- π Iβm a Security Researcher working in Cyber Threat Intelligence since 2019
- π BSc (Hons) Graduate of Computer and Information Security
- π Student of SANS FOR578 and earned the GIAC GCTI certification
- π Co-Author and Instructor of the SANS FOR589 Cybercrime Intelligence course
- π Read about my first year in CTI here
- β‘ Fun fact: I discovered OZH RAT and TitanStealer
- π΅οΈββοΈ I've contributed to the Mitre ATT&CK framework - TeamTNT & SEO Poisoning
- π I create my own Hacker Fiction stories (with a little help from AI) here
- π» Previously worked for Cyjax, read my Research Blogs here
- π Currently working at the Equinix Threat Analysis Center (ETAC)
- Open sources tools for CTI - Collection of resources for OSINT analysis
- Exploring APT campaigns - VirusTotal Graphs and Maltego Diagrams
- 2x Insider Threat-themed CTFs - OSINT challenges
- Malware Zoo- Hashes of famous malware
- Open Source Malware- Links to OSTs on GitHub
- OSINT Search Operators- Shodan Queries and Google Dorks
- CTI Lexicon- Acronyms and Technical Jargon
- CTI Quiz - 4 Topics of Multiple Practice Questions
- Abuse Legitimate Services - List of services used for malware and phishing
- Android Banking Trojan Nexus - Centralised list of Android banking malware families
- Breach Report Collection - Collection of breach reports for case studies
- Cybercrime Police Raids - Collection of raids on cybercriminals by police for case studies
- UK Critical Infrastructure - Collection of case reports of attacks on UK CNI for case studies
- OPSEC 101 - A guide to better security for non-technical family, friends, and colleagues
- YARA Rules - Repo of my various YARA Rules that can be used for Threat Research
- Python Projects - Repo of my various Python Scripts that can be used for CTI
- EternalLiberty - APT moniker database
- Curated Intel: Log4Shell IOCs - Vetted IOCs and analysis of threats leveraging Log4Shell
- Curated Intel: Ukraine Cyber Operations - Threat Intelligence to assist Ukrainian organisations
- Curated Intel: CTI Fundamentals - A collection of essential resources related to CTI theory
- Curated Intel: MOVEit Transfer Campaign Tracking - Tracking events related to the MOVEit campaign
- Curated Intel: Threat Actor Profile Guide - A guide for CTI analysts
| Conference | Talk Title | Recording URL | Slides |
|---|---|---|---|
| Undisclosed | Introduction to CTI Research | n/a | here |
| Undisclosed | Practical Adversary Intelligence | n/a | here |
| Undisclosed | History of the Russian Intelligence Services and Hacking Campaigns | n/a | here |
| conINT 2020 | Using Cyber Threat Intelligence to Defend against Ransomware | YouTube | here |
| BeerCon2 | Gone Phishin' / Attack of the phish (something something phishing) | YouTube | here |
| TMHC IsolationCon2 | Exploiting the Supply-Chain for Fun and Espionage | Website | here |
| DEFCON29 | Blue Team Village Panel: Threat Report Roulette | YouTube | n/a |
| BeerCon3 | Hacking-As-A-Service: Becoming An APT Is Easier Than Ever! | Website | here |
| NFCERT Annual Conference | Lessons from the Conti Leaks | n/a | here |
| BeerCon4 | Practical Vulnerability Intelligence | YouTube | here |
| BSides Cheltenham 2023 | They Can't Keep Getting Away With It: Analysis of ScatteredSpider/0ktapus campaigns | YouTube | here |
| BSides Basingstoke 2023 | CL0P Likes To MOVEit MOVEit | YouTube | here |
| HexCon23 | The Dynamic Duo: When Russian and Western Cybercriminals Combine | n/a | here |
| SANS CyberThreat23 | Practical Cybercrime Intelligence | n/a | here |
| Podcast | Topic(s) | URL |
|---|---|---|
| Risky Biz News | Critical vulnerability (CVE-2022-1388) in F5 BIG-IP (from 8m 20s) | risky.biz |
| Technical Outcast | Curated Intelligence on the Conti Playbook leaks (from 30m 30s) | spotify.com |
| Darknet Diaries #126 | REvil Ransomware | darknetdiaries.com |
