• The Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) helps organizations assess and improve their threat intelligence programs by outlining 11 key areas and specific missions where CTI can support decision-making. 
• The model describes four levels of maturity, guiding teams from basic, ad hoc activities to highly strategic and refined practices through a cycle of continuous improvement. 
• CTI-CMM builds on earlier capability models and research, offering a practical framework for organizations to benchmark and evolve their CTI efforts. 

Overview 

The familiar idiom “walk before you run” summarizes a fundamental truth about skill acquisition: you must master certain foundational capabilities before you can successfully execute more complex activities. This principle applies universally, from learning a new sport to developing highly specialized technical skills. Any area will have foundational skills, activities that anyone competent in the domain can perform, and characteristics that show that an individual (or team) has reached the highest levels of mastery. 

Capability maturity models (CMMs) outline the hierarchy of skills and activities that may be required within a particular area. The capabilities and characteristics are listed for teams of different levels of maturity operating within a domain. These descriptions can be used to evaluate the current level of a team or to identify the capabilities that must be acquired in order to improve. 

Despite its importance, the exact function of cyber threat intelligence (CTI) can vary widely across organizations. The community-developed  Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) shows how threat intelligence can help an organization and the various levels of capability that cyber threat intelligence teams can achieve. 

Details 

The CTI-CMM lists 11 domains where CTI can greatly improve decision-making,  and also details specific “missions” CTI can carry out to strengthen each domain. 

The missions span a wide spectrum, from proactively monitoring an organization’s attack surface in support of asset management to providing crucial situational awareness of the evolving threat landscape and its direct relevance to organizational activities. 

The CTI-CMM also defines distinct levels of maturity for threat intelligence activities, providing a clear progression path: 

The framework espouses an improvement process analogous to the “plan, do, check, act” management model. In this case, the steps within a cycle of improvement are “prepare, assess, plan, deploy, measure.” With each rotation through the cycle, the capabilities of the threat intelligence program are incrementally improved, growing the maturity of the program. 

History of CTI-CMM 

This approach to improving capabilities and benchmarking against defined standards is not new. CMMs originated in the mid-1980s, driven by the U.S. Department of Defense’s desire to compare and evaluate software contractors. Largely thanks to the efforts of the Software Engineering Institute (SEI) at Carnegie Mellon University, CMMs evolved into the widely-applied Capability Maturity Model Integration (CMMI). 

The CTI-CMM adopts domains from the Cybersecurity Capability Maturity Model (C2M2), developed by the U.S. energy industry and first published in 2012. While the C2M2 acknowledged the importance of threat intelligence as a concept within overall cybersecurity posture, it did not specifically address the maturity of a dedicated threat intelligence program. However, the very first paper describing a maturity model for threat intelligence was published in the same year by the industry vendor Verisign. Thus, the origins of the CTI-CMM can be traced back to these two initiatives of the early 2010s. 

Closing 

It’s crucial for organizations to understand that aspiring to the highest level of CTI maturity is not always a practical goal. The intelligence program should focus on meeting the real needs of its users and stakeholders rather than seeking to hit a high score on an industry framework. An intelligence team with more resources may produce “better” intelligence and be more responsive. However, in a world of finite resources, those additional resources may be better spent in delivering “good enough” intelligence to teams that can use it well, rather than delivering the best intelligence to teams without the capacity or resources to effectively utilize the information. 

Ultimately, the Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) provides an invaluable resource for organizations to assess and evolve their CTI capabilities. As threat intelligence solidifies its role as an indispensable component of cybersecurity strategy, maturity models tools will become not only the drivers for internal organizational growth but also key instruments for external entities to benchmark and compare organizations’ overall cybersecurity maturity.

Cisco Talos Blog – ​Read More

ANY.RUN’s Threat Intelligence Feeds are designed to power SOAR, SIEM, EDR/XDR, TIP, and other security systems. Our goal is simple: to fit naturally into a customer’s security ecosystem so analysts can investigate incidents faster, improve detection quality, and spend less time on repetitive tasks. 

