The Art of Pivoting - How You Can Discover More from Adversaries with Existing Information
Mar 23, 2025 • Alexandre Dulaunoy
Pivoting in Threat Intelligence: AIL and MISP Insights
At the FIRST CTI Conference 2025 in Berlin, we presented our recent work on practical pivoting strategies in threat intelligence, based on experiments with the AIL and MISP platforms.
The talk explores how less conventional indicators—such as cookie names, QR codes, HTTP headers (HHHash), DOM structure, and even reused Google Analytics IDs—can uncover surprising links between threat actor infrastructure and behavior.
We also shared observations from real-world crawling and analysis using AIL, including:
- How “weak” indicators can become valuable through composite correlation
- Unexpected reuse of metadata in Tor services and social networks
- Ways in which AIL can support more creative pivoting workflows
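To make the composite-correlation point concrete, here is an added example (written for this post, not code from AIL or MISP) that extracts several weak indicators from a handful of constructed crawl records and links two hosts only when the combined evidence passes a threshold. The header fingerprint follows the HHHash scheme as published (SHA-256 over the ordered response header names joined by ':', prefixed `hhh:1:`); the DOM hash is a simplified stand-in for a real dom-hash, and the hosts, header orders, cookie names, analytics IDs, HTML and weights are all made up for the example.

```python
import hashlib
import re
from itertools import combinations

# Constructed crawl records standing in for what a crawler stores per page.
# Every host, header order, cookie, analytics id and HTML body here is invented.
CRAWLS = [
    {
        "url": "http://shopaaaa.example.onion/",
        "headers": ["Server", "Date", "Content-Type", "Set-Cookie", "X-Powered-By"],
        "set_cookie": ["PHPSESSID=1a2b3c; path=/", "panel_theme=dark; path=/"],
        "html": "<html><head><title>A</title><script>ga('create','UA-123456-1');</script></head>"
                "<body><div><h1>Shop</h1><p>hi</p></div></body></html>",
    },
    {
        "url": "http://shopbbbb.example.onion/",
        "headers": ["Server", "Date", "Content-Type", "Set-Cookie", "X-Powered-By"],
        "set_cookie": ["PHPSESSID=9f8e7d; path=/", "panel_theme=light; path=/"],
        "html": "<html><head><title>B</title><script>ga('create','UA-123456-1');</script></head>"
                "<body><div><h1>Market</h1><ul><li>x</li></ul></div></body></html>",
    },
    {
        "url": "http://unrelated.example.onion/",
        "headers": ["Server", "Date", "Content-Type", "Set-Cookie", "X-Powered-By"],
        "set_cookie": ["sid=abc; path=/"],
        "html": "<html><head><title>C</title><script>ga('create','UA-999999-2');</script></head>"
                "<body><p>blog</p></body></html>",
    },
]

# Assumed weights: a shared header-order hash alone usually just means the same web
# stack, while a shared analytics id is a much stronger sign of a common operator.
WEIGHTS = {"hhhash": 1, "cookie": 1, "dom": 2, "ga": 3}

TAG_RE = re.compile(r"<([a-zA-Z][a-zA-Z0-9]*)")
GA_RE = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")


def hhhash(header_names):
    """HHHash-style fingerprint: SHA-256 over the response header names, in the order
    the server sent them, joined by ':' (header values are deliberately ignored)."""
    digest = hashlib.sha256(":".join(header_names).encode()).hexdigest()
    return "hhh:1:" + digest


def dom_structure_hash(html):
    """Simplified stand-in for a DOM-structure hash: SHA-256 over the sequence of
    opening tag names. This is NOT AIL's dom-hash algorithm, just the same idea."""
    tags = [t.lower() for t in TAG_RE.findall(html)]
    return hashlib.sha256("|".join(tags).encode()).hexdigest()


def cookie_names(set_cookie_values):
    """Cookie names only: the values are per-session, the names reveal the software."""
    names = set()
    for value in set_cookie_values:
        first = value.split(";", 1)[0]
        if "=" in first:
            names.add(first.split("=", 1)[0].strip())
    return names


def analytics_ids(html):
    """Google Analytics style ids found anywhere in the page source."""
    return set(GA_RE.findall(html))


def extract_indicators(record):
    """Flatten one crawl record into a set of (indicator_type, value) tuples."""
    indicators = {("hhhash", hhhash(record["headers"])),
                  ("dom", dom_structure_hash(record["html"]))}
    indicators |= {("cookie", n) for n in cookie_names(record["set_cookie"])}
    indicators |= {("ga", g) for g in analytics_ids(record["html"])}
    return indicators


def correlate(records, min_score=2):
    """Link every pair of hosts whose shared indicators reach min_score.
    Returns {(url_a, url_b): {"score": int, "shared": [(type, value), ...]}}."""
    fingerprints = {r["url"]: extract_indicators(r) for r in records}
    links = {}
    for a, b in combinations(sorted(fingerprints), 2):
        shared = sorted(fingerprints[a] & fingerprints[b])
        score = sum(WEIGHTS[kind] for kind, _ in shared)
        if score >= min_score:
            links[(a, b)] = {"score": score, "shared": shared}
    return links


if __name__ == "__main__":
    for (a, b), info in correlate(CRAWLS).items():
        print(f"{a} <-> {b} score={info['score']}")
        for kind, value in info["shared"]:
            print(f"    shared {kind}: {value}")
```

With the threshold at 2, only the two shop hosts are linked (same header order, same cookie names, same analytics id); the unrelated host shares nothing but the header-order hash with them, which on its own is below the threshold. Lowering `min_score` to 1 links all three, which is exactly the false-positive behaviour a single weak indicator produces.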
Thanks to everyone who attended and shared feedback!
Funding
This work is co-funded by CIRCL and by the ECCC under the FETTA (Federated European Team for Threat Analysis) project, which aims to address this issue by creating a federated team that spans borders, providing Cyber Threat Intelligence (CTI) products and tooling.