🎙️ Avec Yoan Schinck sur le threat hunting en KQL!
Au menu:
• Workshop threat hunting dans Microsoft Sentinel
• Détection d'abus de comptes de service
• Comment créer un homelab avec juste 2 VM et des outils gratuits
Sa philosophie: maîtrisez les concepts, la syntaxe s'apprend ensuite.
🎧 Web: https://polysecure.ca/posts/episode-0x673.html#db0bb2c2
🎧 Spotify: https://open.spotify.com/episode/1jBpkTICSTl60b2T2AMyPA?si=UjbrTZYQSFygVHm68VAWjw
🎧 YouTube: https://youtu.be/xooV2tQ4dy8
➡️ The above is from a Threat Brief: "Signed Malware, PowerShell Abuse, and Azure Exfiltration in Fake WinSCP Intrusion"
➡️➡️Interested in receiving reports like this one? Contact us for a demo or pricing - https://thedfirreport.com/contact/
#DFIR #ThreatIntel #IncidentResponse #CyberSecurity #InfoSec #ThreatHunting #IncidentResponse #DigitalForensics #BlueTeam
📰 AI Threat Hunting Exposes 'GhostPenguin,' a Linux Backdoor Undetected for Months
AI-powered threat hunting uncovers 'GhostPenguin,' a C++ Linux backdoor that evaded AV detection for 4+ months. 🐧 The malware uses RC5-encrypted UDP over port 53 for stealthy C2. #Linux #Malware #ThreatHunting #AI #InfoSec
Zero Trust Security Model Explained: Is It Right for Your Organization?
1,135 words, 6 minutes read time.
When I first walked into a SOC that proudly claimed it had “implemented Zero Trust,” I expected to see a modern, frictionless security environment. What I found instead was a network still anchored to perimeter defenses, VPNs, and a false sense of invincibility. That’s the brutal truth about Zero Trust: it isn’t a single product or an off-the-shelf solution. It’s a philosophy, a mindset, a commitment to questioning every assumption about trust in your organization. For those of us in the trenches—SOC analysts, incident responders, and CISOs alike—the question isn’t whether Zero Trust is a buzzword. The real question is whether your organization has the discipline, visibility, and operational maturity to adopt it effectively.
Zero Trust starts with a principle that sounds simple but is often the hardest to implement: never trust, always verify. Every access request, every data transaction, and every network connection is treated as untrusted until explicitly validated. Identity is the new perimeter, and every user, device, and service must prove its legitimacy continuously. This approach is grounded in lessons learned from incidents like the SolarWinds supply chain compromise, where attackers leveraged trusted internal credentials to breach multiple organizations, or the Colonial Pipeline attack, which exploited a single VPN credential. In a Zero Trust environment, those scenarios would have been mitigated by enforcing strict access policies, continuous monitoring, and segmented network architecture. Zero Trust is less about walls and more about a web of checks and validations that constantly challenge assumptions about trust.
Identity and Access Management: The First Line of Defense
Identity and access management (IAM) is where Zero Trust begins its work, and it’s arguably the most important pillar for any organization. Multi-factor authentication, adaptive access controls, and strict adherence to least-privilege principles aren’t optional—they’re foundational. I’ve spent countless nights in incident response chasing lateral movement across networks where MFA was inconsistently applied, watching attackers move as if the organization had handed them the keys. Beyond authentication, modern IAM frameworks incorporate behavioral analytics to detect anomalies in real time, flagging suspicious logins, unusual access patterns, or attempts to elevate privileges. In practice, this means treating every login attempt as a potential threat, continuously evaluating risk, and denying implicit trust even to high-ranking executives. Identity management in Zero Trust isn’t just about logging in securely; it’s about embedding vigilance into the culture of your organization.