Now, IBM QRadar SIEM users can directly consolidate ANY.RUN’s Threat Intelligence Feeds to strengthen detection and triage capabilities — all from a single console. 

IBM Qradar and TI Feeds Connector Effects: Visible on Metrics 

IBM QRadar SIEM is a leading Security Information and Event Management solution that centralizes visibility across IT infrastructure, enables real-time threat detection through log and flow analysis, and incorporates advanced analytics like AI and user behavior monitoring.  

The integration with TI Feeds helps teams using QRadar SIEM boost their security with high-quality threat intelligence. They deliver malicious IPs, domains, URLs extracted from live sandbox analyses of the latest threats hitting 15,000+ organizations worldwide. Unlike post-incident reports that lag behind, our feeds update in real time sending active attack indicators straight to clients. 

• Expanded Threat Coverage 

Automatically correlate logs and events with the latest IOCs to spot the latest threats, reduce mean time to detect/respond (MTTD/MTTR), and lower analyst burnout. 

• Faster Response 

ANY.RUN provides more than indicators — our data includes sandbox reports that provide actionable behavioral context (IOCs, IOBs, IOAs), helping SOC teams understand how threats operate. 

• Early Threat Detection 

Identify threats earlier in the kill chain to stop and mitigate attacks before they impact business operations  

• Enhanced Team Productivity 

Automated correlation reduces manual research time, allowing analysts to focus on investigation and response rather than IOC verification and threat hunting. 

• Measurable ROI 

Faster threat detection translates directly to reduced potential damage from security incidents, while improved analyst efficiency lowers operational costs. 

API, SDK, and STIX/TAXII formats are supported to seamlessly bring the feeds into your existing architecture. No redesigning workflows, no extra costs.  

Benefits for Security Teams 

For SOC level 1-2 analysts, the IBM-ANY.RUN connection fuels: 

• Automated Threat Detection: When network logs or infrastructure data collected by QRadar match ANY.RUN’s IOCs, correlation rules automatically generate high-priority alerts. This eliminates manual IOC checking and accelerates initial triage. 

• Contextual Investigation: ANY.RUN’s approach to extracting IOCs directly from malware configurations and network traffic provides organizations with indicators that might not be detected through other means, giving analysts deeper insight into threat behavior and campaign attribution. 

• Reduced Alert Fatigue: With nearly 100% malicious indicators, analysts can trust that ANY.RUN-sourced alerts represent genuine threats requiring immediate attention, improving focus and reducing investigation overhead. 

Implementation: How to Connect TI Feeds to IBM QRadar SIEM 

The ANY.RUN TI Feeds application is available through the IBM X-Force App Exchange marketplace, ensuring compatibility and support within IBM’s security ecosystem. 

Deployment: 

• Download the ANY.RUN TI application from IBM X-Force App Exchange 

• Install within your existing QRadar SIEM environment 

• Configure correlation rules to leverage ANY.RUN IOCs 

• Begin receiving automated threat alerts based on fresh malware analysis data 

Requirements: 

• Valid ANY.RUN Threat Intelligence Feeds subscription (trial access available) 

• IBM QRadar SIEM environment with X-Force App Exchange access 

• Network connectivity for real-time feed consumption.  

Use Case Scenario: Automated Threat Detection 

Consider a typical enterprise environment where network traffic and infrastructure logs flow into IBM QRadar SIEM. When the ANY.RUN TI Feeds connection is active: 

• Data Collection: QRadar continues normal log collection from network devices, endpoints, and security tools 

• Automated Correlation: QRadar correlation rules automatically cross-reference network artifacts against ANY.RUN’s real-time IOC feeds 

• Alert Generation: When a match occurs, QRadar generates a high-priority alert with contextual information from ANY.RUN’s malware analysis 

• Analyst Investigation: SOC analysts receive alerts with pre-populated threat context, enabling immediate assessment and response 

This workflow turns reactive threat hunting into proactive threat detection, with verified threats automatically surfaced for investigation, near-zero false positives, and faster investigation and triage. 

