Cyber Threat Intelligence 101: This #BSidesNoVA 2025 workshop will present an introduction to the basic concepts of threat analysis, leveraging open-source tools, and processing threat intelligence reports in support of computer network defense and incident response. #CTI

Register: https://tinyurl.com/bsidesnova2025tix

We are pleased to announce the release of MISP v2.5.22.

This release brings new features, improvements, fixes, and important updates to keep MISP stable and up to date.

https://www.misp-project.org/2025/10/02/misp.2.5.22.released.html/

From C to Python to Rust: How We Built a Fast URL Parser in 3 Days

When our @ail_project (https://github.com/ail-project) started hitting performance walls with URL processing, we knew we needed a change. We were using Faup (https://github.com/stricaud/faup), a capable C library, but faced two growing pains: architectural portability issues and cumbersome Python binding installations. Our first attempt was rewriting it in Python - which solved the installation problems but created new performance bottlenecks when processing millions of URLs.

That's when we decided to try Rust. Three days later, we had faup-rs (https://github.com/ail-project/faup-rs) - a zero-allocation URL parser with full Python bindings (https://pypi.org/project/pyfaup-rs/).

What made this possible? Two incredible Rust ecosystem tools:
- Pest (https://github.com/pest-parser/pest) - it might look a bit hostile at first, but this parser generator has consistently saved us weeks of development time across multiple projects. You define the grammar, and Pest handles a lot of the parsing magic.
- PyO3 (https://github.com/PyO3) - which made creating Python bindings almost effortless.

The result speaks for itself:
- Fast URL parsing callable from Python
- True cross-platform compatibility
- Simple pip installation
- Zero allocations during parsing

This experience reinforced an important lesson: when you hit fundamental performance limits, sometimes the fastest solution is rewriting your bottleneck in Rust. The language's combination of speed, safety, and growing ecosystem makes these kinds of transformations not just possible, but practical even on tight timelines.

You can try it today:
- Rust crate: https://crates.io/crates/faup-rs
- Python package: https://pypi.org/project/pyfaup-rs

As always, it is open-source and you can check it out: https://github.com/ail-project/faup-rs

Did you know? ⟶ CrowdSec CTI includes rich metadata like whether an IP is a VPN, TOR exit node, residential proxy, or botnet actor.

This makes our CTI perfect for attribution and escalation decisions.

Learn more https://crowdsec.net/cyber-threat-intelligence

Questo ennesimo articolo “contro” ChatControl sarà assolutamente inutile?

Link all'articolo : https://www.redhotcyber.com/post/questo-ennesimo-articolo-contro-chatcontrol-sara-assolutamente-inutile/

Learn from the master, @klrgrz during this all-day beginner #CTI workshop at #BSidesNoVA!

Workshop description: https://bsidesnova-2025.sessionize.com/session/968295

Purchase tickets: https://www.eventbrite.com/e/bsidesnova-2025-hacker-u-october-10-11-arlington-va-tickets-1663744457459

We are pleased to announce the release of MISP v2.5.21.

This version introduces new features affecting the various correlation tools, important fixes, and various updates to objects, taxonomies, and galaxy.

#cti #opensource #threatintelligence #misp #cybersecurity

https://www.misp-project.org/2025/09/11/misp.2.5.21.released.html/

https://discourse.ossbase.org/t/misp-2-5-21-released-with-a-new-recorrelate-feature-various-fixes-and-updates/714

Did you know? ⟶ CrowdSec is one of the only threat intelligence platforms built on community defense.

This means that the more you use it, the stronger it becomes for everyone.

Learn more about the largest crowdsourced CTI network https://www.crowdsec.net/cyber-threat-intelligence

Could some people here be interested in a stream/blogpost/threads about threat hunting methodology?

I plan to use real world examples found in Cloudflare Top 1M domains. Boosts are welcome!

The Untold Story of CTI Summer Jazz Albums – 1972

The Curious Case of “CTI Summer Jazz at the Hollywood Bowl” - Doug tackles the details, many you won't know, we have a track by track playlist from the All-Stars live also 1972.

https://www.ctproduced.com/the-untold-story-of-cti-summer-jazz-recording-1972/

I’ve refreshed the “General Methodologies for Intelligence Analysis” section on threat-intelligence.eu

The page was a bit dated, so it now has cleaner references, better structure, and direct links to practical models (including MISP taxonomies).

https://threat-intelligence.eu/methodologies/

Contributions and ideas are more than welcome.

#cti #threatintelligence #opensource #community #cybersecurity #analyst

@misp

“The Beginning and Ending of Threat Actors” by @jfslowik

“Instead, Volt Typhoon becomes a construct: a cluster of linked actions, behavioral tendencies, and targeting preferences linked to PRC interests.”

This article provides a concise and clear overview of what often happens with threat actor labeling. If you are working in “threat intelligence,” read it carefully, then read it again, and review all the labels you use for different threat actors. You might be surprised to discover that many of them fall into the category of “constructed intelligence.”

