{"id":231622,"date":"2026-03-26T12:48:45","date_gmt":"2026-03-26T12:48:45","guid":{"rendered":"https:\/\/www.intrinsec.com\/?p=231622"},"modified":"2026-04-03T10:30:43","modified_gmt":"2026-04-03T10:30:43","slug":"rewinding-the-breach-a-csirt-cti-investigation","status":"publish","type":"post","link":"https:\/\/www.intrinsec.com\/en\/rewinding-the-breach-a-csirt-cti-investigation\/","title":{"rendered":"Rewinding the Breach: a CSIRT-CTI-Investigation"},"content":{"rendered":"<div data-elementor-type=\"wp-post\" data-elementor-id=\"231622\" class=\"elementor elementor-231622\" data-elementor-settings=\"{&quot;element_pack_global_tooltip_width&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;element_pack_global_tooltip_width_tablet&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;element_pack_global_tooltip_width_mobile&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;element_pack_global_tooltip_padding&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;top&quot;:&quot;&quot;,&quot;right&quot;:&quot;&quot;,&quot;bottom&quot;:&quot;&quot;,&quot;left&quot;:&quot;&quot;,&quot;isLinked&quot;:true},&quot;element_pack_global_tooltip_padding_tablet&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;top&quot;:&quot;&quot;,&quot;right&quot;:&quot;&quot;,&quot;bottom&quot;:&quot;&quot;,&quot;left&quot;:&quot;&quot;,&quot;isLinked&quot;:true},&quot;element_pack_global_tooltip_padding_mobile&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;top&quot;:&quot;&quot;,&quot;right&quot;:&quot;&quot;,&quot;bottom&quot;:&quot;&quot;,&quot;left&quot;:&quot;&quot;,&quot;isLinked&quot;:true},&quot;element_pack_global_tooltip_border_radius&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;top&quot;:&quot;&quot;,&quot;right&quot;:&quot;&quot;,&quot;bottom&quot;:&quot;&quot;,&quot;left&quot;:&quot;&quot;,&quot;isLinked&quot;:true},&quot;element_pack_global_tooltip_border_ra
dius_tablet&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;top&quot;:&quot;&quot;,&quot;right&quot;:&quot;&quot;,&quot;bottom&quot;:&quot;&quot;,&quot;left&quot;:&quot;&quot;,&quot;isLinked&quot;:true},&quot;element_pack_global_tooltip_border_radius_mobile&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;top&quot;:&quot;&quot;,&quot;right&quot;:&quot;&quot;,&quot;bottom&quot;:&quot;&quot;,&quot;left&quot;:&quot;&quot;,&quot;isLinked&quot;:true}}\" data-elementor-post-type=\"post\">\n\t\t\t\t<div class=\"elementor-element elementor-element-6763938e e-flex e-con-boxed e-con e-parent\" data-id=\"6763938e\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-4433eb19 elementor-widget elementor-widget-text-editor\" data-id=\"4433eb19\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h4>Key findings<\/h4><ul><li>The 12-month intrusion involved at least three distinct activity clusters operating sequentially on the same access:<ul><li>An Initial Access Broker (IAB)<\/li><li>An intermediate operator (TA-2)<\/li><li>A final actor preparing ransomware deployment<\/li><\/ul><\/li><li>Initial access was obtained via credentials stolen from a personal workstation infected with pirated software carrying infostealer malware and sold via Telegram marketplaces.<\/li><li>TA-2 reused the access to conduct reconnaissance, privilege escalation, and credential harvesting using common open-source tools.<\/li><li>Despite achieving sufficient access, TA-2 paused activity for over one month, suggesting access staging or resale rather than immediate ransomware deployment.<\/li><li>The final actor reused the same infrastructure, employed modified TTPs, and nearly deployed ransomware, including MFA bypass via a compromised VPN account.<\/li><li>Infrastructure analysis revealed 
extensive use of anonymization infrastructures:<ul><li>Strong Indicators of Criminal-Focused VPN<br \/>First VPN Service, which exhibits multiple hallmarks inconsistent with legitimate VPN providers and fuels major ransomware operations.<\/li><li>Bulletproof Hosters (BPH) infrastructures linked, on the one hand, to Alviva Holding Limited and Flyservers SA and, on the other hand, to Cheapy Host. These infrastructures are associated with activity attributed to the IAB ShadowSyndicate, which we have already analyzed, as well as to the new front of the rogue provider CrazyRDP.<\/li><\/ul><\/li><\/ul><h4>Intrinsec&#039;s CTI services<\/h4><p>Organizations are facing a rise in the sophistication of threat actors and intrusion sets. To address these evolving threats, it is now necessary to take a proactive approach in the detection and analysis of any element deemed malicious. Such a hands-on approach allows companies to anticipate, or at least react as quickly as possible to, the compromises they face.<\/p><p>For this report, shared with our clients in January 2025, Intrinsec relied on its Cyber Threat Intelligence service, which provides its customers with high value-added, contextualized and actionable intelligence to understand and contain cyber threats. 