Start Transforming Your Security Operations 

By combining QRadar’s proven correlation and alerting capabilities with ANY.RUN’s real-time, high-fidelity threat intelligence, organizations can achieve: 

• Immediate Threat Detection: Hours instead of days or weeks for emerging threat identification 

• Operational Efficiency: Reduced analyst workload through automated, high-confidence alerting 

• Strategic Security Advantage: Access to threat intelligence from a global community of security professionals 

• Seamless Connection: No disruption to existing security processes or infrastructure 

The ANY.RUN TI application is available now through the IBM X-Force App Exchange for organizations with active ANY.RUN Threat Intelligence Feeds subscriptions. 

About ANY.RUN 

ANY.RUN is trusted by more than 500,000 cybersecurity professionals and 15,000+ organizations across finance, healthcare, manufacturing, and other critical industries. Our platform helps security teams investigate threats faster and with more clarity.  

Speed up incident response with our Interactive Sandbox: analyze suspicious files in real time, observe behavior as it unfolds, and make faster, more informed decisions.  

Strengthen detection with Threat Intelligence Lookup and TI Feeds: give your team the context they need to stay ahead of today’s most advanced threats.   

Want to see it in action? Start your 14-day trial of ANY.RUN today → 

The post ANY.RYN x IBM QRadar SIEM: Real-Time Intelligence for Wider Threat Coverage  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

• Over the past two and a half years (January 2023 through June 2025), Cisco Talos Incident Response (Talos IR) has responded to numerous engagements that we classified as pre-ransomware incidents.
• Talos looked back to analyze what key security measures were credited with deterring ransomware deployment in each pre-ransomware engagement, finding that the top two factors were swift engagement with the incident response team and rapid actioning of alerts from security solutions (predominantly within two hours of the alert).
• We also classified almost two dozen observed pre-ransomware indicators in these engagements, as the top observed tactics provide insight into what malicious activity frequently preempts a more severe attack. Finally, we analyzed Talos IR’s most frequent recommendations to customers to ascertain common security gaps.
• Aggregation of this data and the follow-on analysis is intended to provide actionable guidance that can assist organizations in improving their defenses against ransomware activity. 

What characterizes an incident as “pre-ransomware?”  

Talos IR associates specific adversary actions with pre-ransomware activity. When threat actors attempt to gain enterprise-level domain administrator access, they often conduct a series of account pivots and escalations, deploy command-and-control (C2) or other remote access solutions, harvest credentials and/or deploy automation to execute the modification of the OS. Though the specific tools or elements in the attack chain vary by adversary, Talos IR has seen these same classic steps in practice for years. These actions, along with observed indicators of compromise (IOCs) or tactics, techniques and procedures (TTPs) that we associate with known ransomware threats without the end result of enterprise-wide encryption, lead us to categorize an incident as “pre-ransomware.” 

It is worth noting that some of the above attack techniques are also often deployed by initial access brokers (IABs) who seek to gain and sell access to compromised systems, and it is possible some of the incidents involved in this case study could have therefore been perpetrated by IABs instead of ransomware operators. While it is often challenging to determine a threat actor’s end goal, we have high confidence that all incidents involved tactics are consistently seen preceding ransomware deployment. If the adversary was instead an IAB, we have seen these types of IAB campaigns very frequently result in a ransomware attack after access has been sold, rendering the activity relevant to this analysis.

Key security actions and measures that deter ransomware deployment 

Talos analyzed incident response engagements spanning the past two and a half years that we categorized as pre-ransomware attacks, identifying actions and security measures that we assessed were key in halting adversaries’ attack chains before encryption. An overview of our findings can be found in Figure 1, followed by a more thorough breakdown of each category to explore exactly how certain actions impeded ransomware execution.