Implementing IAM effectively goes beyond deploying technology—it requires integrating identity controls with real operational processes. Automated workflows, incident triggers, and granular policy enforcement are all part of the ecosystem. I’ve advised organizations that initially underestimated the complexity of this pillar, only to discover months later that a single misconfigured policy left sensitive systems exposed. Zero Trust forces organizations to reimagine how users and machines interact with critical assets. It’s not convenient, and it’s certainly not fast, but it’s the difference between containing a breach at the door or chasing it across the network like a shadowy game of cat and mouse.
Device Security: Closing the Endpoint Gap
The next pillar, device security, is where Zero Trust really earns its reputation as a relentless defender. In a world where employees connect from laptops, mobile devices, and IoT sensors, every endpoint is a potential vector for compromise. I’ve seen attackers exploit a single unmanaged device to pivot through an entire network, bypassing perimeter defenses entirely. Zero Trust counters this by continuously evaluating device posture, enforcing compliance checks, and integrating endpoint detection and response (EDR) solutions into the access chain. A device that fails a health check is denied access, and its behavior is logged for forensic analysis.
Device security in a Zero Trust model isn’t just reactive—it’s proactive. Threat intelligence feeds, real-time monitoring, and automated responses allow organizations to identify compromised endpoints before they become a gateway for further exploitation. In my experience, organizations that ignore endpoint rigor often suffer from lateral movement and data exfiltration that could have been prevented. Zero Trust doesn’t assume that being inside the network makes a device safe; it enforces continuous verification and ensures that trust is earned and maintained at every stage. This approach dramatically reduces the likelihood of stealthy intrusions and gives security teams actionable intelligence to respond quickly.
Micro-Segmentation and Continuous Monitoring: Containing Threats Before They Spread
Finally, Zero Trust relies on micro-segmentation and continuous monitoring to limit the blast radius of any potential compromise. Networks can no longer be treated as monolithic entities where attackers move laterally with ease. By segmenting traffic into isolated zones and applying strict access policies between them, organizations create friction that slows or stops attackers in their tracks. I’ve seen environments where a single compromised credential could have spread malware across the network, but segmentation contained the incident to a single zone, giving the SOC time to respond without a full-scale outage.
Continuous monitoring complements segmentation by providing visibility into every action and transaction. Behavioral analytics, SIEM integration, and proactive threat hunting are essential for detecting anomalies that might indicate a breach. In practice, this means SOC teams aren’t just reacting to alerts—they’re anticipating threats, understanding patterns, and applying context-driven controls. Micro-segmentation and monitoring together transform Zero Trust from a static set of rules into a living, adaptive security posture. Organizations that master this pillar not only protect themselves from known threats but gain resilience against unknown attacks, effectively turning uncertainty into an operational advantage.
Conclusion: Zero Trust as a Philosophy, Not a Product
Zero Trust is not a checkbox, a software package, or a single deployment. It is a security philosophy that forces organizations to challenge assumptions, scrutinize trust, and adopt a mindset of continuous verification. Identity, devices, and network behavior form the pillars of this approach, each demanding diligence, integration, and cultural buy-in. For organizations willing to embrace these principles, the rewards are tangible: reduced attack surface, limited lateral movement, and a proactive, anticipatory security posture. For those unwilling or unprepared to change, claiming “Zero Trust” is little more than window dressing, a label that offers the illusion of safety while leaving vulnerabilities unchecked. The choice is stark: treat trust as a vulnerability and defend accordingly, or risk becoming the next cautionary tale in an increasingly hostile digital landscape.
Call to Action
If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.
D. Bryan King
Sources
Disclaimer:
The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.