Our CTI team consolidates data &amp; information gathered from our security monitoring services (SOC, MDR, etc.), our incident response team (CERT-Intrinsec) and custom cyber intelligence generated by our analysts using custom heuristics, honeypots, hunting, reverse-engineering &amp; pivots.<\/p><p>Intrinsec also offers various services around Cyber Threat Intelligence:<\/p><ul><li>Risk anticipation: which can be leveraged to continuously adapt the detection &amp; response capabilities of our clients&#039; existing tools (EDR, XDR, SIEM, \u2026) through:<ul><li><ul><li><strong>an operational feed of IOCs based on our exclusive activities.<\/strong><\/li><li><strong>threat intel notes &amp; reports, TIP-compliant.<\/strong><\/li><\/ul><\/li><\/ul><\/li><li>Digital risk monitoring:<ul><li><ul><li><strong>data leak detection &amp; remediation<\/strong><\/li><li><strong>external asset security monitoring (EASM)<\/strong><\/li><li><strong>brand protection<\/strong><\/li><\/ul><\/li><\/ul><\/li><\/ul><p>For more information, go to <a href=\"http:\/\/www.intrinsec.com\/en\/cyber-threat-intelligence\/\">intrinsec.com\/en\/cyber-threat-intelligence\/<\/a>.<\/p><p>Follow us on <a href=\"https:\/\/www.linkedin.com\/company\/intrinsec\/\">LinkedIn<\/a> and <a href=\"https:\/\/twitter.com\/Intrinsec\">X<\/a><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-274d41bd elementor-widget elementor-widget-button\" data-id=\"274d41bd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-sm\" href=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2026\/03\/TLP-CLEAR-20260324-Rewinding-the-Breach_CSIRT-CTI-Investigation_EN.pdf\">\n\t\t\t\t\t\t<span 
class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Download the full report content<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>","protected":false},"excerpt":{"rendered":"<p>Key findings The 12-month intrusion involved at least three distinct activity clusters operating sequentially on [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":231627,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,9,11],"tags":[],"class_list":["post-231622","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cert","category-cyber-threat-intelligence","category-threat-intelligence-report"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.9 (Yoast SEO v27.9) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Rewinding the Breach: a CSIRT-CTI-Investigation - INTRINSEC<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.intrinsec.com\/en\/rewinding-the-breach-a-csirt-cti-investigation\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Rewinding the Breach: a CSIRT-CTI-Investigation\" \/>\n<meta property=\"og:description\" content=\"Key findings The 12-month intrusion involved at least three distinct activity clusters operating sequentially on [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.intrinsec.com\/en\/rewinding-the-breach-a-csirt-cti-investigation\/\" \/>\n<meta property=\"og:site_name\" content=\"INTRINSEC\" \/>\n<meta property=\"article:published_time\" content=\"2026-03-26T12:48:45+00:00\" 
\/>\n<meta property=\"article:modified_time\" content=\"2026-04-03T10:30:43+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2026\/03\/TLP-CLEAR-Rewinding-the-Breach-a-CSIRT-CTI-Investigation.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1120\" \/>\n\t<meta property=\"og:image:height\" content=\"1123\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Intrinsec\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@Intrinsec\" \/>\n<meta name=\"twitter:site\" content=\"@Intrinsec\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Intrinsec\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/rewinding-the-breach-a-csirt-cti-investigation\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/rewinding-the-breach-a-csirt-cti-investigation\\\/\"},\"author\":{\"name\":\"Intrinsec\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/ade590fbc7ad6f413727bae7cd3fb799\"},\"headline\":\"Rewinding the Breach: a 
CSIRT-CTI-Investigation\",\"datePublished\":\"2026-03-26T12:48:45+00:00\",\"dateModified\":\"2026-04-03T10:30:43+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/rewinding-the-breach-a-csirt-cti-investigation\\\/\"},\"wordCount\":415,\"publisher\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/rewinding-the-breach-a-csirt-cti-investigation\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/TLP-CLEAR-Rewinding-the-Breach-a-CSIRT-CTI-Investigation.png\",\"articleSection\":[\"CERT\",\"Cyber Threat Intelligence\",\"Threat Intelligence Report\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/rewinding-the-breach-a-csirt-cti-investigation\\\/\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/rewinding-the-breach-a-csirt-cti-investigation\\\/\",\"name\":\"Rewinding the Breach: a CSIRT-CTI-Investigation - 
