In current scenario there are many myths exist about the Threat Intelligence in cyber security. In this session we will cover the lesser known and practical implementation of threat intelligence along with thinking beyond the "IOC Way" to make the threat intelligence more effective.

1. LESSER KNOWN THREAT INTELLIGENCE
IMPLEMENTATION
Avkash Kathiriya
Information Security Learner

2. #WhoamI
me@:~$ Avkash Kathiriya
me@:~$ Information Security Learner
me@:~$ Experience in SOC, Threat Hunting, Incident Response, ATM Security,
Threat Intelligence & research
me@:~$ Twitter : @avkashk
me@:~$ Blog: www.avkashk.wordpress.com or LinkedIn Pulse (Avkash
Kathiriya)
me@:~$ Email : avkashk@null.co.in

3. AGENDA
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 3

4. 5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 4
THREAT INTELLIGENCE??

5. 5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 5

6. 5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 6
Lets talk the
science way

7. Threat Intelligence Types
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 7
https://www.cpni.gov.uk/advice/cyber/Threat-Intelligence/

8. “Strategic” Intelligence
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 8
Threat research
reports
Data breach
reports
Regulatory
announcements
Internal Business
strategies
Third party
outsourcing

9. “Tactical” Intelligence
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 9
Exploit alert
monitoring
Exploit researcher
blogs
Vulnerability
dashboards
Exploitability
mapping

10. “Technical” Intelligence
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 10
Virus Total
Abusetracker
APT IOC
OSINT
Maltego
Etc. etc.. 

11. “Operational” Intelligence
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 11
CERT Advisory
Dark web
monitoring
Situational
Awareness
Social Media
Monitoring

12. Threat Intelligence Market
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 12

13. 5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 13

14. 5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 14
Lets talk the
“Sun Tzu” way

15. 5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 15

16. 5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 16
Before we
move lets take
a 1000 feet
view

17. Open Threat Intelligence steps
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 17
• Know “Your organisation” first
• Create Threat intel framework which suits you
• Open-source Feeds
• Open-source Platforms
• Open-source reports
• Community Tools
• Security communities
and Friends

18. DNS Intelligence
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 18

19. DNS Intelligence
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 19

20. DNS Intelligence
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 20
• Catch hold the DNS logs first
• Find out how the attackers are targeting your
network
• DNS as your best buddy while doing “Threat
Hunting”

21. Domain Squatting
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 21

22. Domain Squatting
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 22

23. Domain Squatting
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 23

24. Domain Squatting
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 24
DNS
TWIST

25. Domain Squatting
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 25

26. Domain Squatting
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 26

27. Domain Squatting
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 27

28. Domain Squatting
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 28
• Intelligent way of monitoring phishing/spear-
phishing attacks
• Rich source of domain intelligence for your SOC
• Risk scoring based on below parameters
• Registered domain
• MX records
• Newly registered domain

29. Google Alerts
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 29

30. Google Alerts
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 30

31. Google Alerts
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 31

32. 5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 32
Google Alerts delivered to your SOC 24*7

33. Google Alerts In XML feeds
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 33

34. Google Alerts
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 34
• Intelligence gathering tool
• Vendor security intelligence gathering
• Your infrastructure vulnerability notification
• Integration with SOC for 24*7 monitoring

35. People Intelligence
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 35

36. Why People Intelligence is IMP??
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 36

37. “People” Intelligence
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 37
Security
Awareness Data

38. 5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 38
If you see “WORD” calling
“CMD”

39. 5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 39
If you see “WORD” calling
“CMD” from the user who is
Known Phish Bait

40. People Intelligence
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 40
• Phishing simulation data is richest source of
human intelligence of your organization
• Identify your “broken link” in the “weakest link”
• Prioritize monitoring of risky users

41. Deception for Threat Intelligence
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 41

42. Deception for Threat Intelligence
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 42
Network
Decoy
Document
Decoy
Credential
Decoy
Recon
Outpost
Social
Decoy

43. Credential Theft

44. Enticing Document

45. Deception as a threat intel
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 45
• Know your attacker already inside your network
• Honey tokens for callbacks
• Setup your threat intel web bots
• Mimikatz hunting

46. 5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 46

47. “Pastebin” Monitoring
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 47

48. “Pastebin” Monitoring feeds into SOC
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 48

49. “Community” Intelligence
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 49
Security
Community
Friends
Conferences
Summits
Working GroupsYour Company

50. Takeaways
5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 50
‣ Before you invest in any commercial provider, you must maximize
your own intrusions
‣ No threat intel is more relevant than what is occurring within your
own environment
‣ You don’t have the best technology and most expensive intel sources
to be effective
‣ You probably will never have a fusion center but you can make
threat intelligence work
‣ DIY / Open Source tools is perfectly acceptable
‣ Actionable intelligence must be timely
‣ Don’t spend so much time performing analysis that timeliness
suffers

51. 5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 51

52. 5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 52
Thanks and References
• Sun Tzu
• Google
• SANS
• Rick Holland
• Dave Herrald and Ryan Kovar
• Meme Generators

53. 5/28/2017LESSER KNOWN THREATINTEL IMPLEMENTATION BY AVKASH K 53