Swift engagement of Talos IR 

Engaging Talos IR within one to two days of first observed adversary activity (though we advise engagement as quickly as possible) was credited with preventing a more serious ransomware attack in approximately a third of engagements, providing benefits such as: 

• Extensive knowledge of the threat landscape: In multiple engagements, Talos IR was able to correlate TTPs and IOCs on customers’ networks with other ransomware and pre-ransomware engagements we had responded to, identifying when the infection was part of a larger, widespread campaign. This insight helped Talos IR anticipate and intercept adversaries’ next steps as well as provide customers additional IOCs to block that were seen in other engagements.
• Actionable recommendations for isolation and remediation: In some engagements, the customers quickly acted on Talos’ pre-ransomware security guide, which Talos IR assessed prevented more catastrophic events.
• Enhanced monitoring: The Cisco Extended Detection and Response (Cisco XDR) team can provide extra vigilance in their monitoring after containment of the pre-ransomware threat to ensure full eradication.

We observed numerous incidents where Talos IR was not engaged by the customer immediately, which enabled the adversary to continue working through their attack chain and conduct data theft and/or ransomware deployment. This often results in consequences such as backup files being corrupted or encrypted, endpoint detection and response (EDR) and other security tools being disabled, disruption to day-to-day operations and more.

EDR/MDR alert prompted security teams’ rapid containment 

Vigilant monitoring of security solutions and logs allows network administrators to act quickly when a threat is first detected, isolate the malicious activity and cut off threat actors’ ability to escalate their attack. In our case study, action from the security team within two hours of an alert from the organization’s EDR or managed detection and response (MDR) solution correlated with successful isolation of the threat in almost a third of engagements. Some of the observed alerts that prompted swift response in pre-ransomware engagements included, amongst others:

• Attempted connections to blocked domains  
• Brute force activity  
• PowerShell download cradle  
• Deviations from expected baseline activity as determined by the organization 
• Newly created domain administrator accounts  
• Successful connections to an unknown, outside public IP addresses  
• Reconnaissance activity, including shell access and user discovery commands such as whoami
• Modification of multi-factor authentication (MFA) tooling to provide bypass tokens 
• Modification of an account to be exempt from MFA requirements

USG and/or other partners notified on ransomware staging 

In almost 15 percent of engagements, targeted organizations were able to get ahead of the threat to their environment due to notification from U.S. government (USG) partners and representatives of their managed service provider (MSP) about possible ransomware staging in their environment. In particular, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has launched an initiative to provide early warnings about potential ransomware attacks, aiming to help organizations detect threats and evict actors before significant damage occurs. CISA’s intelligence predominately derives from their partnerships with the cybersecurity research community, infrastructure providers and cyber threat intelligence companies.

Security solutions configured to block and quarantine malicious activity  

In over 10 percent of Talos IR engagements, customers’ security solutions actively blocked and/or quarantined malicious executables, effectively stopping adversaries’ attack chains in their tracks.  

Talos often observes organizations deploying endpoint protection technology in a passive manner, meaning the product is producing alerts to the user but not taking other actions. This configuration puts organizations at unnecessary risk, and Talos IR has responded to multiple engagements where passive deployment enabled threat actors to execute malware, including ransomware. A more aggressive configuration impeded ransomware deployment in this case study, underscoring its importance. 

Robust security restrictions prevented access to key resources  

Based on our analysis, organizations’ robust security restrictions were key in impeding ransomware actors’ attack chains in nine percent of engagements. For example, in one engagement, the threat actors compromised a service account at the targeted organization, but appropriate privilege restrictions on the account prevented their attempts to access key systems like domain controllers.   

Also of note, organizations who implemented thorough logging and/or had a SIEM in place to aggregate event data were able to provide Talos with forensic visibility to determine the exact chain of events and where additional security measures could be implemented. When an organization lacks these records, it can be challenging to identify the precise security weaknesses that enabled threat activity.

Most observed pre-ransomware indicators 

Upon categorizing TTPs observed in this case study per the MITRE ATT&CK framework, Talos found that the following in Figure 2 were most frequently seen across engagements.

