Thoughts, Musings, and Other Items from the Worlds of Infosec, ICS, and Beyond

Predatory Sparrow, Out In The Cold?

“Predatory Sparrow” first emerged as a self-proclaimed hacktivist group in 2021 with pro-Israel intentions and operations focused on disruptive activity targeting Iranian entities and interests, although there a potential signs of even earlier operations against Syria. Of note, whereas most hacktivist entities or personas exhibit far more “bluster” than actual impact, Predatory Sparrow is responsible for notable incidents in Iran through 2025. Combined with veiled statements, curious responses, and leaks from US and Israeli sources, Read more

By Joe, ago

A Brief Critique of Practical Threat Intelligence

“Intelligence” is an overloaded concept in that the term may refer to a variety of items, actions, and deliverables. Attempts to define intelligence have existed for decades, and for a seemingly direct concept lead to extended discussion. As such, relatively new variations of this concept, such as “cyber threat intelligence” (CTI), are even fuzzier in nature and definition. Attempting to search for a universally recognized and accepted definition of CTI is an interesting game as Read more

By Joe, ago

Myth & Mythos: Where Do We Go From Here?

Computer science and particularly information security stories can occasionally “color” more general discourse, such as rampant speculation of cyber components of recent conflicts. But rarely do highly technical items reach true “escape velocity” to inundate popular media. The past few days have observed just this phenomenon with Anthropic’s announcement of its latest general-purpose language model, Mythos. Notably, the model was not released to the general public as it was effectively deemed “too dangerous” for public Read more

By Joe, ago

Attributive Questions in High Profile Incidents

On 30 January 2026, CERT.PL published findings concerning an electric sector attack on Poland in December 2025. This report, presumably the most complete on the incident covering multiple sources and coming from those directly responding to the total incident, arrived after earlier reporting from commercial organizations on elements of the same event, as well as social media speculation. While a more complete and accurate view of events from late December 2025 has now emerged, the Read more

By Joe, ago

Intelligence Poverty and the Commercial Data Economy

A core part of my teaching at Paralus is guiding attendees towards mechanisms of fusing internal telemetry and understanding with external data sources and feeds to arrive at a more robust understanding of threat actor operations and behaviors. This perspective is reflected in my work on intelligence production and development as well, such as my work on intelligence “pivoting” and looking at technical indicators as “composite objects.” Historically, for many organizations the primary obstacle to Read more

By Joe, ago

The Beginning and Ending of Threat Actors

In July 2025, NSA officials at a conference in New York City made a surprising claim: “The good news is, [Volt Typhoon] really failed. They wanted to persist in domestic networks very quietly for a very long time so that if and when they needed to disrupt those networks, they could. They were not successful in that campaign.” The remarks, which came with a headline of “Volt Typhoon was ‘not successful’ at persisting in critical Read more

By Joe, ago

Will the Real Salt Typhoon Please Stand Up?

On 17 July 2025, Bloomberg (no stranger to interesting information security reporting) issued a gated report on a non–public Recorded Future item related to Salt Typhoon activity. As previously noted in this space, Salt Typhoon operations are both incredibly significant given their targeting and scope, while also poorly understood and documented given the paucity of detailed public information on their operations. The Recorded Future report (or at least subsequent Bloomberg reporting on this report) would Read more

By Joe, ago

The Intellectual Dishonesty and Moral Poverty of “Shields Up”

The United States’ Cybersecurity and Infrastructure Security Agency (CISA) launched a campaign roughly aligned with Russia’s horrific invasion of Ukraine in 2022 called “Shields Up.” At its core, “Shields Up” was designed as a set of relatively straightforward security best practices to prepare for expected increases in threat actor operations. Since its inception, the phrase has metastasized to cover all manner of persistent and perceived immediate cyber issues, from the ongoing ransomware epidemic to possible Read more

By Joe, ago

Attribution With A Pinch of Salt (Typhoon)

Salt Typhoon first emerged in the public consciousness with media reporting in late 2024. The previously unknown (or overlooked) threat actor was quickly linked to widespread intrusions in major US-based telecommunications companies, and targeting of both specific systems used to enable lawful intercept operations as well as the communications of high profile individuals. Subsequent reporting indicated the group may not be limited to US operations, with unnamed officials indicating that multiple additional countries may also Read more

By Joe, ago

The Normalization of the Unacceptable

On 04 June 2024, multiple hospitals in London declared a “critical incident” following a ransomware incident targeting a pathology services company called Synnovis. The incident resulted in multiple medical practices, including major hospitals, being unable to perform tasks such as blood transfusions or rapid testing of blood samples. Cascading impacts of this outage included cancelled surgeries and procedures, along with redirection of patients to other facilities. As analyzed previously, the increase in friction and time to care for Read more

By Joe, ago