#accessManagement #adaptiveSecurity #attackSurfaceReduction #behavioralAnalytics #breachPrevention #byodSecurity #ciso #cloudSecurity #cloudFirstSecurity #colonialPipeline #complianceEnforcement #continuousMonitoring #cyberResilience #cybersecurityAwareness #cybersecurityCulture #cybersecurityReadiness #cybersecurityStrategy #deviceSecurity #digitalDefense #edr #endpointSecurity #enterpriseSecurity #iam #identityVerification #incidentResponse #internalThreats #iotSecurity #lateralMovement #leastPrivilege #mfa #microSegmentation #mitreAttck #multiFactorAuthentication #networkSecurity #networkSegmentation #networkVisibility #nistSp800207 #perimeterSecurity #privilegedAccessManagement #proactiveMonitoring #proactiveSecurity #ransomwarePrevention #riskManagement #secureAccess #securityAutomation #securityBestPractices2 #securityFramework #securityMindset #securityOperations #securityPhilosophy #siem #socAnalyst #solarwindsBreach #threatDetection #threatHunting #threatIntelligence #zeroTrust #zeroTrustArchitecture #zeroTrustImplementation #zeroTrustModel #zeroTrustSecurity
Zero Trust isn’t just a buzzword—it’s a security mindset that forces you to verify everything. Are you ready to defend your network like a pro? 🔐 #ZeroTrust #Cybersecurity #ThreatHunting
GreyNoise reports a coordinated wave of login attempts against Palo Alto GlobalProtect portals, later expanding into scans of SonicWall SonicOS API endpoints. More than 7,000 IPs tied to 3xK GmbH infrastructure were involved.
Palo Alto Networks confirmed the activity represents credential-based probing, not a vulnerability exploit.
Defenders are encouraged to enforce MFA, track recurring client fingerprints, and apply dynamic blocking.
How are you monitoring for reconnaissance patterns across VPN and firewall surfaces today?
Share your approach and follow us for more operational threat updates.
#infosec #PaloAltoNetworks #SonicWall #GlobalProtect #ThreatHunting #ThreatIntel #NetworkSecurity #VPNsecurity
Researchers have documented a remote-worker infiltration workflow linked to the Lazarus APT by observing operators live inside ANY.RUN sandboxed “developer laptops.”
The sessions revealed identity-driven tooling, AI-assisted interviews, Chrome profile syncing, OTP utilities, and remote desktop access - all without traditional malware deployment.
How should defenders adapt hiring-related threat models to account for identity takeover and remote access–driven APT tradecraft?
Source: https://thehackernews.com/2025/12/researchers-capture-lazarus-apts-remote.html
Follow us for more continuous threat-intel coverage.
#Infosec #CyberSecurity #ThreatIntel #APT #RemoteWork #IdentitySecurity #TechNadu #DigitalSafety #SecurityOps #ThreatHunting
I just improved some features and fixed some bugs in Cyberclip.
- JSON data extraction
- Command palette search speed
- Hidden par default the text-related actions, as they clutter the UI. They are still accessible through the command palette (Ctrl+P).
Take a look at the images and alt text for more context. Feel free to reach out if you have any questions.
Ransomware Is Evolving Faster Than Defenders Can Keep Up — Here’s How You Protect Yourself
1,505 words, 8 minutes read time.
By the time most people hear about a ransomware attack, the damage is already done—the emails have stopped flowing, the EDR is barely clinging to life, and the ransom note is blinking on some forgotten server in a noisy datacenter. From the outside, it looks like a sudden catastrophe. But after years in cybersecurity, watching ransomware shift from crude digital vandalism into a billion-dollar criminal industry, I can tell you this: nothing about modern ransomware is sudden. It’s patient. It’s calculated. And it’s evolving faster than most organizations can keep up.
That’s the story too few people in leadership—and even some new analysts—understand. We aren’t fighting the ransomware of five years ago. We’re fighting multilayered, human-operated, reconnaissance-intensive campaigns that look more like nation-state operations than smash-and-grab cybercrime. And unless we confront the reality of how ransomware has changed, we’ll be stuck defending ourselves against ghosts from the past while the real enemy is already in the building.
In this report-style analysis, I’m laying out the hard truth behind today’s ransomware landscape, breaking it into three major developments that are reshaping the battlefield. And more importantly, I’ll explain how you, the person reading this—whether you’re a SOC analyst drowning in alerts or a CISO stuck justifying budgets—can actually protect yourself.