We dove deeper into some of the top attack techniques and found the following:  

• Remote Services: Talos IR frequently saw remote services such as RDP, PsExec and PowerShell leveraged by adversaries.  
• Remote Access Software: Frequently seen remote access software included AnyDesk, Atera, Microsoft Quick Assist and Splashtop.  
• OS Credential Dumping: Top observed credential dumping techniques/locations included the domain controller registry, the SAM registry hive, AD Explorer, LSASS and NTDS.DIT. Mimikatz was also frequently used. 
• Network Service Discovery: Top observed tools and commands used for network service discovery included netscan, nltest and netview.

The top observed TTPs serve as a reminder to security teams on what malicious activity often preempts a more severe attack. For example, prioritizing moderating the use of remote services and remote access software and/or securing the aforementioned credential stores could assist in limiting the majority of adversaries seen in these pre-ransomware engagements.

Observed security gaps and prevalent Talos IR recommendations 

Talos IR crafts security recommendations for customers in each incident upon analyzing the environment and the adversary’s attack chain to help address any existing security weaknesses. Our most frequent recommendations include:  

1. Bring all operating systems and software patching up to date.
2. Store backups offline.
3. Configure security solutions to permit only proven benign applications to launch and prevent the installation of unexpected software.
4. Require MFA on all critical services, including remote access and identity access management (IAM) services, and monitor for MFA misuse.
5. Deploy Sysmon for enhanced endpoint visibility and logging.
6. Implement meaningful firewall rules for both inbound and outbound traffic to block unwanted protocols from being able to be used by adversaries as part of their C2 or data exfiltration actions.
7. Implement robust network segmentation to minimize lateral movement and reduce the attack surface, ensuring valuable assets such as domain controllers do not connect directly to the internet aside from critical functions.
8. Establish or intensify end-user cybersecurity training on social engineering tactics, including coverage of recently popularized attacks such as MFA fatigue attacks and actor-in-the-middle token phishing attacks.

Cisco Talos Blog – ​Read More

The internet is now a second home for most kids and teens. Many get their first device in elementary or middle school, while modern education basically runs on technology. Cybercriminals know this, and they can trick kids into revealing personal details, send harmful links, lure them into unsafe chats, or even drain their parents’ bank accounts.

That’s why cybersecurity needs to become a part of everyday life at home. Our guide to reducing your kids’ digital footprint will give you a firm grasp of the risks, and create a safe online environment — while avoiding blanket bans or grudging grievances.

What to watch out for

First, let’s identify the digital “hot spots” where your attention as a parent matters most:

• Group chats for schools or universities on unsecured messaging apps
• Voice chats in video games
• Oversharing on social platforms
• Searching on the web and across global social networks
• Using AI tools and generating content safely
• General safe-use practices for devices and public networks

The best way to protect your kids isn’t through strict controls — it’s through honest conversation. Sure, you can block websites, introduce a phone curfew, and hover over your child every time they use Gemini. But this risks losing their trust: you could end up looking like a villain standing in the way of their freedom. Heavy-handed restrictions always invite attempts to get around them. It’s far better to build understanding, and explaining why the rules exist in the first place.

Here are some practical steps to help your child stay out of trouble and keep their digital footprint under control.

Watch what you post

For Gen Z and Gen Alpha, sharing life online is second nature. But oversharing — being too open online — often opens the door to hacking and even offline risks.

Remind your child never to share their last name, date of birth, school name, or city when signing up for services. Explain the risk: attackers could use that data to find them and build false trust — for example, greeting them by name and posing as a classmate’s relative.

Turn off geolocation in posts and stories by default. If a post needs a location, only publish it after your child has left that place.

Also be careful with places your child visits regularly, and avoid sharing travel plans. The “gold standard” is to teach your child to remove geotags from photos they upload. Why this matters — and how to do it — we covered in our post Metadata: Uncovering what’s hidden inside.

Another taboo is sharing personal info — and in some cases even school uniforms. If the school has a distinctive look, photos or videos of clothing (whether sports or regular) can still give away too much.

