New on the FIRST blog: Jonathan Andersen, CEO and Co-Founder of Webscout and #FIRSTCTI26 speaker, on why residential proxy networks have become one of the internet's most consequential threat enablers, and why no single organization can see the full picture.

When Kimwolf emerged in late 2025, it infected 2 million+ devices, mostly off-brand Android TV boxes sold openly on retail platforms with proxy SDKs already installed at the factory.

The supply chain had done the work for the operators.

The structural problem isn't the botnet. It's the residential proxy layer itself, embedded across critical networks before most defenders were looking for it.

๐Ÿ  Residential proxies route traffic through real ISP-assigned IPs. Reputation and geolocation defenses largely fail.
๐Ÿ“ฆ SDK-based provisioning embeds proxy code in free apps. Users consent in EULA fine print. ๐Ÿญ Hardware supply chain compromise pre-loads devices before they ever reach a buyer.
โšกActive exploitation, like Kimwolf, turns proxy endpoints into footholds inside local networks.

What the data shows:

๐Ÿ” Infoblox: nearly 1 in 4 enterprise customers had at least one device querying Kimwolf-related domains.
๐Ÿ›๏ธ Spur: proxy endpoints inside ~300 government networks, 318 utilities, 166 healthcare orgs, and 141 banks.
๐ŸŒ Google GTIG: 550+ distinct threat groups using IPIDEA exit nodes in a single 7-day period in January 2026, including actors linked to China, North Korea, Iran, and Russia.

Jonathan highlights that countering these networks requires telemetry, forensics, and intelligence no single organization has alone. Webscout is building a vetted trust group for researchers and seeking ISP partners willing to host research nodes.

Inter-AS coordination challenges like these also sit squarely within the focus areas of FIRST's NETSEC SIG, which convenes network operators and researchers around exactly this kind of work.

📖 Read more: https://go.first.org/mfx3c

#CTI #cybersecurity #infosec

The Infrastructure Nobody Owns: (Residential) Proxy Networks and the Case for Collective Visibility

FIRST — Forum of Incident Response and Security Teams
If you missed my #FIRSTCTI26 presentation on evaluating #CTI & threat intel at speed, a related blog is now available for review of the same concepts and argument:
https://www.dataminr.com/resources/blog/orienting-intelligence-for-real-time-alerting-response/
Orienting Intelligence for Real-Time Alerting & Response - Dataminr

Intelligence, particularly CTI, struggles with the trade-off between rapid alerting (timeliness) and context/detail (accuracy). Actionable intelligence needs both. AI offers a path to overcome this by augmenting enrichment and analysis for quicker, contextualized real-time threat response.

Dataminr

Cool to meet some Mastodon peeps on #FirstCTI26

For everyone who couldn't attend, those were my main learnings:

  • automate everything, clicking and context switches cost time: e.g. a cool idea was the MISP browser extension for Firefox

  • feedback loop everything: for example, you can feed that "benign/false positive/true positive" button from your SOC back into your CTI. Simple & effective

  • show the value of your tech to management: e.g. how many attacks have you prevented? How big were the costs for that incident in other companies?

  • random characters (and a legitimate looking link) in a CTI pdf might be an attack on your AI => check out CTI poisoning attacks

#CTI #threatintel #threatintelligence #lessonslearned

🎉 #FIRSTCTI26 is officially a wrap, and it's the people who made it. Three days of workshops, plenary sessions, and hands-on training across the CTI landscape in Munich, Germany.

Sessions were led by practitioners and researchers from Google, AWS, the European Commission CSOC, ENISA, CIRCL, CERT-In, Intel 471, BlackRock, Deloitte, NTT DATA, Expel, and dozens more.

Highlights:
✅ From Signal to Action was the dominant theme — practitioners tackled the gap between data and defensive action, building CTI pipelines under resource constraints and automating enrichment to cut through noise
✅ AI took center stage as a double-edged force — sessions explored how LLMs and RAG architectures can multiply analyst capacity, while also confronting poisoned OSINT, compromised pipelines, and adversarial manipulation of AI-assisted analysis
✅ New capabilities and partnerships were announced: Silobreaker unveiled agentic AI to speed up analyst research; CTM360 launched its AI-powered external CTEM platform; and Venation announced a partnership with UK-based POKKIT to deliver plain-English and Dutch cyber resilience guidance to smaller EMEA organizations

TLP:CLEAR sessions were live-streamed and are available now on FIRST's YouTube Channel.

A huge thank you to everyone who attended, presented, sponsored, and supported this event.

See you at the next one!

📖 Read more: https://go.first.org/zqJyk

#CyberDefense #cybersecurity #infosec

FIRST Concludes Sold-Out 2026 Cyber Threat Intelligence Conference in Munich

Global practitioners gathered to advance AI-driven CTI, detection engineering, and threat intelligence standards


One of the best slides of #FIRSTCTI26

Restricting access to intel actually does help criminal operations, because they can use their TTPs longer and on a bigger scale without needing to change.

Share wide, share fast, share often.
#CTI / #threatintel

Servus from #FIRSTCTI26! 🥨
Day 2 is live with top-notch Cyber Threat Intelligence. Our #TLPCLEAR sessions are streamed on YouTube - no Lederhosen required 😉
👉 https://www.youtube.com/watch?v=DMAqEP2Kqgs
#CTI #InfoSec

2026 FIRST CTI Conference - Day 2 Plenary Sessions - Live Stream
Day 3 begins with gratitude for this community and the work happening here in Munich. One more day of insights, connection, and shared purpose. 🤝 #FIRSTCTI26 #cyberthreatintelligence #threatintel 🔗 https://go.first.org/1OpsO
2026 Cyber Threat Intelligence Conference | #FIRSTCTI26

I'm at #FIRSTCTI26, say hi if you'd like to.
Guten Morgen from Munich! ☕
#FIRSTCTI26 is LIVE and #CyberThreatIntelligence is flowing!
🔥💥 Jump into the TLP:CLEAR sessions streaming right now on YouTube:
👉 https://www.youtube.com/watch?v=-9GbyvoktXc
Prost to great CTI! 🍻
#FIRSTCTI26 #CyberThreatIntelligence #CTI #Infosec #Munich
2026 FIRST CTI Conference - Day 1 Plenary Sessions - Live Stream