| Click Here by Recorded Future News | Breach Forums Takedown | twitter.com/ClickHereShow |
| MyOSINT Training | Part of the "Careers Using OSINT Skills" series | YouTube |
| Infosecurity Magazine | Inside the MOVEit Attack: Decrypting Clop's TTPs and Empowering Cybersecurity Practitioners (from 16m 21s) | infosecurity-magazine.com |
| Intel471 Cybercrime Exposed | The Extortionists | intel471.com |
| SANS Wait Just An Infosec | In Hot Pursuit: Tracking Ransomware Actors (from 13m 00s) | linkedin.com |
| SANS Threat Analysis Rundown (STAR) | Disccusing Threats from Week 43 of 2023 | linkedin.com |
| SANS Wait Just An Infosec | Ransomware Kingpins LockBit Disrupted | YouTube |
- CISA.gov - Link to Curated Intel resource on Log4Shell
- HHS.gov - Malicious Use of Email Marketing Services
- HHS.gov - Abuse of Legitimate Security Tools and Health Sector Cybersecurity
- CERT Ukraine - APT28 (UAC-0028)
- CNN - LockBit attack on ICBC
- Reuters - ALPHV/BlackCat Exit Scam
- The Telegraph - Royal Mail SMS phishing campaigns
- The Telegraph - NB65 leverages Conti source code
- Vice Motherboard - Workers Unite
- TechCrunch - Israel/Hamas War Hacktivism
- WIRED - Israel/Hamas War Hacktivism
- π€ My Interview with TheSecurityNoob blog here
- 1οΈβ£ Top of the 'Top 10 CTI Experts & Intelligence Pioneers' in 2024 here
- π On the SOCRadar 'Top 10 Twitter Accounts to Follow for Threat Intelligence' in 2023 here
- π On the SentinelOne '23 Influential Accounts to Follow in 2023' here
- Microsoft 365 Defender Threat Intelligence Team - Franken-phish
- Microsoft 365 Defender Threat Intelligence Team - The Conti Leaks
- Maltego - How Do You Run a Cybercrime Gang?
- RISKIQ - Turkey Dog
- Rapid7 - REvil attack on Kaseya
- Splunk - REvil attack on Kaseya
- VirusTotal Blog - North Korean APT using the Amadey Trojan
- Proofpoint - Charting TA2541's Flight
- SentinelOne - Ransomware Decryption Intelligence
- CyberDefenders - L'espion OSINT CTF
- SANS Internet Storm Center - Qakbot
- SANS OSINT Summit - Discord for CTI
- Phishunt.io - Community
- Bleeping Computer - Hunters International, potential Hive rebrand
- Bleeping Computer - APT Targeting Renewable Energy
- Bleeping Computer - Basecamp
- Bleeping Computer - North Koreans Targeting Researchers
- Bleeping Computer - BazarCall
- Bleeping Computer - Monzo phishing
- Bleeping Computer - Brute Ratel Cracked
- Bleeping Computer - ESXi Linux version of Royal Ransomware
- Bleeping Computer - Coinbase SMS attacks
- Bleeping Computer - Dragos Security Incident
- The Record - IcedID spam campaign
- The Record - Passwordstate
- The Record - APT31
- The Record - Trickbot
- The Record - Phorpiex
- The Record - BlackMatter
- The Record - REvil affiliate
- The Record - Log4Shell
- CyberScoop - Belarus Cyber Partisans
- CyberScoop - Aviation RATs
- CyberScoop - Exposing Ransomware Operators
- CyberScoop - Breach Forums Takedown
- CyberScoop - Genesis Market Seized
- CyberScoop - UK Electoral Commission Breach
- CyberScoop - ALPHV/BlackCat Exit Scam
- Risky Biz News - The Continuity of Conti
- Risky Biz News - Darth Maul Market
- Risky Biz News - RedZei
- Risky Biz News - Raspberry Robin
- Risky Biz News - GreenMwizi
- Risky Biz News - The DaVinci Group
- Arstechnica - APT31
- PortSwigger - North Koreans APTs
- DarkReading - RedZei
- The Register - Conti attack on HSE
- The Register - CL0P campaigns against MFTs
- Infosecurity Magazine - LockBit Claims TSMC Hack
- Infosecurity Magazine - UK Electoral Commission Breach
- Infosecurity Magazine - iSOON Leaks
- The Hacker News - TitanStealer
- The Hacker News - RedZei
- Security Affairs - Brute Ratel Cracked
- Security Affairs - CL0P claims ICS vendors
- SecurityWeek - APT campaign targeting EMEA and APAC governments
- SecurityWeek - ICS Vendors Targeted in Espionage Campaign Focusing on Renewable Energy
- Bank Info Security - iSOON Leak