INTRINSEC\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/rewinding-the-breach-a-csirt-cti-investigation\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/rewinding-the-breach-a-csirt-cti-investigation\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/TLP-CLEAR-Rewinding-the-Breach-a-CSIRT-CTI-Investigation.png\",\"datePublished\":\"2026-03-26T12:48:45+00:00\",\"dateModified\":\"2026-04-03T10:30:43+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/rewinding-the-breach-a-csirt-cti-investigation\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/rewinding-the-breach-a-csirt-cti-investigation\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/rewinding-the-breach-a-csirt-cti-investigation\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/TLP-CLEAR-Rewinding-the-Breach-a-CSIRT-CTI-Investigation.png\",\"contentUrl\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/TLP-CLEAR-Rewinding-the-Breach-a-CSIRT-CTI-Investigation.png\",\"width\":1120,\"height\":1123},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/rewinding-the-breach-a-csirt-cti-investigation\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\\\/\\\/www.intrinsec.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Rewinding the Breach: a CSIRT-CTI-Investigation\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/\",\"name\":\"INTRINSEC\",\"description\":\"Notre m\u00e9tier , 
Prot\u00e9ger le v\u00f4tre\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.intrinsec.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#organization\",\"name\":\"INTRINSEC\",\"alternateName\":\"ISEC\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2025\\\/02\\\/libellule.png\",\"contentUrl\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2025\\\/02\\\/libellule.png\",\"width\":1322,\"height\":1322,\"caption\":\"INTRINSEC\"},\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/Intrinsec\",\"https:\\\/\\\/fr.linkedin.com\\\/company\\\/intrinsec\",\"https:\\\/\\\/www.youtube.com\\\/channel\\\/UC0trUZAHNZOUbxYnNdecM4A\"],\"description\":\"soci\u00e9t\u00e9 de consulting, pure player cybers\u00e9curit\u00e9 fran\u00e7ais et europ\u00e9en depuis plus de 30ans, sp\u00e9cialiste dans la s\u00e9curit\u00e9 offensive & audit (pentest\\\/red team), GRC, et services IMSS comme le SOC, CTI et CERT Intrinsec est qualifi\u00e9 PASSI Elev\u00e9, PRIS Elev\u00e9 et PACS par 
l'ANSSI\",\"email\":\"contact@intrinsec.com\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/ade590fbc7ad6f413727bae7cd3fb799\",\"name\":\"Intrinsec\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/fde6ed961c7078765b03a213927b5c4001b1cef4787255188f5b502a99e6ddd6?s=96&d=retro&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/fde6ed961c7078765b03a213927b5c4001b1cef4787255188f5b502a99e6ddd6?s=96&d=retro&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/fde6ed961c7078765b03a213927b5c4001b1cef4787255188f5b502a99e6ddd6?s=96&d=retro&r=g\",\"caption\":\"Intrinsec\"},\"sameAs\":[\"https:\\\/\\\/www.intrinsec.com\"],\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/author\\\/ufhtbqccsz\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Rewinding the Breach: a CSIRT-CTI-Investigation - INTRINSEC","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.intrinsec.com\/en\/rewinding-the-breach-a-csirt-cti-investigation\/","og_locale":"en_US","og_type":"article","og_title":"Rewinding the Breach: a CSIRT-CTI-Investigation","og_description":"Key findings The 12-month intrusion involved at least three distinct activity clusters operating sequentially on 
[&hellip;]","og_url":"https:\/\/www.intrinsec.com\/en\/rewinding-the-breach-a-csirt-cti-investigation\/","og_site_name":"INTRINSEC","article_published_time":"2026-03-26T12:48:45+00:00","article_modified_time":"2026-04-03T10:30:43+00:00","og_image":[{"width":1120,"height":1123,"url":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2026\/03\/TLP-CLEAR-Rewinding-the-Breach-a-CSIRT-CTI-Investigation.png","type":"image\/png"}],"author":"Intrinsec","twitter_card":"summary_large_image","twitter_creator":"@Intrinsec","twitter_site":"@Intrinsec","twitter_misc":{"Written by":"Intrinsec","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.intrinsec.com\/en\/rewinding-the-breach-a-csirt-cti-investigation\/#article","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/en\/rewinding-the-breach-a-csirt-cti-investigation\/"},"author":{"name":"Intrinsec","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/ade590fbc7ad6f413727bae7cd3fb799"},"headline":"Rewinding the Breach: a CSIRT-CTI-Investigation","datePublished":"2026-03-26T12:48:45+00:00","dateModified":"2026-04-03T10:30:43+00:00","mainEntityOfPage":{"@id":"https:\/\/www.intrinsec.com\/en\/rewinding-the-breach-a-csirt-cti-investigation\/"},"wordCount":415,"publisher":{"@id":"https:\/\/www.intrinsec.com\/#organization"},"image":{"@id":"https:\/\/www.intrinsec.com\/en\/rewinding-the-breach-a-csirt-cti-investigation\/#primaryimage"},"thumbnailUrl":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2026\/03\/TLP-CLEAR-Rewinding-the-Breach-a-CSIRT-CTI-Investigation.png","articleSection":["CERT","Cyber Threat Intelligence","Threat Intelligence Report"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.intrinsec.com\/en\/rewinding-the-breach-a-csirt-cti-investigation\/","url":"https:\/\/www.intrinsec.com\/en\/rewinding-the-breach-a-csirt-cti-investigation\/","name":"Rewinding the Breach: a CSIRT-CTI-Investigation - 
