Creating REAL
Threat Intelligence … with Evernote
@grecs
NovaInfosec Consulting
NovaInfosec.com
Disclaimer
Opinions expressed are solely my own and do not express the views or opinions of my employers.
NovaInfosec.com@grecs,Creating REAL Threat Intelligence … with Evernote
[Image: hacked sites; news articles of breaches, mid-2000s]
Infosec COTS
NovaInfosec Consulting
• Assessing Defense Postures to Identify Potential Weaknesses
• Training Analysts to More Effectively Detect and Respond to Attacks
• Improving Policies and Procedures to Boost Monitoring Efficiencies
• Integrating Technical Solutions that Support Analysts and Processes
Agenda
• Background
• Dashboarding for Fun/Profit
• The Secret Weapon
• 3 Legs of Threat Intel
• Evernote as an Intel Repo
• Alternatives
• Future
BACKGROUND
Over Engineering
Build (at least try to) Before Buy
Problem
Requirements
Background
Over Engineering
• Tendency to Over Complicate
• Keep It Simple Stupid
• What Can We Do Quick & Dirty that Will Get Us 60-70% of the Way There?
• Onboarding Workflow System Example
[Diagram: Solution Fine As Is / Est. Reqs. to Develop Eventual Solution]
Background
Build (at least try to) Before Buy
• Before Buying New Commercial Solution
– Try Quick & Dirty Solution In-House First
• Use Tools You Already Have & Everyone Is Familiar With
• Set Up a Good Set of Processes Since It Lacks Safety Checks
• Have Smart People Actually Use the Solution for 6-12 Mos.
• Continually Evolve Processes with Lessons Learned
– Maybe that Will Solve Your Needs
– Else Understand What You REALly Need -> Commercial
• Invest in People & Process 1st, then Products
Case in Point: Threat Intel Services
Background
Problem
• Working as Analyst
– Looking to Take Advantage of OS Intel
– Required Searching Through Sites One-by-One
• Restrictions
– No Organization Provided Option
– No Option to Build Own System Internally
• Build My Own
– Hosted Externally
– Accessible Internally
Background
Requirements
• Bucket to Dump All Data Into
– Blog/Other Feeds
– Data-Driven Feeds
– Data Files
– Other (anything else found – e.g., APT reports)
• Easily Find Data
– Searchable
– Categories
– Tagging for Viewing in Different Ways
• Cloud-Based So Wouldn’t Have to Maintain & Accessible Everywhere
– Email Folder (like in old days but too kludgy)
– Log/Data Aggregation Tools
Analyst Point of View, Not Machine
DASHBOARDING FOR FUN & PROFIT
Dashboard 1.0
Dashboard 2.0
Dashboard 3.0
Take-Aways
Dashboarding for Fun & Profit
Dashboard 1.0
• SOC Security Engineer Position Many Years Ago Working to Create Dashboards
• Wanted to Measure Risk
• Use Traditional Risk Equation
– Vulnerability Data Based on Patch & Other Tools
– Threat? Decided to Use Vendor Threat Levels (e.g., SANS INFOCON, Symantec – normalize and average)
Dashboarding for Fun & Profit
Dashboard 2.0 – Google Reader, iGoogle, Feedly
Dashboarding for Fun & Profit
Dashboard 3.0
• Moved from Feedly to Netvibes Since Designed Ground Up as Dashboard
• Added “Cyber Intel” Tab with Sources Still Active from Feedly
Dashboarding for Fun & Profit
Dashboarding Take-Aways
• Nice for “Blog” Post Feeds
• Tough to Follow for Data-Driven Feeds
– Changing Too Fast
– Feedly Pro
– NetVibes VIP
• Keep All Feed Data & Searchable
• Expensive for One-Off Analyst Resource
• Introduce Concept of One “Bucket” to Dump All Into
• Doesn’t Work for Periodically Updated Data Files
Identified Many Great Sources of Info to Collect
THE SECRET WEAPON
Overview
Customization
The Secret Weapon
Overview
• Method for Using Evernote as GTD-Based Task Mgmt System
– Treat Evernote Like a Database
– Notebook == Table
– Note == Free Form Record
• Organization
– Nested Notebooks
– Hierarchical Tagging (provide metadata structure)
• What -> Projects
• When -> Importance – e.g., 0-6
• Where -> E.g., home, work, etc.
• Who -> E.g., people that action has to do with
• Combination of Above
• Search
– By Notebook, Tag, Keyword, or Combination Thereof
– Saved Searches
The Secret Weapon
Customization
• Identifier Symbols for Each W* Category
• Carry Through of W* Symbols into Sub-Tags
• Included “.” after Symbols to Mark Headings
THREE LEGS OF THREAT INTEL
Background
Open Source Intelligence
Information Sharing
Case Tracking
Existing Solutions
Three Legs of Threat Intel
Background
• Threat Intel Market Growing
– Investigating Threat Intel
– Consulted Experts & Users of Threat Intel Services
• Basic Take-Aways
– Fascinating Area with Lots of Cool Things Mathematically Correlated Together in Some Fancy Big Data Model
– Not Much Value Beyond Open Source Resources
– A Lot of Data Not Relevant to Organization
“When your threat intel solution is feeling more like a threat intel problem…” - @JohnLaTwC
Three Legs of Threat Intel
Open Source Intelligence
• Boils Down to
– Indicators (e.g., IPs, Domains, URLs, Hashes, Email Addresses, …)
– Reports (e.g., vendor dossiers on threat TTPs)
• Historically Lots of Open Source Resources (e.g., MalwareDomainList, Zeus Tracker, …)
• Don’t Forget Social Networks (e.g., certain people/resources on Twitter)
• Mix in Organizational Data as Well to Enrich (e.g., honeypots)
• Commercial (but let’s get the free stuff down first to define requirements)
• Existing Solutions: CRITS, CIF, CriticalStack, Vendors Incorporating into Products
• Big Need
– Centralized Database to Record All this Information
Three Legs of Threat Intel
Intel Sharing
• Groups
– ISACs (FS-ISAC, MS-ISAC, DIB-ISAC, …)
– DIB
– Infragard
• Historically/Existing Solutions
– Email Lists, Bulletin Boards
– Starting to Distribute in Standardized Format (TAXII,
STIX)
• Big Need
– Centralized Database to Record All this Information
Three Legs of Threat Intel
Case Tracking
• Pretty Simple with Many Workflow Systems Out There
– Open New Case
– Work It Periodically, Adding Comments on What Was Done
– Eventually Gets Closed
• Existing Solutions
– Open Source: RT, eTicket, Help Desk Lite, …
– Commercial: Remedy, SharePoint
• Big Need
– Centralized Database to Record All this Information
Three Legs of Threat Intel
Other
• All-In-One
– ThreatConnect (free to join)
• Overall
– Lots of Point Solutions But Not Flexible
– Ease of Use (CEO down to analyst)
– Centralized Database to Record All this Information
EVERNOTE AS AN INTEL REPO
Ah Ha
OSINT
Intel Sharing
Case Tracking
Summary
Other Tricks
EN Search
Alternatives
Evernote as an Intel Repo
Ah Ha
• Define Notebooks & Hierarchical Tags for Metadata
• Perfect Open & Flexible Framework to Build Off Of
• Easy to Use Over Heavy Database or Workflow Management System
• Start Dumping All Feeds/Data into Evernote Bucket
Dashboarding + Secret Weapon + Threat Intel = Evernote as an Intel Repo
Evernote as an Intel Repo
OSINT
• Archive of Organization-Relevant Data from Open Source Resources
• Benefits
– Database You Can Search and Pivot Around In
– Annotation of Notes
• Dumping
– Automated via Feeds
– Clip into Evernote with Browser Add-On
• Recommended Tagging Structure
Evernote as an Intel Repo
OSINT
• Threat
– MalwareDomainList (RSS)
– Zeus Tracker (RSS)
– SSL Blacklist (RSS)
– Malware-Analysis Traffic (RSS)
– Dynamoo (RSS)
– @sshbrute, @netmenaces (Twitter)
• Vulnerability
– Offensive Security Exploit Database (RSS)
– NIST NVD CVE (RSS)
– US CERT All Products (RSS)
• Situational Awareness
– SANS ISC Blog (RSS)
– ThreatBrief (RSS)
Evernote as an Intel Repo
OSINT
Evernote as an Intel Repo
OSINT - Automation
• Email into Evernote
– Sign Up for Service Using Your Evernote Email Address
• IFTTT for RSS Feeds
– Easy to Implement
– Limitation: Only Gets Partial Data (feed excerpts)
– Write Own RSS Scraper / FiveFilters
• IFTTT Interface with Twitter
• IFTTT with Email Integration
– Helps Some if Source Offers a Mailing List with Full Data
• StormStack - Open Source Clone+ of IFTTT
• Scripts
– E.g., Retrieve Files & Insert into Evernote
Evernote as an Intel Repo
OSINT – IFTTT Automation
Evernote as an Intel Repo
OSINT – Script Automation
Thanks for Initial Script:
Ameer M.
Evernote as an Intel Repo
EN Search
• How to Find All the Data Thrown into Evernote
– Tags
– Basic Search
– Advanced Search
• Specific Notebooks, Tags, Terms, Dates
• “AND” Boolean Support
• Example
– Search for IP & Find Note
– Run Secondary Search Around that Timeline
– Discover Similar Happenings
• Saved Searches (e.g., Case Tracking)
Evernote as an Intel Repo
Beyond OSINT
• Inputs
– Intel Sharing
• Shared Evernote Notebook for Partner Group
• Create Note, Place in Shared Notebook to Distribute, & Use Standard Tags to Track
– Other: Logger, SIEM
• Analysis
– Case Tracking
• Evernote Notebook with a Note per Investigation
• Establish Note Template with
• Tags to ID Workflow (e.g., Open, Working, Closed)
– Other: Indicator DB, Adversaries, Campaigns, …
Evernote as an Intel Repo
Summary - Inputs
Tag columns: !.When = Priority, Confidence, Rep; ].What = Data Type; @.Where = Workflow or State; ^.Who = Source or Who Added/Upd
• OSINT DB
– !.When: (none)
– ].What: ].OSINT DB > ]NVD, ]Exploit-DB, ]Zeus Tracker
– @.Where: @.OSINT DB > (no tag -> new), @Useful, @Useless
– ^.Who: ^.OSINT DB > ^NIST, ^Offensive S., ^Abuse.ch
• Intel Sharing
– !.When: (none)
– ].What: ].Intel Sharing > ]DIB, ]FS-ISAC
– @.Where: @.Intel Sharing > (no tag -> new), @Relevant, @Irrelevant
– ^.Who: ^.Intel Sharing > ^Co. A, ^Co. B, ^Co. C
• Logger
– !.When: (none)
– ].What: ].Logger > ]Web Logs, …
– @.Where: @.Logger > (no tag -> new), …
– ^.Who: ^.Logger > ^NovaInfosec, …
• SIEM
– !.When: (none)
– ].What: ].SIEM > ]Site Lockout, ]File Change
– @.Where: @.SIEM > (no tag -> new), @Investigating, @Reviewed
– ^.Who: ^.SIEM > ^NovaInfosec
Evernote as an Intel Repo
Summary - Analysis
Tag columns: !.When = Priority, Confidence, Rep (only tag if relevant); ].What = Data Type (** primary tags, used to cross-ref); @.Where = Workflow or State; ^.Who = Source or Who Added/Upd
• Case Tracking
– !.When: !.Case Tracking > !High, !Medium, !Low
– ].What (**): ].Case Tracking > ]CAS10000, ]CAS10001
– @.Where: @.Case Tracking > @Inbox, @Working, @Closed
– ^.Who: ^.Case Tracking > ^jsmith, ^acren
• Indicator DB
– !.When: !.Indicator DB > !HVI, !MVI, !LVI
– ].What (**): ].Indicator DB > ]192.168.2.50, ]smith@tch.com
– @.Where: @.Indicator DB > @Suggested, @Active, @Inactive
– ^.Who: ^.Indicator DB > ^jsmith, ^acren
• Adversary
– !.When: !.Adversary > !Important, !Not Important
– ].What (**): ].Adversary > ]ABC, ]DEF
– @.Where: @.Adversary > @Proposed, @Tracking, @Dormant
– ^.Who: ^.Adversary > ^jsmith, ^acren
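The W* tagging scheme from the summary slides and the EN Search pivot (find the IP's note, then search around its timeline), modelled in Python as an added example. This is not code from the deck and uses no Evernote API: the in-memory note store, the sample notes and their dates are constructed, and the IP auto-tagging function stands in for the "API Automation" item the deck lists under Future.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# W* prefixes from the deck: ! When, ] What, @ Where, ^ Who. A "." right after
# the prefix marks a heading tag (e.g. "].Indicator DB" above "]192.168.2.50").
PREFIXES = {"!": "when", "]": "what", "@": "where", "^": "who"}


def parse_tag(tag):
    """Return (category, is_heading, name) for a W* tag; reject unknown prefixes."""
    if not tag or tag[0] not in PREFIXES:
        raise ValueError(f"tag {tag!r} lacks a W* prefix")
    is_heading = tag[1:2] == "."
    return PREFIXES[tag[0]], is_heading, tag[2:] if is_heading else tag[1:]


@dataclass
class Note:
    """Note == free-form record; notebook == table (the deck's database analogy)."""
    notebook: str
    title: str
    body: str
    created: datetime
    tags: set = field(default_factory=set)

    def state(self):
        """Workflow state = the @Where leaf tag; '(no tag -> new)' as on the summary slide."""
        leaves = [parse_tag(t)[2] for t in self.tags if parse_tag(t)[:2] == ("where", False)]
        return leaves[0] if leaves else "new"


IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")


def auto_tag_ips(note):
    """Constructed stand-in for the deck's 'auto tagging IP addresses' future item."""
    found = set(IPV4.findall(note.body))
    if found:
        note.tags.add("].Indicator DB")            # heading tag
        note.tags.update(f"]{ip}" for ip in found)  # one ]What sub-tag per IP
    return found


def search(notes, notebook=None, tags=(), keyword=None, since=None, until=None):
    """AND-combine notebook, tag, keyword and date filters, like EN advanced search."""
    out = []
    for n in notes:
        if notebook and n.notebook != notebook:
            continue
        if not set(tags) <= n.tags:
            continue
        if keyword and keyword.lower() not in (n.title + " " + n.body).lower():
            continue
        if since and n.created < since:
            continue
        if until and n.created > until:
            continue
        out.append(n)
    return sorted(out, key=lambda n: n.created)


def pivot_on_ip(notes, ip, window_days=3):
    """EN Search example: find the IP's earliest note, then search +/- window_days around it."""
    hits = search(notes, keyword=ip)
    if not hits:
        return None, []
    anchor = hits[0]
    span = timedelta(days=window_days)
    nearby = search(notes, since=anchor.created - span, until=anchor.created + span)
    return anchor, [n for n in nearby if n is not anchor]


def open_cases(notes):
    """Saved search for case tracking: notebook plus the @Working workflow tag."""
    return [n.title for n in search(notes, notebook="Case Tracking", tags=("@Working",))]


# Constructed sample notes (not real feed data). 192.168.2.50 and smith@tch.com are
# the placeholder indicators the deck's own summary slide uses; dates are made up.
NOTES = [
    Note("OSINT DB", "Zeus Tracker: new C2", "C2 seen at 192.168.2.50 port 443",
         datetime(2015, 3, 2), {"].OSINT DB", "]Zeus Tracker", "^.OSINT DB", "^Abuse.ch"}),
    Note("SIEM", "Site Lockout", "10 failed logins for smith@tch.com from 192.168.2.50",
         datetime(2015, 3, 3), {"].SIEM", "]Site Lockout", "@.SIEM", "@Investigating"}),
    Note("Case Tracking", "CAS10000", "Lockout investigation; pivoting on 192.168.2.50",
         datetime(2015, 3, 4), {"].Case Tracking", "]CAS10000", "@.Case Tracking", "@Working",
                                "!.Case Tracking", "!High", "^.Case Tracking", "^jsmith"}),
    Note("OSINT DB", "NVD: unrelated CVE", "Weekly NVD digest, nothing for our stack",
         datetime(2015, 3, 20), {"].OSINT DB", "]NVD", "^.OSINT DB", "^NIST"}),
]

if __name__ == "__main__":
    anchor, related = pivot_on_ip(NOTES, "192.168.2.50")
    print("anchor:", anchor.title, "| related:", [n.title for n in related])
    print("open cases:", open_cases(NOTES), "| SIEM state:", NOTES[1].state())
```

The pivot returns the SIEM lockout and the case note because they fall inside the three-day window around the Zeus Tracker note, while the NVD digest two weeks later does not.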
Evernote as an Intel Repo
Show & Tell
Alternatives
• Log Management Solutions
• SIEMs
• Others
Future
• More/Improved OSINT Resources
– Deconflict Sites with Multiple Feeds & Add if Needed
– File-Based Pulls (script / replace existing RSS)
– Vendor APT Reports
– News Blogs - Track Happenings Around Specific Period
– Integration with CIF to Centralize/Tag Data
• Improved/Formalized Tagging Structures
• API Automation (e.g., auto tagging IP addresses)
• 3rd Party App that Uses Evernote as Backend
Conclusion
• Lots of Point Solutions but None Bring Together Like Good ‘ol Evernote
• Start with Evernote to “Figure Stuff Out”
• In End Determine REAL Requirements
– Solution Fine As Is
– Build In-House/Buy Commercial Full Out Solution
Questions?
• Twitter @grecs
• Website NovaInfosec.com, @novainfosec
• Contact http://bit.ly/nispcontact
– Questions/Consulting

Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 

Creating REAL Threat Intelligence with Evernote at SourceDublin on September 7, 2015

  • 1. Creating REAL Threat Intelligence … with Evernote @grecs NovaInfosec Consulting NovaInfosec.com
  • 2. Disclaimer Opinions expressed are solely my own and do not express the views or opinions of my employers. NovaInfosec.com@grecs,Creating REAL Threat Intelligence … with Evernote
  • 11. Pic of hacked sites; news articles of breaches, mid-2000s
  • 14. Infosec COTS
  • 15.
      • Assessing Defense Postures to Identify Potential Weaknesses
      • Training Analysts to More Effectively Detect and Respond to Attacks
      • Improving Policies and Procedures to Boost Monitoring Efficiencies
      • Integrating Technical Solutions that Support Analysts and Processes
  • 16. NovaInfosec Consulting
  • 20. Agenda
      • Background
      • Dashboarding for Fun/Profit
      • The Secret Weapon
      • 3 Legs of Threat Intel
      • Evernote as an Intel Repo
      • Alternatives
      • Future
  • 21. BACKGROUND: Over Engineering; Build (at least try to) Before Buy; Problem; Requirements
  • 22. Background: Over Engineering
      • Tendency to Over Complicate
      • Keep It Simple Stupid
      • What Can We Do Quick & Dirty that Will Get Us 60-70% of the Way There?
      • Onboarding Workflow System Example (diagram): the quick & dirty solution either turns out Fine As Is, or establishes the Requirements to Develop the Eventual Solution
  • 23. Background: Build (at least try to) Before Buy
      • Before Buying a New Commercial Solution
          – Try a Quick & Dirty Solution In-House First
          – Use Tools You Already Have & Everyone Is Familiar With
          – Set Up a Good Set of Processes, Since the Quick Solution Lacks Safety Checks
          – Have Smart People Actually Use the Solution for 6-12 Months
          – Continually Evolve the Processes with Lessons Learned
          – Maybe That Will Solve Your Needs
          – Else You Now Understand What You REALly Need → Commercial
      • Invest in People & Process 1st, then Products
      • Case In Point: Threat Intel Services
  • 24. Background: Problem
      • Working as an Analyst
          – Looking to Take Advantage of Open Source Intel
          – Required Searching Through Sites One-by-One
      • Restrictions
          – No Organization-Provided Option
          – No Option to Build Own System Internally
      • Build My Own
          – Hosted Externally
          – Accessible Internally
  • 25. Background: Requirements (Analyst Point of View, Not Machine)
      • Bucket to Dump All Data Into
          – Blog/Other Feeds
          – Data-Driven Feeds
          – Data Files
          – Other (anything else found, e.g., APT reports)
      • Easily Find Data
          – Searchable
          – Categories
          – Tagging for Viewing in Different Ways
      • Cloud-Based So I Wouldn't Have to Maintain It & Accessible Everywhere
          – Email Folder (like in the old days, but too kludgy)
          – Log/Data Aggregation Tools
  • 26. DASHBOARDING FOR FUN & PROFIT: Dashboard 1.0; Dashboard 2.0; Dashboard 3.0; Take-Aways
  • 27. Dashboarding for Fun & Profit: Dashboard 1.0
      • SOC Security Engineer Position Many Years Ago, Working to Create Dashboards
      • Wanted to Measure Risk
      • Used the Traditional Risk Equation
          – Vulnerability Data Based on Patch & Other Tools
          – Threat? Decided to Use Vendor Threat Levels (e.g., SANS INFOCON, Symantec; normalize and average)
  • 28. Dashboarding for Fun & Profit: Dashboard 2.0 – Google Reader, iGoogle, Feedly
  • 29. Dashboarding for Fun & Profit: Dashboard 3.0
      • Moved from Feedly to Netvibes Since It Was Designed from the Ground Up as a Dashboard
      • Added a "Cyber Intel" Tab with the Sources Still Active from Feedly
  • 30. Dashboarding for Fun & Profit: Take-Aways
      • Nice for "Blog" Post Feeds
      • Tough to Follow for Data-Driven Feeds
          – Changing Too Fast
          – Feedly Pro / Netvibes VIP Keep All Feed Data & Make It Searchable
          – Expensive for a One-Off Analyst Resource
      • Introduces the Concept of One "Bucket" to Dump Everything Into
      • Doesn't Work for Periodically Updated Data Files
      • Identified Many Great Sources of Info to Collect
  • 31. THE SECRET WEAPON: Overview; Customization
  • 32. The Secret Weapon: Overview
      • Method for Using Evernote as a GTD-Based Task Management System
          – Treat Evernote Like a Database
          – Notebook == Table
          – Note == Free-Form Record
      • Organization
          – Nested Notebooks
          – Hierarchical Tagging (provides the metadata structure)
              • What → Projects
              • When → Importance, e.g., 0-6
              • Where → e.g., home, work, etc.
              • Who → e.g., people the action has to do with
              • Combinations of the Above
      • Search
          – By Notebook, Tag, Keyword, or Combination Thereof
          – Saved Searches
  • 33. The Secret Weapon: Customization
      • Identifier Symbols for Each W* Category
      • Carry the W* Symbols Through into Sub-Tags
      • Included "." after the Symbol to Mark Headings
  • 34. THREE LEGS OF THREAT INTEL: Background; Open Source Intelligence; Information Sharing; Case Tracking; Existing Solutions
  • 35. Three Legs of Threat Intel: Background
      • Threat Intel Market Growing
          – Investigated Threat Intel
          – Consulted Experts & Users of Threat Intel Services
      • Basic Take-Aways
          – Fascinating Area with Lots of Cool Things Mathematically Correlated Together in Some Fancy Big Data Model
          – Not Much Value Beyond Open Source Resources
          – A Lot of Data Not Relevant to the Organization
      • "When your threat intel solution is feeling more like a threat intel problem…" - @JohnLaTwC
  • 36. Three Legs of Threat Intel: Open Source Intelligence
      • Boils Down to
          – Indicators (e.g., IPs, Domains, URLs, Hashes, Email Addresses, …)
          – Reports (e.g., vendor dossiers on threat TTPs)
      • Historically Lots of Open Source Resources (e.g., MalwareDomainList, Zeus Tracker, …)
      • Don't Forget Social Networks (e.g., certain people/resources on Twitter)
      • Mix in Organizational Data as Well to Enrich (e.g., honeypots)
      • Commercial (but let's get the free stuff down first to define requirements)
      • Existing Solutions: CRITs, CIF, Critical Stack, Vendors Incorporating into Products
      • Big Need: Centralized Database to Record All This Information
  • 37. Three Legs of Threat Intel: Intel Sharing
      • Groups
          – ISACs (FS-ISAC, MS-ISAC, DIB-ISAC, …)
          – DIB
          – InfraGard
      • Historical/Existing Solutions
          – Email Lists, Bulletin Boards
          – Starting to Distribute in Standardized Formats (STIX for the content, TAXII for the transport)
      • Big Need: Centralized Database to Record All This Information
  • 38. Three Legs of Threat Intel: Case Tracking
      • Pretty Simple, with Many Workflow Systems Out There
          – Open a New Case
          – Work It, Periodically Adding Comments on What Was Done
          – Eventually It Gets Closed
      • Existing Solutions
          – Open Source: RT, eTicket, Help Desk Lite, …
          – Commercial: Remedy, SharePoint
      • Big Need: Centralized Database to Record All This Information
  • 39. Three Legs of Threat Intel: Other
      • All-In-One
          – ThreatConnect (free to join)
      • Overall
          – Lots of Point Solutions, But Not Flexible
          – Ease of Use (CEO down to analyst)
          – Centralized Database to Record All This Information
  • 40. EVERNOTE AS AN INTEL REPO: Ah Ha; OSINT; Intel Sharing; Case Tracking; Summary; Other Tricks; EN Search; Alternatives
  • 41. Evernote as an Intel Repo: Ah Ha
      • Dashboarding + Secret Weapon + Threat Intel = Evernote as an Intel Repo
      • Define Notebooks & Hierarchical Tags for Metadata
      • Perfect Open & Flexible Framework to Build Off Of
      • Easier to Use Than a Heavy Database or Workflow Management System
      • Start Dumping All Feeds/Data into the Evernote Bucket
  • 42. Evernote as an Intel Repo: OSINT
      • Archive of Organization-Relevant Data from Open Source Resources
      • Benefits
          – A Database You Can Search and Pivot Around In
          – Annotation of Notes
      • Dumping
          – Automated via Feeds
          – Clip into Evernote with the Browser Add-On
      • Recommended Tagging Structure
  • 43. Evernote as an Intel Repo: OSINT Sources
      • Threat
          – MalwareDomainList (RSS)
          – Zeus Tracker (RSS)
          – SSL Blacklist (RSS)
          – Malware-Traffic-Analysis (RSS)
          – Dynamoo (RSS)
          – @sshbrute, @netmenaces (Twitter)
      • Vulnerability
          – Offensive Security Exploit Database (RSS)
          – NIST NVD CVE (RSS)
          – US-CERT All Products (RSS)
      • Situational Awareness
          – SANS ISC Blog (RSS)
          – ThreatBrief (RSS)
  • 44. Evernote as an Intel Repo: OSINT
  • 45. Evernote as an Intel Repo: OSINT - Automation
      • Email into Evernote
          – Sign Up for the Service Using Your Evernote Email Address (treat that address like a credential: anything mailed to it becomes a note)
      • IFTTT for RSS Feeds
          – Easy to Implement
          – Limitation: Only Gets Partial Data
          – Alternatively Write Your Own RSS Scraper / Use FiveFilters for Full Text
      • IFTTT Interface with Twitter
      • IFTTT with Email Integration
          – Helps Some if the Source Offers a Mailing List with Full Data
      • StormStack: Open Source Clone+ of IFTTT
      • Scripts
          – e.g., Retrieve Files & Insert into Evernote
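The script path on this slide, pulling a feed and turning each entry into a tagged note, worked as an added example in Python. This is not the author's script from the next slides or Evernote's code: the RSS document below is a constructed sample rather than a real tracker feed, the feed name and source organisation passed in (Zeus Tracker, Abuse.ch) are taken from the deck's tagging slides, the ENML wrapper follows Evernote's published note format (the en-note DTD), and the upload call itself is left out so the block runs offline. The indicator regexes are deliberately simple; the point is the shape of the note and its tags, not the parser.

```python
"""Retrieve a feed, carve indicators out of each entry and shape the result
into notes tagged ]What (the feed) and ^Who (the source organisation).
Added example, not the author's script: the RSS below is constructed, and
the upload call to Evernote is left out so the block runs offline."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from html import escape, unescape

# Constructed RSS 2.0 sample (not real data) standing in for a tracker feed.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed Tracker</title>
<item>
  <title>C2 host 203.0.113.45</title>
  <link>https://tracker.example/entry/1</link>
  <pubDate>Mon, 07 Sep 2015 08:15:00 +0000</pubDate>
  <description>Bot config served from bad-panel.example (203.0.113.45);
  dropper md5 d41d8cd98f00b204e9800998ecf8427e</description>
</item>
<item>
  <title>Binary drop site</title>
  <link>https://tracker.example/entry/2</link>
  <pubDate>Mon, 07 Sep 2015 09:40:00 +0000</pubDate>
  <description>Payload at http://198.51.100.7/gate.php, mirrored on
  cdn.bad-panel.example</description>
</item>
</channel></rss>"""

# Deliberately simple indicator patterns; tune them to the feeds you ingest.
PATTERNS = {
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}"
                       r"(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "md5": re.compile(r"\b[a-fA-F0-9]{32}\b"),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}
# The domain pattern also catches file names like gate.php; drop those.
FILE_EXT = {"php", "exe", "dll", "html", "htm", "asp", "aspx", "js", "txt", "zip"}
# Evernote's note body format (ENML); the DTD line is the one Evernote uses.
ENML_HEAD = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<!DOCTYPE en-note SYSTEM "http://xml.evernote.com/pub/enml2.dtd">')


@dataclass
class Note:
    title: str
    created: datetime
    source_url: str
    tags: list
    indicators: dict
    enml: str


def tags_for(feed_name, source_org):
    """]What names the feed, ^Who the organisation behind it.  No @Where tag
    is set on purpose: per the Summary slide, an OSINT note with no @ tag is
    'new' until an analyst marks it @Useful or @Useless."""
    return [f"]{feed_name}", f"^{source_org}"]


def extract_indicators(text):
    """Return {kind: set(values)} for every pattern that hit in the text."""
    found = {}
    for kind, pattern in PATTERNS.items():
        hits = set(pattern.findall(text))
        if kind == "domain":
            hits = {h for h in hits if h.rsplit(".", 1)[-1].lower() not in FILE_EXT}
        if hits:
            found[kind] = hits
    return found


def to_enml(text, link):
    """Wrap the entry text as an ENML body, escaping so the XML stays valid."""
    return (f"{ENML_HEAD}<en-note><div>{escape(text)}</div>"
            f'<div><a href="{escape(link, quote=True)}">{escape(link)}</a></div></en-note>')


def feed_to_notes(rss_xml, feed_name, source_org):
    """One note per <item>: title, creation time from pubDate, the carved
    indicators and the tags the deck's scheme calls for."""
    notes = []
    for item in ET.fromstring(rss_xml).iter("item"):
        title = item.findtext("title", default="(untitled)")
        link = item.findtext("link", default="")
        # Feeds often ship HTML in <description>; flatten it to text first.
        text = re.sub(r"<[^>]+>", " ", unescape(item.findtext("description", default="")))
        pub = item.findtext("pubDate")
        created = parsedate_to_datetime(pub) if pub else datetime.now(timezone.utc)
        notes.append(Note(title=title, created=created, source_url=link,
                          tags=tags_for(feed_name, source_org),
                          indicators=extract_indicators(f"{title} {text}"),
                          enml=to_enml(text, link)))
    return notes


if __name__ == "__main__":
    for n in feed_to_notes(SAMPLE_RSS, "Zeus Tracker", "Abuse.ch"):
        print(n.created.isoformat(), n.title, n.tags, n.indicators)
```

Each returned Note is what you would hand to the Evernote API (title, ENML body, tag names, created timestamp); the carved indicators are kept alongside so a later pass can add ]IP-style tags or feed an indicator notebook without re-parsing the text.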
  • 46. Evernote as an Intel Repo: OSINT - IFTTT Automation
  • 47. Evernote as an Intel Repo: OSINT - Script Automation (Thanks for the Initial Script: Ameer M.)
  • 48. Evernote as an Intel Repo: EN Search
      • How to Find All the Data Thrown into Evernote
          – Tags
          – Basic Search
          – Advanced Search
              • Specific Notebooks, Tags, Terms, Dates
              • "AND" Boolean Support
      • Example
          – Search for an IP & Find a Note
          – Run a Secondary Search Around That Timeline
          – Discover Similar Happenings
      • Saved Searches (e.g., Case Tracking)
  • 49. Evernote as an Intel Repo: Beyond OSINT
      • Inputs
          – Intel Sharing
              • Shared Evernote Notebook for the Partner Group
              • Create a Note, Place It in the Shared Notebook to Distribute, & Use Standard Tags to Track
          – Other: Logger, SIEM
      • Analysis
          – Case Tracking
              • Evernote Notebook with a Note per Investigation
              • Establish a Note Template, with Tags to Identify Workflow State (e.g., Open, Working, Closed)
          – Other: Indicator DB, Adversaries, Campaigns, …
  • 50. Evernote as an Intel Repo: Summary - Inputs
      Column key: !.When = Priority, Confidence, Rep; ].What = Data Type; @.Where = Workflow or State; ^.Who = Source or Who Added/Updated
      • OSINT DB
          – ].OSINT DB: ]NVD, ]Exploit-DB, ]Zeus Tracker
          – @.OSINT DB: (no tag -> new), @Useful, @Useless
          – ^.OSINT DB: ^NIST, ^Offensive S., ^Abuse.ch
      • Intel Sharing
          – ].Intel Sharing: ]DIB, ]FS-ISAC
          – @.Intel Sharing: (no tag -> new), @Relevant, @Irrelevant
          – ^.Intel Sharing: ^Co. A, ^Co. B, ^Co. C
      • Logger
          – ].Logger: ]Web Logs, …
          – @.Logger: (no tag -> new), …
          – ^.Logger: ^NovaInfosec, …
      • SIEM
          – ].SIEM: ]Site Lockout, ]File Change
          – @.SIEM: (no tag -> new), @Investigating, @Reviewed
          – ^.SIEM: ^NovaInfosec
  • 51. Evernote as an Intel Repo: Summary - Analysis
      Column key: !.When = Priority, Confidence, Rep (only tag if relevant); ].What = Data Type (** Primary Tags, used to cross-reference); @.Where = Workflow or State; ^.Who = Source or Who Added/Updated
      • Case Tracking
          – !.Case Tracking: !High, !Medium, !Low
          – ].Case Tracking **: ]CAS10000, ]CAS10001
          – @.Case Tracking: @Inbox, @Working, @Closed
          – ^.Case Tracking: ^jsmith, ^acren
      • Indicator DB
          – !.Indicator DB: !HVI, !MVI, !LVI
          – ].Indicator DB **: ]192.168.2.50, ]smith@tch.com
          – @.Indicator DB: @Suggested, @Active, @Inactive
          – ^.Indicator DB: ^jsmith, ^acren
      • Adversary
          – !.Adversary: !Important, !Not Important
          – ].Adversary **: ]ABC, ]DEF
          – @.Adversary: @Proposed, @Tracking, @Dormant
          – ^.Adversary: ^jsmith, ^acren
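The search-and-pivot example from the EN Search slide, and the workflow-state and cross-reference conventions of the two Summary slides, worked over a local mirror of the note store as an added example in Python (not the author's code or Evernote's). It assumes notes are mirrored as plain records, that tags follow the !When / ]What / @Where / ^Who scheme with at most one @ state per heading, and that the primary ]identifier of a case (e.g. ]CAS10000) is copied onto the indicator and adversary notes that belong to it; that last point is this example's reading of "Primary Tags (**) Used to Cross-Ref". The notes in STORE are constructed. `evernote_query` renders the same filter in Evernote's own search grammar so the local result can be reproduced in the client.

```python
"""Find, pivot, re-state and cross-reference notes in a local mirror of the
Evernote store.  Added example, not the author's code; the notes in STORE
are constructed and the tag scheme follows the deck's Summary slides."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Note:
    title: str
    body: str
    created: datetime
    tags: set


# @Where states per heading; a note carries at most one of them.  The heading
# tag itself ("@.Case Tracking" etc.) only groups the states in Evernote.
WORKFLOW = {
    "OSINT DB": {"@Useful", "@Useless"},            # no tag -> new
    "Intel Sharing": {"@Relevant", "@Irrelevant"},  # no tag -> new
    "SIEM": {"@Investigating", "@Reviewed"},
    "Case Tracking": {"@Inbox", "@Working", "@Closed"},
    "Indicator DB": {"@Suggested", "@Active", "@Inactive"},
    "Adversary": {"@Proposed", "@Tracking", "@Dormant"},
}

# Constructed sample store (not real data): one host seen by an OSINT feed,
# the SIEM and the logger, then a case and an indicator opened on it.  The
# case's primary tag ]CAS10000 is copied onto the indicator note (assumption
# about how the deck's "Primary Tags (**) Used to Cross-Ref" is applied).
STORE = [
    Note("Zeus C2 203.0.113.45", "C2 panel at bad-panel.example (203.0.113.45)",
         datetime(2015, 9, 1, 8, 0), {"]Zeus Tracker", "^Abuse.ch"}),
    Note("Site Lockout jsmith", "12 failed logons, source 203.0.113.45",
         datetime(2015, 9, 2, 14, 30), {"]Site Lockout", "^NovaInfosec", "@Investigating"}),
    Note("Web Logs 2015-09-02", "GET /gate.php from 203.0.113.45 -> 200",
         datetime(2015, 9, 2, 15, 5), {"]Web Logs", "^NovaInfosec"}),
    Note("CVE roundup", "unrelated vendor advisory",
         datetime(2015, 8, 1, 12, 0), {"]NVD", "^NIST"}),
    Note("CAS10000 suspicious beaconing", "opened from the lockout alert",
         datetime(2015, 9, 3, 9, 0), {"]CAS10000", "!High", "@Inbox", "^jsmith"}),
    Note("Indicator 203.0.113.45", "C2 host tied to the case",
         datetime(2015, 9, 3, 9, 10), {"]203.0.113.45", "!HVI", "@Suggested", "^jsmith", "]CAS10000"}),
]


def search(store, keyword=None, tags=(), since=None, until=None):
    """Local equivalent of Evernote's ANDed terms: every condition given must hold."""
    out = []
    for n in store:
        if keyword and keyword.lower() not in f"{n.title} {n.body}".lower():
            continue
        if not set(tags) <= n.tags:
            continue
        if since and n.created < since:
            continue
        if until and n.created > until:
            continue
        out.append(n)
    return out


def pivot_around(store, note, days=2):
    """Step two of the EN Search slide: having found one note, pull everything
    else that landed in the bucket within +/- days of it, whatever its source."""
    window = timedelta(days=days)
    return [n for n in search(store, since=note.created - window, until=note.created + window)
            if n is not note]


def set_state(note, heading, new_state):
    """Move a note to a new @Where state under one heading, keeping exactly one."""
    allowed = WORKFLOW[heading]
    if new_state not in allowed:
        raise ValueError(f"{new_state} is not a {heading} state")
    note.tags -= allowed
    note.tags.add(new_state)
    return note


def crossref(store, primary_tag):
    """Everything carrying a primary ]identifier, e.g. all notes belonging to CAS10000."""
    return search(store, tags=[primary_tag])


def evernote_query(keyword=None, tags=(), notebook=None, since=None):
    """The same filter in Evernote's search grammar: notebook: must come first,
    tag values containing spaces are quoted, created: takes YYYYMMDD."""
    parts = []
    if notebook:
        parts.append(f'notebook:"{notebook}"')
    for t in tags:
        parts.append(f'tag:"{t}"' if " " in t else f"tag:{t}")
    if since:
        parts.append("created:" + since.strftime("%Y%m%d"))
    if keyword:
        parts.append(keyword)
    return " ".join(parts)


if __name__ == "__main__":
    first = search(STORE, keyword="203.0.113.45", tags=["]Zeus Tracker"])[0]
    print("pivot:", [n.title for n in pivot_around(STORE, first)])
    print("case notes:", [n.title for n in crossref(STORE, "]CAS10000")])
    print(evernote_query("203.0.113.45", ["]Zeus Tracker"], "OSINT DB", first.created))
```

Running it, the pivot around the Zeus Tracker hit surfaces the SIEM lockout and the web-log entry from the next day, which is the "discover similar happenings" step of the slide; `set_state` is what a saved search for `tag:@Working` relies on, since two @ states on one note would make such searches lie.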
  • 52. Evernote as an Intel Repo: Show & Tell
  • 53. Alternatives
      • Log Management Solutions
      • SIEMs
      • Others
  • 54. Future
      • More/Improved OSINT Resources
          – Deconflict Sites with Multiple Feeds & Add if Needed
          – File-Based Pulls (script / replace existing RSS)
          – Vendor APT Reports
          – News Blogs: Track Happenings Around a Specific Period
          – Integration with CIF to Centralize/Tag Data
      • Improved/Formalized Tagging Structures
      • API Automation (e.g., auto-tagging IP addresses)
      • 3rd-Party App that Uses Evernote as the Backend
  • 55. Conclusion
      • Lots of Point Solutions, but None Bring It All Together Like Good Ol' Evernote
      • Start with Evernote to "Figure Stuff Out"
      • In the End, Determine the REAL Requirements
          – Solution Fine As Is
          – Build In-House / Buy a Full-Out Commercial Solution
  • 56. Questions?
      • Twitter: @grecs
      • Website: NovaInfosec.com, @novainfosec
      • Contact: http://bit.ly/nispcontact (Questions/Consulting)