This blog post could be the start of a book about accurate threat intelligence.

#cti #threatintel #threatintelligence #voltyphoon #cybersecurity

https://pylos.co/2025/08/29/the-beginning-and-ending-of-threat-actors/

@cR0w BlackBasta liked Stark Industries based on my chat leak analysis of their root server ASNs. Here’s a list of their top 30 ASNs by IP count, absolutely zero surprises:

432, AS206728 (Media Land LLC - Russia)
126, AS20473 (The Constant Company - US)
97, AS215376 (Media Land Cloud - Russia)
54, AS24940 (Hetzner Online GmbH - Germany)
19, AS210644 (AEZA International Ltd. - Great Britian)
18, AS142036 (Hosteons Pte. Ltd. - Singapore)
16, AS200019 (Alexhost SRL - Moldova)
15, AS62904 (Eonix Corporation - US)
13, AS204601 (Zomro B.V. - Netherlands)
12, AS58061 (Scalaxy B.V. - Latvia)
12, AS14061 (Digital Ocean - US)
11, AS39568 (Asia Wireless Group MChJ QK - Uzbekistan)
11, AS174 (Cogent Communications - US)
10, AS51765 (Oy Crea Nova Hosting Solution Ltd - Finland)
10, AS216024 (Aleksei Fedorov PR Krusevac - Serbia)
8, AS47583 (Hostinger International - Cyprus)
6, AS16276 (OVH SAS - France)
5, AS44477 (PQ Hosting Plus S.R.L. - Moldova)
5, AS36352 (HostPapa - US)
5, AS29802 (Hivelocity - US)
5, AS206804 (EstNOC OY - Estonia)
5, AS16276 (OVH SAS - France)
4, AS395954 (Leaseweb USA - US)
4, AS29551 (Aixit GmbH - Germany)
4, AS216300 (Closed Joint Stock Company AbkhazMedia - Georgia)
4, AS213230 (Hetzner Online GmbH - Germany)
4, AS212317 (Hetzner Online GmbH - Germany)
4, AS209132 (Alviva Holding Limited - Seychelles)
4, AS202015 (HZ Hosting Ltd. - Bulgaria)
4, AS19148 (LeaseWeb USA, Inc. - US)

RansomLook 1.9.0 – Sunny Release

We’re excited to announce version 1.9.0 of RansomLook, marking a major milestone:
2,000 onion sites monitored!

This release improves stability, extends coverage, and strengthens resilience against unstable or short-lived leak sites.

https://github.com/RansomLook/RansomLook/releases/tag/1.9.0

https://ransomlook.io

We are pleased to announce the release of MISP v2.5.18, featuring a brand-new on-demand correlation engine, new improved task scheduling, Forgejo CI integration, and a wide range of fixes and refinements.

#misp #threatintelligence #cti #tip #cybersecurity #opensource

For more details: https://www.misp-project.org/2025/08/20/misp.2.5.18.released.html/

“I am not a teacher, but an awakener.” – Robert Frost (1874-1963)

Lead a 4-hr or 8-hr #BSidesNoVA workshop on Friday, October 10th in Arlington, VA and awaken *your* love for #Hacking, #InfoSec, #CTI, or #DataPrivacy in someone!

Submit a workshop idea by August 18th!
https://sessionize.com/bsidesnova-2025/

Great write-up on a kind of threat that is not enough tracked by security companies. It's long but well explained and you have probably already crossed the path of Vextrio without knowing it, so it's worth your read.

https://blogs.infoblox.com/threat-intelligence/vextrios-origin-story-from-spam-to-scam-to-adtech/

Did you know? ⟶ CrowdSec's CTI database holds detailed behavior profiles for over 50 million IPs.

It goes beyond simple reputation feeds and gives your SOC team real context like attack methods, frequency, targets, and geolocation.

You can explore the behavior profiles here: https://app.crowdsec.net/cti

When I added the threat-actor @misp galaxy type on Mar 4, 2016, I didn’t expect that, years later, vendors would still invent new names for already known threat actors, avoid using UUIDs, reuse similar names for different actors, and create confusing names by mixing tools or software used by the actors.

That’s why we continue the tedious work of maintaining a proper threat-actor database, with relationships to other galaxies such as MITRE ATT&CK, Malpedia, and more.

After years of this monastic effort, we’re seeing the benefits—many open-source and proprietary tools now rely on the MISP galaxy, which serves as both an open standard and a public knowledge base.

We also maintain a dedicated website for all MISP galaxies. Here’s an example from the threat-actor database:
https://www.misp-galaxy.org/threat-actor/relations/fa80877c-f509-4daf-8b62-20aba1635f68/

Repository https://github.com/MISP/misp-galaxy/
Public website https://www.misp-galaxy.org/threat-actor/

If you’d like to become a monk (just kidding!) and contribute, feel free to open an issue or submit a pull request on the misp-galaxy repo.

In MISP, you can directly benefit from all the galaxies, and you also have advanced functionalities like forking and maintaining an up-to-date private version of the threat-actor database.