IntrusionLabs Blog
Threat intelligence engineering, what fell out of the data this week, and notes from building a public honeypot network in the open.
After 40 years in security, I'm building the threat intelligence I wish existed
A New Year's resolution from someone who has spent a long career on the receiving end of serious nation-state network threats: build the kind of threat intelligence working CTI analysts deserve, with chain-of-custody, citation-grade provenance, and the rigor that's missing between free feeds and enterprise contracts.
I added one field and found a 4,154-IP botnet
The first HASSH fingerprint I clicked on returned 4,154 source IPs, all running the same SSH client across 10 ASNs and 74 countries. Here's what that means and how the detector works.
How we populate all four intent axes
A month ago our threat classifier was four-valued in schema and two-valued in practice: 259 benign, 9 Tor-suspicious, 0 malicious, 14k unknown. Here's how we finished it, what each axis actually means, and why the reason string behind every verdict is stored on the actor.
A CTI analyst asked me 'who's your customer?' and I had three answers
A CTI analyst friend reviewed intrusionlabs.com last week and her one-line question forced a strategy reset that had been overdue for two months. Here's what she saw, what we'd been hedging on, and who IntrusionLabs is actually built for.
One IP, 23,307 unique passwords, eight hours: anatomy of a 'rise' that wasn't
A 3x spike in our dashboard's attack-volume chart traced to a single Melbikomas-hosted IP burning through 23,307 distinct passwords against root in eight hours, never repeating one, apparently never noticing every login was already 'succeeding.'