Modern Ransomware Doesn’t Break In—It Walks In Through the Front Door
If there’s one misconception that keeps getting people burned, it’s the idea that ransomware “arrives” in the form of a malicious payload. That used to be true back when cybercriminals relied on spam campaigns and shady attachments. But those days are over. Today’s attackers don’t break in—they authenticate.
In almost every major ransomware attack I’ve investigated or read the forensic logs for, the initial access vector wasn’t a mysterious file. It was:
This shift is massive. It means ransomware groups don’t have to gamble on phishing. They can simply buy their way straight into enterprise networks the same way a burglar buys a master key.
And once they’re inside, the game really begins.
During an incident last year, I watched an attacker pivot from a contractor’s compromised VPN session into a privileged internal account in under an hour. They didn’t need to brute-force anything. They didn’t need malware. They just used legitimate tools: PowerShell, AD enumeration commands, and a flat network that offered no meaningful resistance.
This is why so many organizations think they’re doing enough. They’ve hardened their perimeter against yesterday’s tactics, but they’re wide open to today’s. Attackers aren’t battering the gates anymore—they’re flashing stolen IDs at the guard and strolling in.
Protection Strategy for Today’s Reality:
If your externally facing systems aren’t aggressively patched, monitored, and access-controlled, you are already compromised—you just don’t know the attacker’s timeline. Zero Trust isn’t a buzzword here; it’s the bare minimum architecture for surviving credential-driven intrusions. And phishing-resistant MFA (FIDO2, WebAuthn) is no longer optional. The attackers aren’t breaking locks—they’re using keys. Take the keys away.
Ransomware Has Become a Human-Operated APT—Not a Malware Event
Most news outlets still describe ransomware attacks as if they happen all at once: someone opens a file, everything locks up, and chaos ensues. But in reality, the encryption stage is just the final act in a very long play. Most organizations aren’t hit by ransomware—they’re prepared for ransomware over days or even weeks by operators who have already crawled through their systems like termites.
The modern ransomware lifecycle looks suspiciously like a well-executed red-team engagement:
Reconnaissance → Privilege Escalation → Lateral Movement → Backup Destruction → Data Exfiltration → Encryption
This isn’t hypothetical. It’s documented across the MITRE ATT&CK framework, CISA advisories, Mandiant reports, CrowdStrike intel, and pretty much every real-world IR case study you’ll ever read. And every step is performed by a human adversary—not just an automated bot.
I’ve seen attackers spend days mapping out domain trusts, hunting for legacy servers, testing which EDR agents were asleep at the wheel, and quietly exfiltrating gigabytes of data without tripping a single alarm. They don’t hurry, because there’s no reason to. Once they’re inside, they treat your network like a luxury hotel: explore, identify the vulnerabilities, settle in, and prepare for the big finale.
There’s also the evolution in extortion:
First there was simple encryption.
Then “double extortion”—encrypting AND stealing data.
Now some groups run “quadruple extortion,” which includes:
They weaponize fear, shame, and compliance.
And because attackers spend so long inside before triggering the payload, many organizations don’t even know a ransomware event has begun until minutes before impact. By then it’s too late.
Protection Strategy for Today’s Reality:
You cannot defend the endpoint alone. The malware is the final strike—what you must detect is the human activity leading up to it. That means investing in behavioral analytics, log correlation, and SOC processes that identify unusual privilege escalation, lateral movement, or data staging.
If your security operations program only alerts when malware is present, you’re fighting the last five minutes of a two-week attack.
Defenders Still Rely on Tools—But Ransomware Actors Rely on Skill
This is the part no vendor wants to admit, but every seasoned analyst knows: the cybersecurity industry keeps selling “platforms,” “dashboards,” and “single panes of glass,” while attackers keep relying on fundamentals—privilege escalation, credential theft, network misconfigurations, and human error.
In other words, attackers practice.
Defenders purchase.
And the mismatch shows.
A ransomware affiliate I studied earlier this year used nothing but legitimate Windows utilities and a few open-source tools you could download from GitHub. They didn’t trigger a single antivirus alert because they never needed to. Their skills carried the attack, not their toolset.
