that rewards surfacing ambiguity rather than hiding it.

Profiling Cloud Threat Actors via MITRE-Mapped Alerts

🔎 Unit 42 demonstrates a practical method to map cloud alert events to MITRE ATT&CK tactics and techniques and use the resulting alert patterns as operational fingerprints for known threat actors. The study examined alerts from cloud providers, containers, cloud-hosted applications, and SaaS across 22 industries between June 2024 and June 2025. Comparing cybercrime actor Muddled Libra and nation-state group Silk Typhoon, researchers found distinct, identifiable alert fingerprints and recommend proactive monitoring and mitigation, including Cortex Cloud runtime detection.

Shadow Campaigns: Global State-Aligned Cyber Espionage

🔎 Unit 42 details a newly tracked, state-aligned cyberespionage group labeled TGR-STA-1030 that has targeted government and critical infrastructure across 37 countries. The report documents coordinated phishing using a Diaoyu loader, exploitation of known N-day vulnerabilities, and a transition from Cobalt Strike to Go-based C2 frameworks. It also describes a bespoke Linux eBPF rootkit, ShadowGuard, and provides actionable IoCs (IPs, domains, hashes) to support defenders.

Practical Value of Cyberthreat Attribution in Defense

🔎 Analysts often stop at sandboxing and blocklisting, but that approach fails against targeted, multi-stage intrusions. Attribution — linking artifacts to known groups — enables defenders to find related tools, tactics and IOCs and to prioritize remediation. Using the Kaspersky Threat Intelligence Portal, the article shows how TTP correlation, YARA rules and SIEM signatures can accelerate containment and reduce false positives.

How risk culture makes cyber teams predictive and resilient

🔍 Forecasting in cybersecurity is framed as disciplined habits and clear choices rather than guesswork. The author argues teams trapped in constant incident mode must build a risk culture where weak signals and near misses are captured, named, and acted on without fear. Practical steps include lightweight near-miss logs, explicit decision rights, concise behavioral standards, and a steady operating rhythm of weekly reviews, monthly scenario practices and quarterly tests to shift from reflexive response to proactive foresight.

73% of CISOs Now Prefer AI-Enabled Security Solutions

🛡️ Foundry's Security Priorities Study finds 73% of security decision-makers are now more likely to consider a security solution that uses artificial intelligence, up from 59% a year earlier. CISOs plan to deploy AI for malware and threat detection, anomaly detection, real-time risk prediction, IAM, DLP, automation of responses, and improved visibility. Respondents cited faster detection of unknown threats, accelerated response times, and lower analyst workload. Experts caution against vendor hype, data-quality issues, hallucinations, and governance gaps, and recommend building AI-ready security data platforms.

Iran's Partial Internet Shutdown: Opportunity for Intel

🔍 The near-total internet blackout Iran imposed on January 8 may offer SOC teams a rare chance to observe and digitally fingerprint government-controlled traffic. Vendors argue that with residential and business noise silenced, remaining connections likely originate from state assets, making them high-confidence signals for threat modeling and short-term intelligence collection. Analysts caution, however, that sophisticated state actors can deceive attribution, legitimate government traffic may be benign, and routing artifacts often disappear once services are restored, so captured data should be treated as contextual input, not definitive proof.

Incident Response Perspectives with Terryn Valikodath

🔍 Terryn Valikodath, Senior Incident Response Consultant at Cisco Talos, describes a role that blends technical investigation with clear communication and proactive planning. He explains how his team balances developing incident response plans, running tabletop exercises and threat hunts with hands-on reactive investigations and remediation. Terryn highlights the reward of teaching through multi-day cyber range trainings and the satisfaction of helping organizations recover and build trust.

Seven Signs Your Cybersecurity Framework Needs Overhaul

🛡️ Cybersecurity frameworks require ongoing reassessment; this article highlights seven warning signs that your program may need substantial revision. Industry experts recommend adopting a dynamic detection-and-response model, integrating AI, and aligning frameworks to NIST while avoiding purely compliance-driven designs. Common problems include failing continuous monitoring, reactive alert triage, declining KRIs/KPIs, and recent incidents. Practical advice: schedule structured reviews, add interim check-ins, and rebuild when incremental fixes no longer suffice.

Fix SOC Blind Spots with Industry and Geo Threat Context

🔍 Modern SOCs frequently operate in a reactive mode, discovering threats only after incidents escalate. ANY.RUN's Threat Intelligence Lookup augments alerts with behavioral insight, infrastructure links, and sandbox observations so analysts can prioritize high-risk findings. Paired with continuous TI Feeds and industry/geographic attribution, teams reduce noise, speed triage, and tune detections to protect the business proactively.

Mandiant and ThreatSpace: Testing Real-World Resilience

🔒 Mandiant uses the ThreatSpace cyber range to recreate realistic corporate networks and adversary TTPs without risking production assets. The disposable, stateless environment—backed by Google Threat Intelligence Group and frontline Mandiant insights—lets teams miss indicators, exercise playbooks, and stress-test collaboration under crisis conditions. Paired with unscripted red team assessments, these services reveal operational gaps and drive rapid remediation.

NCSC Addresses Guidance Gap for Cyber-Deception Use

🛡️ The NCSC published findings from an Active Cyber Defence 2.0 pilot that evaluated cyber-deception solutions across 121 UK organisations and 14 vendors. The report highlights barriers including inconsistent terminology, a lack of impartial guidance, difficulty producing outcome-based metrics, and risks from misconfiguration. The centre plans large-scale deployment of honeypots, honeytokens and cloud traps and urges planning, continual tuning and peer learning to realise benefits safely.

Schrödinger’s Cat and the Hidden State of Cybersecurity

🐱 The article argues organisations often exist in a 'pre-breach' or "quantum breach" state — effectively both breached and not until they observe their environments. It warns that perimeter-focused measures can be insufficient when attackers steal credentials or use social engineering, and that deploying EDR/XDR without skills can create signal overload. Connolly recommends vendor-led MDR services as a practical path to continuous detection, hunting and remediation.

Saved Searches Now Available in Google GTI and VirusTotal

🔍 The new Saved Searches feature is now live in Google Threat Intelligence (GTI) and VirusTotal, enabling analysts to store complex queries for reuse. Users can save multi-clause, tuned searches and share them with colleagues across their organization to preserve investigative logic and ensure consistency. The release includes public campaign searches from the #monthofgoogletisearch to help teams get started quickly.

Changing the Physics of Cyber Defense with Graphs Today

🔍 John Lambert of MSTIC argues defenders should model infrastructure as directed graphs of credentials, entitlements, dependencies and logs so they can trace the attacker’s “red thread.” He introduces the algebras of defense—graphs, relational tables, anomalies, and vectors over time—that let analysts and AI ask domain-specific questions like blast radius or path to crown jewels. Lambert also emphasizes preventative hygiene: asset and entitlement management, deprecating legacy systems, segmentation, and phishing-resistant MFA. He urges collaborative intelligence and AI-enabled tooling to shift advantage back to defenders.