Reinforce the first rule of the internet: what goes online, stays online. Everything they post can have consequences — from damaged reputations to data in scammers’ hands. If your child simply wants to share their experiences, suggest starting a blog. We cover how to do this safely here: How to help your kid become a blogger without ever worrying about their safety.

Be careful with the links you click

You probably know what phishing is — but your child may not. Explain that any links they get sent need scanning by a reliable anti-phishing tool for smartphones and computers.

Too-good-to-be-true offers, surprise prizes, and other “incredible deals” should always raise suspicion — and be shown to you before following the link. We’ve covered phishing schemes in detail, for example, in our post How scammers attack young gamers; use the examples there to show your child what can happen if links aren’t checked.

Be careful with who you play with online

Caught up in a multiplayer game with voice chat, teens may let their tongues run wild. The gaming world has become a prime space for grooming — when adults build trust with teens for harmful purposes. So set a clear boundary with your child: voice chat should stick to gameplay only. If someone tries to steer things into personal topics, it’s safer to end the conversation — and if they persist, block them.

Avoid public Wi-Fi

Explain that using public Wi-Fi networks is inherently unsafe: attackers can easily intercept logins, passwords, messages, and other sensitive data. Whenever possible, it’s best to stick to mobile data. If connecting to unsecured Wi-Fi is the only way to stay online, protect the connection with a trusted VPN service. That way your child’s data won’t leak.

Watch what you download

Android smartphones are tempting targets for scammers of all stripes. Although malicious apps exist for iPhones too, it’s still easier to sneak onto Android. Teach your child that malicious files can take many forms. They may arrive through messengers or email disguised as photos or documents — even forwarded “homework assignments” — and can also hide behind links in their favorite Discord channels. By default, all attachments should be treated with caution and scanned automatically with a reliable antivirus.

Use AI wisely — and think for yourself

Unsupervised chatbot use isn’t just an ethical or psychological issue — it’s a security risk. Recently, Google indexed tens of thousands of ChatGPT conversations, making them accessible internet-wide.

Explain to your child not to treat AI as a best friend for pouring out their soul. AI tools often collect large amounts of personal data — everything your child types, asks, or uploads in the chat. Make it clear they also shouldn’t share real names, school information, photos, or private details with AI.

And emphasize that chatbots are tools and helpers — not “wizards” that can think for them. Explain that AI can’t think, so any “facts” offered must be double-checked.

Help with content filters and parental controls

Start by enabling parental controls on all devices your child uses: smartphones, tablets, computers — even smart TVs. Most operating systems offer built-in features to block explicit websites, restrict certain apps, and filter search results.

On streaming platforms, enable “Restricted” or “Kids” mode to prevent access to adult content. For more fine-tuned control, your best option is Kaspersky Safe Kids, which filters content in real time, allows you to set screen-time limits, and monitors installed apps. It detects and blocks unwanted content that standard filters might miss — especially in browsers — and even shows your child’s physical location and phone battery level.

Watch and discuss together

The most effective filter isn’t a program — it’s you. Make time to watch shows, surf the web, and play games together with your child. This will help you understand what’s going on in their life and create a space to discuss values, feelings, and real-life situations.

To further minimize your child’s digital footprint and reduce the risks of cyberattacks and cyberbullying, use:

• Unique passwords and a handy tool to manage them.
• A digital ecosystem to protect your entire family built on Kaspersky Premium.
• A full-featured parental control suite — Kaspersky Safe Kids. Speaking of which, a free one-year subscription to Kaspersky Safe Kids is included with Kaspersky Premium.

For more advice on keeping your kids safe online, explore our Digital Schoolbag: A Parent’s Guide for the School Year.

Further reading on threats targeting children and teens online:

• The Phantom Menace: how gamers of different ages are being attacked
• Back to School Security Tips
• Back-to-school threats: social networking
• How to help your kid become a blogger without ever worrying about their safety
• Do Apple’s new child safety initiatives do the job?

Kaspersky official blog – ​Read More