Meanwhile, many organizations I’ve worked with:
If you’re relying on a product to save you, you’re missing the reality that attackers aren’t fighting your tools—they’re fighting your people, your processes, and your architecture.
And they’re winning when your teams are burned out, understaffed, or operating with outdated assumptions about how ransomware works.
The solution starts with a mindset shift: you can’t outsource resilience. You can buy detection. You can buy visibility. But the ability to respond, recover, and refuse to be extorted—that’s something that has to be built, not bought.
Protection Strategy for Today’s Reality:
Focus on the fundamentals. Reduce attack surface. Prioritize privileged access management. Enforce segmentation that actually blocks lateral movement. Train your SOC like a team of threat hunters, not button-pushers. Validate your backups the way you’d validate a parachute. And for the love of operational sanity—practice your IR plan more than once a year.
Tools help you.
Architecture protects you.
People save you.
Attackers know this.
It’s time defenders embrace it too.
Conclusion: Ransomware Isn’t a Malware Problem—It’s a Strategy Problem
The biggest mistake anyone can make today is believing ransomware is just a piece of malicious software. It’s not. It’s an entire ecosystem—a criminal economy powered by stolen credentials, unpatched systems, lax monitoring, flat networks, and the false sense of security that comes from buying tools instead of maturing processes.
Ransomware isn’t evolving because the malware is getting smarter. It’s evolving because the attackers are.
And the only way to protect yourself is to accept the truth:
You can’t defend yesterday’s threats with yesterday’s assumptions. The ransomware gangs have adapted, industrialized, and professionalized. Now it’s our turn.
If you understand how ransomware really works, if you harden your environment against modern access vectors, if you detect human behavior instead of waiting for encryption, and if you treat security as a practiced discipline rather than a product—you can survive this. You can protect your organization. You can protect your career. You can protect yourself.
But you have to fight the enemy that exists today.
Not the one you remember from the past.
Call to Action
If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.
D. Bryan King
Sources
Disclaimer:
The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.
#cisoStrategy #cloudSecurityRisk #credentialTheftAttacks #cyberDefenseFundamentals #cyberExtortion #cyberHygiene #cyberThreatIntelligence #cyberattackEscalation #cybercrimeTrends #cybersecurityLeadership #cybersecurityNewsAnalysis #cybersecurityResilience #dataExfiltration #digitalForensics #doubleExtortionRansomware #edrBestPractices #enterpriseSecurityStrategy #ethicalHackingInsights #humanOperatedRansomware #incidentResponse #lateralMovementDetection #malwareBehaviorAnalysis #mitreAttckRansomware #modernRansomwareTactics #networkSegmentation #nistCybersecurity #patchManagementStrategy #phishingResistantMfa2 #privilegedAccessManagement #ransomwareAttackVectors #ransomwareAwareness #ransomwareBreachImpact #ransomwareBreachResponse #ransomwareDefense #ransomwareDetectionMethods #ransomwareDwellTime #ransomwareEncryptionStage #ransomwareEvolution #ransomwareExtortionMethods #ransomwareIncidentRecovery #ransomwareIndustryTrends #ransomwareLifecycle #ransomwareMitigationGuide #ransomwareNegotiation #ransomwareOperatorTactics #ransomwarePrevention #ransomwareProtection #ransomwareReadiness #ransomwareReport #ransomwareSecurityPosture #ransomwareThreatLandscape #securityOperationsCenterWorkflows #socAnalystTips #socThreatDetection #supplyChainCyberRisk #threatHunting #vpnVulnerability #zeroTrustSecurity
November’s @THOR_Collective Dispatch Debrief is live with SCADA weirdness, Taylor’s Version SOC vibes, and purple team chaos.
Come thrunt with us.
https://dispatch.thorcollective.com/p/dispatch-debrief-november-2025
#threathunting #cybersecurity #thrunting #soc #blueteam #detectionengineering #incidentresponse #cyberdefense #aiinsecurity #agenticai #scada #otsecurity #purpleteam #grc #peakframework #THORcollective #dispatchdebrief
Our call for presentations is open for the upcoming Zeek workshop at CERN, Using Zeek in your security work? Built custom scripts or plugins? Analyzing protocols with Spicy? We want to hear about it.
