Skill UI

A comprehensive, step-by-step guide for security professionals to perform deep-dive malware analysis. It covers methodologies for static analysis (disassemblers, imports), dynamic execution (sandboxing, monitoring), identifying Indicators of Compromise (IOCs), and structuring professional threat reports. Essential for incident response and threat intelligence.

This skill analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework. It identifies which attack phases an adversary has completed, points where defenses failed or succeeded, and recommends controls to disrupt the attack at earlier stages. It is essential for post-incident analysis, threat intelligence reporting, and designing robust defense-in-depth strategies.

A comprehensive system for systematically collecting, categorizing, and enriching Indicators of Compromise (IOCs) from various sources (network logs, memory dumps, email, etc.). It supports the entire incident response lifecycle, ensuring structured data representation using STIX/TAXII formats for robust threat intelligence sharing and defensive system automation.

This skill provides comprehensive methods for collecting and synthesizing Open-Source Intelligence (OSINT) regarding threat actors, malicious infrastructure, and attack campaigns. It utilizes public data sources, passive reconnaissance tools (like WHOIS, Certificate Transparency), and specialized platforms (Maltego, Shodan, SpiderFoot) to map adversary context and perform pre-engagement intelligence gathering for authorized red team assessments. Emphasis is placed on passive collection techniques to ensure legality and operational security.

A comprehensive skill for detecting early-stage ransomware indicators before data encryption occurs. It utilizes advanced network detection tools such as Zeek and Suricata, combined with SIEM correlation rules and threat intelligence feeds. This method monitors the entire pre-encryption kill chain, identifying precursor behaviors like initial access broker activity, Cobalt Strike C2 beaconing, credential harvesting (e.g., Mimikatz signatures), and data staging attempts, enabling timely incident response and containment.

This skill guides the comprehensive evaluation and selection of Threat Intelligence Platforms (TIPs). It assesses vendor capabilities, including STIX/TAXII support, workflow automation, SIEM/SOAR integration, and total cost of ownership. It is essential for procurement decisions, migrating between TIP solutions, or assessing whether the current CTI program meets required maturity levels.

This skill provides a comprehensive workflow to extract Indicators of Compromise (IOCs) from malware samples and analysis reports. It covers file hashes (SHA256, MD5), network artifacts (IPs, domains, URLs from strings and PCAPs), and host-based indicators (registry keys, file paths, mutexes) from sandbox reports. It is essential for threat intelligence sharing, building blocklists, and creating detection signatures (YARA, Snort).

A comprehensive guide for deploying and managing network deception systems using industry-leading honeypot platforms like OpenCanary, T-Pot, and Cowrie. This skill helps security professionals detect unauthorized access attempts, trace lateral movement, and gather critical threat intelligence by simulating vulnerable services within a controlled environment. Ideal for enhancing network security architecture and creating early warning indicators for intrusions.

A comprehensive guide to deploying and configuring Proofpoint Email Protection as a Secure Email Gateway (SEG). This solution establishes a critical security checkpoint that uses advanced ML, sandboxing, and threat intelligence to detect and block sophisticated threats, including phishing, malware, BEC, and spam, before they reach the user inbox. Ideal for organizations strengthening their email security architecture and meeting compliance standards.

This skill guides the deployment and configuration of a TAXII 2.1 server using OpenTAXII. It enables automated, standardized exchange of STIX-formatted cyber threat intelligence (CTI) indicators between organizations. Use cases include establishing secure threat sharing pipelines, integrating with SIEM/SOAR platforms, and meeting stringent compliance requirements.

This guide details how to implement NextDNS as a zero-trust DNS filtering layer. By utilizing encrypted resolution (DoH/DoT) and real-time threat intelligence, it blocks malicious domains, prevents data exfiltration, filters ads/trackers, and enforces granular security policies across all endpoints, aligning with Zero Trust principles and enhancing overall network security.

This guide provides a systematic, step-by-step workflow for Security Operations Center (SOC) analysts to perform alert triage using Elastic Security SIEM. It covers initial alert assessment, context gathering using advanced ES|QL queries, threat intelligence enrichment, and final classification decisions (True Positive, False Positive, etc.) to rapidly determine genuine security threats and prioritize incident response actions.