INTRINSEC","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.intrinsec.com\/en\/rewinding-the-breach-a-csirt-cti-investigation\/#primaryimage"},"image":{"@id":"https:\/\/www.intrinsec.com\/en\/rewinding-the-breach-a-csirt-cti-investigation\/#primaryimage"},"thumbnailUrl":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2026\/03\/TLP-CLEAR-Rewinding-the-Breach-a-CSIRT-CTI-Investigation.png","datePublished":"2026-03-26T12:48:45+00:00","dateModified":"2026-04-03T10:30:43+00:00","breadcrumb":{"@id":"https:\/\/www.intrinsec.com\/en\/rewinding-the-breach-a-csirt-cti-investigation\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.intrinsec.com\/en\/rewinding-the-breach-a-csirt-cti-investigation\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.intrinsec.com\/en\/rewinding-the-breach-a-csirt-cti-investigation\/#primaryimage","url":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2026\/03\/TLP-CLEAR-Rewinding-the-Breach-a-CSIRT-CTI-Investigation.png","contentUrl":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2026\/03\/TLP-CLEAR-Rewinding-the-Breach-a-CSIRT-CTI-Investigation.png","width":1120,"height":1123},{"@type":"BreadcrumbList","@id":"https:\/\/www.intrinsec.com\/en\/rewinding-the-breach-a-csirt-cti-investigation\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.intrinsec.com\/"},{"@type":"ListItem","position":2,"name":"Rewinding the Breach: a CSIRT-CTI-Investigation"}]},{"@type":"WebSite","@id":"https:\/\/www.intrinsec.com\/#website","url":"https:\/\/www.intrinsec.com\/","name":"INTRINSEC","description":"Our job is to protect 
yours.","publisher":{"@id":"https:\/\/www.intrinsec.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.intrinsec.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.intrinsec.com\/#organization","name":"INTRINSEC","alternateName":"ISEC","url":"https:\/\/www.intrinsec.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.intrinsec.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/02\/libellule.png","contentUrl":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/02\/libellule.png","width":1322,"height":1322,"caption":"INTRINSEC"},"image":{"@id":"https:\/\/www.intrinsec.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/Intrinsec","https:\/\/fr.linkedin.com\/company\/intrinsec","https:\/\/www.youtube.com\/channel\/UC0trUZAHNZOUbxYnNdecM4A"],"description":"Intrinsec, a consulting firm and pure-play French and European cybersecurity provider for over 30 years, specializes in offensive security and auditing (penetration testing\/red teams), GRC, and IMSS services such as SOC, CTI, and CERT. 
Intrinsec is qualified at PASSI High, PRIS High, and PACS levels by ANSSI.","email":"contact@intrinsec.com"},{"@type":"Person","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/ade590fbc7ad6f413727bae7cd3fb799","name":"Intrinsic","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/fde6ed961c7078765b03a213927b5c4001b1cef4787255188f5b502a99e6ddd6?s=96&d=retro&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/fde6ed961c7078765b03a213927b5c4001b1cef4787255188f5b502a99e6ddd6?s=96&d=retro&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/fde6ed961c7078765b03a213927b5c4001b1cef4787255188f5b502a99e6ddd6?s=96&d=retro&r=g","caption":"Intrinsec"},"sameAs":["https:\/\/www.intrinsec.com"],"url":"https:\/\/www.intrinsec.com\/en\/author\/ufhtbqccsz\/"}]}},"_links":{"self":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/231622","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/comments?post=231622"}],"version-history":[{"count":7,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/231622\/revisions"}],"predecessor-version":[{"id":231652,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/231622\/revisions\/231652"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/media\/231627"}],"wp:attachment":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/media?parent=231622"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/categories?post=231622"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp
\/v2\/tags?post=231622"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}