Attributive Questions in High Profile Incidents

On 30 January 2026, CERT.PL published findings concerning an attack on Poland's electric sector in December 2025. This report, presumably the most complete account of the incident, since it draws on multiple sources and comes from those who directly responded to the event as a whole, arrived after earlier reporting from commercial organizations on elements of the same event, as well as social media speculation. While a more complete and accurate view of events from late December 2025 has now emerged, the

Intelligence Poverty and the Commercial Data Economy

A core part of my teaching at Paralus is guiding attendees towards mechanisms of fusing internal telemetry and understanding with external data sources and feeds to arrive at a more robust understanding of threat actor operations and behaviors. This perspective is reflected in my work on intelligence production and development as well, such as my work on intelligence “pivoting” and looking at technical indicators as “composite objects.” Historically, for many organizations the primary obstacle to

The Beginning and Ending of Threat Actors

In July 2025, NSA officials at a conference in New York City made a surprising claim: “The good news is, [Volt Typhoon] really failed. They wanted to persist in domestic networks very quietly for a very long time so that if and when they needed to disrupt those networks, they could. They were not successful in that campaign.” The remarks, which came with a headline of “Volt Typhoon was ‘not successful’ at persisting in critical

Will the Real Salt Typhoon Please Stand Up?

On 17 July 2025, Bloomberg (no stranger to interesting information security reporting) issued a gated report on a non-public Recorded Future item related to Salt Typhoon activity. As previously noted in this space, Salt Typhoon operations are both incredibly significant given their targeting and scope, while also poorly understood and documented given the paucity of detailed public information on their operations. The Recorded Future report (or at least subsequent Bloomberg reporting on this report) would

The Intellectual Dishonesty and Moral Poverty of “Shields Up”

The United States’ Cybersecurity and Infrastructure Security Agency (CISA) launched a campaign roughly aligned with Russia’s horrific invasion of Ukraine in 2022 called “Shields Up.” At its core, “Shields Up” was designed as a set of relatively straightforward security best practices to prepare for expected increases in threat actor operations. Since its inception, the phrase has metastasized to cover all manner of persistent and perceived immediate cyber issues, from the ongoing ransomware epidemic to possible

Attribution With A Pinch of Salt (Typhoon)

Salt Typhoon first emerged in the public consciousness with media reporting in late 2024. The previously unknown (or overlooked) threat actor was quickly linked to widespread intrusions in major US-based telecommunications companies, and targeting of both specific systems used to enable lawful intercept operations as well as the communications of high profile individuals. Subsequent reporting indicated the group may not be limited to US operations, with unnamed officials indicating that multiple additional countries may also

The Normalization of the Unacceptable

On 04 June 2024, multiple hospitals in London declared a “critical incident” following a ransomware attack on a pathology services company called Synnovis. The incident resulted in multiple medical practices, including major hospitals, being unable to perform tasks such as blood transfusions or rapid testing of blood samples. Cascading impacts of this outage included cancelled surgeries and procedures, along with redirection of patients to other facilities. As analyzed previously, the increase in friction and time to care for

The CTI Mindset & The CTI Function

I recently came across a job posting for a cyber threat intelligence (CTI) analyst position. Given recent issues in the CTI marketplace with many individuals finding themselves in need of new roles, this at first glance appeared an excellent opportunity to pass on to those looking for work. However, with further scrutiny, the role appeared to be quite curious – a reasonably well compensated position for a critical infrastructure entity with fewer than 500 employees

Attaining Focus: Evaluating Vulnerabilities In The Current Threat Environment

Information security space observers may have encountered a phrase born out of both frustration and levity in 2023: “Hot Zero Day Summer.” While nearly two months remain as of this writing for Summer 2023, anecdotal evidence suggests that adversaries increasingly leverage vulnerabilities in external-facing applications and appliances to drive intrusions. Certainly, other intrusion vectors remain relevant and popular, such as phishing and related activities. But the list of vulnerable applications and services leading to widespread breaches, whether

What Have We Learned?

Background

Almost a year ago as of this writing, the Russian state initiated a new and astoundingly brutal campaign against Ukraine. While Russia had effectively been at war with Ukraine since not long after the Revolution of Dignity, late February 2022 initiated a far wider, nastier, and inhumane phase of this long-running conflict. During most of the period between 2014 and 2022, outside of low-level (but still nasty) conflict in Donetsk and Luhansk, much of