JP Moco

Mapping Adversary Infrastructure with Passive DNS and Certificate Transparency

Tue, 18 Feb 2025 00:00:00 +0000

One domain. That’s often all you start with. A single indicator pulled from a phishing email, a SIEM alert, or a malware sandbox report. The question is: what can you build from it?

This post covers my methodology for expanding a single IOC into a full infrastructure map using passive DNS and certificate transparency logs — both freely available.

Why Infrastructure Mapping Matters

Hunting on individual IOCs is a losing game. By the time an IP or domain appears in a threat feed, the actor has likely rotated it. Infrastructure mapping lets you:

APT Attribution: How We Identify Threat Actors Without Being Wrong

Fri, 10 Jan 2025 00:00:00 +0000

TLP:AMBER This post is part of the CTI Methodology series.

Attribution is one of the most misunderstood concepts in cyber threat intelligence. Every breach triggers the same question: who did this? And yet, jumping to attribution without rigorous methodology is how analysts get burned — and how organizations make bad strategic decisions.

This post walks through the framework I use to build confident, defensible attribution assessments.

Why Attribution Is Hard

The fundamental problem is asymmetry. Defenders need to be right. Attackers only need to be plausible. A sophisticated actor can:

About

Mon, 01 Jan 0001 00:00:00 +0000

As a Cyber Threat Intelligence Analyst, I dedicate my operations to the proactive identification and in-depth analysis of cyber threats. My approach combines advanced OSINT techniques with malware behavioral analysis to anticipate adversary TTPs before they materialize into incidents.

“In the digital age, intelligence is not just about collecting data — it’s about understanding the adversary.”

I don’t just report on threats; I contextualize them. By understanding the who, why, and how, I enable organizations to move from reactive defense to proactive security posture.

Search

Mon, 01 Jan 0001 00:00:00 +0000