Microsoft is bringing Sysmon natively into Windows 11 & Windows Server 2025 - installable via Optional Features and updated through Windows Update.
Custom configs, advanced filtering, and the familiar event set (proc creation, file creation, tampering, WMI, network activity) all remain.
Docs + new enterprise management features are coming next year.
What’s your take on native Sysmon for enterprise visibility?
#Sysmon #infosec #windows11 #microsoftsecurity #blueteam #cybersecurity #threathunting #endpointsecurity
ShadowRay 2.0 demonstrates how attackers are now leveraging AI-generated tooling to exploit exposed Ray clusters and create a globally distributed botnet.
Highlights:
• CVE-2023-48022 exploited across thousands of Ray servers
• LLM-generated scripts tailored to victim environments
• Region-aware updates via GitLab + GitHub
• Hidden GPU mining (A100 clusters)
• Competing cryptominers battling for compute
Thoughts on the broader implications for AI security?
Boost, reply, and follow @technadu for more deep-dive threat research.
#Infosec #CyberSecurity #ShadowRay #AIThreats #RayFramework #Botnet #ThreatHunting #CloudSecurity
https://winbuzzer.com/2025/11/18/microsoft-integrates-system-monitor-sysmon-into-windows-11-xcxwbn
Microsoft Integrates System Monitor (Sysmon) into Windows 11
#Windows11 #Sysmon #CyberSecurity #InfoSec #Microsoft #WindowsServer #Sysinternals #BlueTeam #ThreatHunting #EdgeAI #WindowsUpdate
Uncover the cyber wolves at the electric grid's door—ransomware, APTs, and more—plus ironclad defenses to keep the lights on. Essential read for grid guardians. 💡🛡️ #CyberSecurity #ElectricGrid #ThreatHunting
CISA has issued a 7-day patch directive for actively exploited Fortinet FortiWeb vulnerability CVE-2025-64446 (rated 9.1 critical).
Researchers have confirmed exploitation, and reports indicate a zero-day version was being sold on underground forums. Hundreds of vulnerable appliances are visible online.
Is this an example of a necessary emergency directive - or a sign that vendors need more transparent patch timelines?
💬 Share your thoughts.
👍 Follow us for more detailed, unbiased cybersecurity coverage.
#Infosec #CISA #Fortinet #CVE202564446 #ThreatHunting #VulnerabilityManagement #CybersecurityNews
🐈 Cat’s Got Your Files: Lynx Ransomware
🎉New report out by @Friffnz, Daniel Casenove & @MittenSec!🎉
Attackers used stolen creds to access RDP, quickly pivoted to a DC with a second compromised admin, created impersonation accounts, mapped the environment, and more!
https://thedfirreport.com/2025/11/17/cats-got-your-files-lynx-ransomware/
#DFIR #ThreatIntel #IncidentResponse #CyberSecurity #InfoSec #ThreatHunting #IncidentResponse #DigitalForensics #BlueTeam
This is a great guide to hunt for employees connecting to IP-enabled KVM devices. Definitely taking these Crowdstrike queries and querying against our environment.
#ThreatHunting #ThreatIntel
https://blog.grumpygoose.io/be-kvm-do-fraud-8ab523d26c9d
Have you ever run the best hunt of your life and then forget how two weeks later?
Same.
Meet the PEAK Threat Hunting Template. Built to make your hunts repeatable, reviewable, and impossible to lose.
👉 Read on THOR Collective Dispatch - https://dispatch.thorcollective.com/p/the-peak-threat-hunting-template
#threathunting #cybersecurity #soc #dfir #blueteam #thrunting #thrunting #THORcollective
We recently learned a lot about how our community is using Zeek logs. See how they’re doing it: https://zeek.org/2025/11/5-ways-the-zeek-community-actually-uses-logs/
