Ancestors

Toot

Written by Still on 2024-12-08 at 05:16

I feel like the way some CTI research is done is fundamentally flawed sometimes. A lot of the time people treat each clue at face value. I think it's better to reserve judgment sometimes before confidently saying this or that must be X.

"Where is the sample submitted from? UK? The victim must be from the UK then!" whilst ignoring the possibility that the victim might have a VPN on since they're so prevalent these days, or even the possibility that the actor was the one who submitted it in the first place.

You can deduce and come to the conclusion that the UK is a possible targeted country by checking whether there has been a healthy stream of samples coming from the country, but at the same time who's to say a TA isn't poisoning the sample pool by submitting fake samples from the proposed country?

Similar things can be said about malware family attribution as well - a lot of the time CTI researchers use code overlap as a strong argument for relating one TA to another, but who's to say someone didn't just read an OSINT report and decide "hey, that'd be a fun thing to implement in my loader", and/or use the same RAT while they're at it?

Idk, just food for thought when I'm lying in bed thinking about things.

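The sandbox-submission argument above (a "healthy stream" of samples from a country vs. one submitter, or the actor, seeding the pool) can be made mechanical. The following is an added example, not code from the original thread: it takes constructed submission records (sha prefix, date, submitter country as geolocated by the sandbox, submitter account) and grades each country's submission evidence, downgrading it whenever the stream comes from a single account, a dominant account, a single day, or too few samples. The field names, thresholds and the "weak"/"moderate" labels are assumptions chosen for illustration; no grade is ever "strong", because a geolocated submitter is never proof of the victim's location.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sandbox-submission records for illustration only (not real
# telemetry): (sha256 prefix, submission date, submitter country as
# geolocated by the sandbox, submitter account id).
SUBMISSIONS = [
    # GB: five samples, but all from one account -> looks like a stream, isn't
    ("a1", date(2024, 11, 1), "GB", "acct-01"),
    ("a2", date(2024, 11, 1), "GB", "acct-01"),
    ("a3", date(2024, 11, 2), "GB", "acct-01"),
    ("a4", date(2024, 11, 2), "GB", "acct-01"),
    ("a5", date(2024, 11, 3), "GB", "acct-01"),
    # DE: fewer samples, but independent submitters spread over days
    ("b1", date(2024, 11, 1), "DE", "acct-10"),
    ("b2", date(2024, 11, 4), "DE", "acct-11"),
    ("b3", date(2024, 11, 9), "DE", "acct-12"),
    ("b4", date(2024, 11, 12), "DE", "acct-10"),
    # FR: a single submission
    ("c1", date(2024, 11, 5), "FR", "acct-20"),
]

# Thresholds are assumptions for the example, not published guidance.
MIN_SAMPLES = 3
DOMINANT_SHARE = 0.75


def country_evidence(submissions):
    """Grade, per submitter country, how much weight the submission origin
    deserves as evidence of where victims are.

    Returns {country: {samples, submitters, days, strength, caveats}}.
    strength is "weak" if any caveat applies, otherwise "moderate".
    It is deliberately never "strong": submitter geolocation can be a VPN
    exit or the actor's own upload, which this data cannot distinguish.
    """
    by_country = defaultdict(list)
    for sha, day, country, account in submissions:
        by_country[country].append((sha, day, account))

    report = {}
    for country, rows in by_country.items():
        accounts = Counter(account for _, _, account in rows)
        days = {day for _, day, _ in rows}
        top_account, top_count = accounts.most_common(1)[0]
        caveats = []
        if len(accounts) == 1:
            caveats.append("single submitter")
        elif top_count / len(rows) > DOMINANT_SHARE:
            caveats.append(f"one submitter dominates ({top_account})")
        if len(days) == 1:
            caveats.append("single-day burst")
        if len(rows) < MIN_SAMPLES:
            caveats.append("too few samples")
        report[country] = {
            "samples": len(rows),
            "submitters": len(accounts),
            "days": len(days),
            "strength": "weak" if caveats else "moderate",
            "caveats": caveats,
        }
    return report


if __name__ == "__main__":
    for country, info in sorted(country_evidence(SUBMISSIONS).items()):
        print(country, info)
```

Run as-is, GB comes out "weak" despite having the most samples (all five are from acct-01), DE comes out "moderate" (three independent accounts over four days), and FR is "weak" on every count. The grade says only how much the submission pattern can support a targeting hypothesis; it should be reported as a remaining intelligence gap, not as confirmation.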

Descendants

Written by Still on 2024-12-08 at 05:18

Also, a lot of researchers and/or companies rely on certain providers for their source of samples and/or intel - what happens when the lead is just gone one day? What do you do then as a researcher?


Written by Not Simon 🐐 on 2024-12-08 at 05:29

@still I read a lot of CTI research and have my own preferences at this point.


Written by Bongoknight on 2024-12-08 at 09:22

@still You are 100% right; hypotheses made, doubts and remaining intelligence gaps are not properly reported...


Proxy Information
Original URL
gemini://mastogem.picasoft.net/thread/113615501881295202