Monday, November 11, 2013

MIRCon 2013 - It's a wrap



MIRcon 2013 - What Really Happened

My first MIRcon is in the books and I have to say it was a great experience from start to finish. The agenda, food, staff, accommodations, and attendees were all top notch. Some people may complain based on the fact that this year’s conference was the first year they started charging, however I would find it very hard to believe it was for any profit, but more to slightly offset the costs which I think far exceeded any registration fees. I also really love the fact that the conference is relatively small. I believe this is what people want compared to the horribly overcrowded RSA & Blackhat experience. I also heard they were considering adding a more technical 3rd track and I think that would be a great idea. Also, how about hosting a capture the attacker event? How cool would that be.

Richard Bejtlich, Chris Bream, Kevin Mandia, and Grady Summers all brought their A game and delivered a home run in terms of their speaking and moderating. Everything ran smoothly, great questions were asked, and I never noticed any audio/video problems that plague many other conferences. My only complaint was that a certain privacy fanatic, who anyone who was following twitter knows who he is, kept submitting anti-NSA or anti-gov questions over and over, drowning out potential questions that may have been more relevant and insightful. My response to him is, please take that to a privacy or EFF conference. While I value constitutional rights as much as anyone, this was an incident response focused event.

My first night there I was able to attend an excellent dinner for the North/Central Mandiant customer base at Old Ebbitt Grill. I highly recommend the crab cakes, but that’s pretty much my staple meal while in the DC area. I got to have some great discussions with a lot of Houston-based energy people and even some large financials. They are doing a lot of great proactive things and it’s always good to talk with like-minded people passionate about security. I also learned a new term (Sidecar) for people who run their own MIR in addition to Managed Network Defense.

Following a kick off from Richard Bejtlich, Kevin Mandia detailed some very timely ideas. We must learn to cope with our IT posture eroding over time. How do we address that in an ongoing, programmatic way? IT is proliferating exponentially faster than our security frameworks' ability to protect it. He also implored the audience to adopt a community driven approach. Don’t hunt alone; hunt in packs and good things will follow.

Grady Summers then led a panel talking about some new trends emerging in the last year. They are seeing an increased use of encrypted C2 and C2 taking advantage of public services, for example proxying your encrypted C2 configuration file through a Google or Bing translate service. This can and should be detected by analyzing the URL contained in the URI of the GET request. Use of the Gmail calendar and MSN chat were other C2 methods discussed. They did state they are seeing a reduction in the use of malware, however I’m not sure I agree with that. Perhaps it’s a sign that the attackers are spending less time on the initial foothold and more time moving about your infrastructure with legit credentials. There was time spent on discussing how attackers are more easily able to blend in with the noise by backdooring SSH or hijacking Outlook via MAPI. And of course, the old reliable vector of partner VPN access. They did highlight the fact that Mandiant customers over the last year have been able to reduce their time to detect a compromise from ~416 days to ~243 days. While not anywhere remotely good, at least it’s a large improvement. Someone also recommended Raytheon’s SureView product.
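The URL-in-the-URI check described above, as an added detection sketch (not code from the panel or from Mandiant). It scans proxy log lines for requests to a translation front end, pulls out any URL carried in the query string, and flags the ones that look unlike a person translating a page. The host list, the extension list, the repeat threshold and the log format are all assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Assumption: translation front ends to watch; extend for your environment.
TRANSLATE_HOSTS = {"translate.google.com", "www.microsofttranslator.com"}
# Assumption: extensions a person is unlikely to ask a translator to render.
NON_DOCUMENT_EXT = (".txt", ".cfg", ".dat", ".bin", ".ini", ".jpg", ".png")
# Assumption: one client fetching the same embedded URL this often is worth a look.
REPEAT_THRESHOLD = 3

# Constructed sample proxy log, format: "<time> <client> <method> <url>".
SAMPLE_LOG = """\
2013-11-05T09:00:01 10.1.1.20 GET http://translate.google.com/translate?sl=auto&tl=en&u=http%3A%2F%2Fnews.example.org%2Farticle.html
2013-11-05T09:05:00 10.1.1.31 GET http://translate.google.com/translate?sl=zh-CN&tl=en&u=http%3A%2F%2F198.51.100.7%2Fimg%2Fupdate.jpg
2013-11-05T09:35:00 10.1.1.31 GET http://translate.google.com/translate?sl=zh-CN&tl=en&u=http%3A%2F%2F198.51.100.7%2Fimg%2Fupdate.jpg
2013-11-05T10:05:00 10.1.1.31 GET http://translate.google.com/translate?sl=zh-CN&tl=en&u=http%3A%2F%2F198.51.100.7%2Fimg%2Fupdate.jpg
2013-11-05T10:10:00 10.1.1.44 GET http://www.example.com/index.html
2013-11-05T10:12:00 10.1.1.52 GET http://www.microsofttranslator.com/bv.aspx?from=&to=en&a=http%3A%2F%2Fcdn.example.net%2Fconf.txt
"""


def embedded_urls(url):
    """Return http(s) URLs carried in the query string of a translate request."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return []
    if (parts.hostname or "").lower() not in TRANSLATE_HOSTS:
        return []
    found = []
    # Check every parameter value rather than relying on one parameter name.
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        try:
            inner = urlsplit(value)
        except ValueError:
            continue
        if inner.scheme in ("http", "https") and inner.hostname:
            found.append(value)
    return found


def reasons_for(inner_url, repeats):
    """Explain why an embedded URL deserves analyst attention."""
    inner = urlsplit(inner_url)
    reasons = []
    try:
        ipaddress.ip_address(inner.hostname)
        reasons.append("ip-literal-host")
    except ValueError:
        pass
    if inner.path.lower().endswith(NON_DOCUMENT_EXT):
        reasons.append("non-document-extension")
    if repeats >= REPEAT_THRESHOLD:
        reasons.append("repeated-fetch")
    return reasons


def analyze(log_text):
    """Map (client, embedded URL) to the list of reasons it was flagged."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split(None, 3)
        if len(fields) != 4 or fields[2] != "GET":
            continue
        _time, client, _method, url = fields
        for inner_url in embedded_urls(url):
            hits[(client, inner_url)] += 1
    findings = {}
    for (client, inner_url), count in hits.items():
        reasons = reasons_for(inner_url, count)
        if reasons:
            findings[(client, inner_url)] = reasons
    return findings


if __name__ == "__main__":
    for (client, inner_url), reasons in analyze(SAMPLE_LOG).items():
        print(client, inner_url, ", ".join(reasons))
```

An ordinary page translation (the first log line) produces no finding; only the embedded URLs that trip a heuristic are returned.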

Eric Hutchins gave a nice overview and demo of the iPython Analyst Notebook. The primary driver for this is to effectively share tools and analysis between team members. The goal is to improve your depth of documentation. He highlighted the key attributes as Results, Methodology, and Means. This would be useful in any team, but especially in large, geographically dispersed teams with people of differing skill levels. iPython is not multi user yet, however it is on the roadmap. I believe the killer feature of the app was the ease with which you can share your scripts and have others use, improve, and validate your work. He has released his scripts on GitHub and nbviewer.ipython.org has some other examples.

Next I attended a talk on Rapid Response by Shanna Battaglia and Mike Scutt, both of Mandiant. The key questions they are trying to answer upfront in order of speed are:

  • How is the adversary communicating?
  • How did they get in?
  • What are they going to do next?

Some of their favorite techniques include getting command line strings from CSRSS and CONHOST, reviewing prefetch, and looking for explicit logons.

Zane Lackey of Etsy (codeascraft.com) had some great ideas in his talk on Attack Driven Defense. Key recommended operations goals included:

  • raising the cost to the attacker
  • increasing your odds of detection
  • defending based on real attack data

He said we can save ourselves a lot of pain by analyzing which Certificate Authorities your company is actually using regularly and removing the ones used rarely. This could possibly prevent a DigiNotar type compromise. I loved his quote on using laziness as a weapon to make it harder for people to use insecure technologies, but easy to use secure software. He also highly recommended finding ways to incentivize users to report suspicious activity.

Jennifer Kolde gave a great talk on the Art of Threat Intel. Threat Intel is not 10yr old attack data, not hypothetical, and must be something existing or emerging. Some of the key benefits of Threat Intel include faster identification of the enemy and being able to successfully anticipate their next moves. Indicators vary in uniqueness, proximity, and fidelity. Proximity was a very important concept. The farther your data point is from the actual attack, the less relevance or confidence it might have. Primary indicators include raw data directly involved in the attack, such as the spearphish email or malware binary. We don’t need to “Attribute All The Things”. That’s just silly and futile. Mistakes are a part of the process and always will happen. It’s important to review your previous attributions and reanalyze them for changes. I was very excited that my question was selected and asked to Jennifer. It was “What are key requirements or capabilities for a small, non-DIB company to start an effective threat intelligence program?” Her answer was:

  1. At least 1 dedicated person to review and analyze attack data
  2. Have a primary focus on your attack data, not other publicized attacks
  3. Identify and track relevant indicators
  4. Correlate those indicators to see where patterns of behavior overlap

I really liked this presentation; however I can’t wait until people (anyone) start talking tradecraft. The non-security and non-DIB companies need your help.

Robert Mueller gave an interesting talk. I had no idea he was never an agent and came up through the legal system. He said it’s important to remember that behind every computer there is a person. And you cannot fight cyber problems with just cyber capabilities. You need to integrate other areas of expertise and tools. He had some very great advice for dealing with bureaucracies. Ignore people's embellished job titles and focus your energy on the people respected in the organization who get things done. He often jumped to the bottom line and said “What is the issue?” point blank to the people coming into his office needing a decision. Also how and when you delegate is often your most important decision. Sometimes micromanaging is absolutely required until you build trust. His primary example was the failed FBI VCS system, which was ultimately cancelled and delivered by a new contractor. I did get the impression that cyber issues were a very distant third to the other top two priorities of Counter Terrorism and Counter Intelligence. He did close by stating that complete destruction of data was his biggest fear when it comes to cyber-attacks, which surprised me because I expected something with kinetic damage to come from him.

Of course the Mandiant Code of Arms reception that followed was amazing. There was great food and even better beer. The beer snobs were happy. I also got to catch up with some old buddies and meet new friends. A nice after party followed over at the top of the W, where Mandia made a surprise appearance.

The next morning, General Hayden gave an impressive keynote. Everything he said was dead on and insightful. He conjectured that the Cyber Revolution is the most disruptive event since the Europeans discovered the western hemisphere. Some people believe that our entire brain cognitive functions and the way we interact with people is in a state of flux. Spending 8hrs a day with a computer literally changes the pathways in your brain according to some scientists. He gave a great summary of all the cybercrime activity in the post-soviet space. Confirming what we all know, that the Russians allow them to operate as long as they attack outwards and do their bidding when asked. He also pondered what will happen when the hacktivists start to increase their skills and expertise? That isn’t going to be good for anyone. It will likely get worse before it gets better. The US government is chronically “late to need”. In its current form, timely help is unlikely. He recommended reading published works from Stewart Baker, his former General Counsel at the NSA. General Hayden said we have not made it clear what we want or will allow the federal government to do to defend US cyberspace. For instance, GCHQ in the UK has significantly more authority to defend cyber interests than the US. We have advanced capabilities that are sitting on the sidelines until authorization and legislation clears a path forward. In a post Snowden era, nothing productive will occur for the next few congressional sessions. This includes improving government and private information sharing. He did say that awareness of cyber threats has clearly risen however. 5 years ago they had to call CIOs. Today CEOs are calling them for help. The new standard is assumption of breach and survival while penetrated. Good threat intel can stop you from having to defend against everything, because you have more details to focus on the specific threats aligned against you.
I left this talk thinking not only is this guy extremely smart, but grateful that he was in a position to protect us.

Next I attended a very different talk by Lhadon Tethong of the Tibet Action Institute. The state of affairs in Tibet is horrible, where Chinese oppression and violence goes largely unreported. In fact, no media is allowed to enter Tibet. This is notable because even North Korea allows journalists to visit. Tibet has been occupied for over 60 years and photos of the Dalai Lama are illegal. Because they had little technical expertise and even less funding, they endorsed a very aggressive and broad-based user awareness campaign. The sample video clip she played for the audience was funny and memorable. I can see it working and would love to play that for my users. Some notable things that came out of the talk were that at one point, the Chinese had tampered with their smartphones. During the lead up to the Olympics all their phones got stuck in a loop calling each other. Or sometimes playing horrible torture sounds. The CitizenLab group they work with believe the intrusion set they are dealing with are trainees looking to gain experience before moving on to more advanced operations and more well defended targets. Also mentioned was that both WeChat and TomSkype have Chinese backdoors. They have also done analysis to map out which keywords in conversations trigger further surveillance. Knowing this can add some protection. When asked by the audience on how we could help I was surprised by the answer. I felt like there was some fear in the answer and not being able to trust and vet anyone that might want to help them. Overall this was a great story to hear and really drives home the point that in this particular cyber conflict, there is a definite life or death risk.

My last talk that I attended was by Liam Randall covering uses for Bro in the ICS/SCADA space. He stated that there is a lot of FUD in the industry, and yet few are talking about details of actual attacks. At the end of the day, most of these devices are simply computers running embedded Linux. Check out CVE-2013-2802. BuildRoot can be used to create an embedded Linux appliance quite easily. The Carna Botnet aka The Internet Census 2012 was a publicized attack on video cameras. His new code snippets will be published on GitHub.

The next day I had the pleasure of attending the Customer Advisory Board meeting. This was a tremendous opportunity for me to help influence the direction of product development and also hear what my peers think. A lot of people are creating customizations and integrations to extend the capability of MIR and I only see good things to come with MSO and future Mandiant products.

In conclusion, I would highly recommend this conference to others. From c-levels to front line responders, it provides a lot of value and direction. I hope the conference continues to remain small and I look forward to attending in the future.


Thursday, March 28, 2013

Threat Intelligence Learning Plan

So over the last few years, there seems to be a trend of non-DIB companies starting to build internal threat intelligence teams and a big spike in security companies offering it as a subscription service. Ten years ago a paid service got you vulnerability alerts, some open source geopolitical information, and dated commodity botnet information. This space has matured quite a bit, even though some providers are simply repackaging free indicator feeds and CVEs as threat intelligence. I think the value proposition is there by using intelligence to reduce the dwell time of an adversary and potentially on a good day thwarting the attacks from the start. I think the formation of strong, sector specific intelligence sharing groups will be key to being better defenders. Having had access in the past to great intelligence via clearances, I know what a huge advantage it is. Hence my strong interest in the subject. At the same time, I have little traditional intelligence analysis experience. Most of what I do is usually indicator centric. Harvest, hunt, rinse and repeat. What I am listing below are some things I would be interested in learning in the format of a pseudo-conference.

Collect
CIF (Collective Intelligence Framework) Workshop - Building and Integrating into Splunk - Kyle Maxwell
MITRE Analyst for a Day - Deploying & Leveraging STIX, CRITS, ChopShop, CybOX, MAEC, CAPEC, TAXII - Reid Gilman
Diggity Workshop - Monitoring the Interwebs for Company Leaks - Stach & Liu
Mining Chinese Media for Intel Gold - Aaron Wade
Building and Safely Maintaining a CyberPersona - iDefense - Yes I used the term Cyber
Intel Provider 360 - Each intel subscription provider has 6 mins to make the case as to why they are the best
Business DevOps - Case Study on getting business buy-in on sharing M&A, divestitures, JV, etc information with IT Security - Has anyone ever done this?
All UR C2 Belong 2ME - Effective Decoding & Monitoring of CN APT Command & Control - Joe Stewart
Automating Collection of APT malware from Public Sandboxes - Wesley McGrew

Analyze
Prickly Panda - How we build behavior-based attribution - Adam Meyers
Night Dragon Redux - Current TTPs of groups targeting the Energy Sector - Dmitri Alperovitch
Intel Fusion Lockheed Style - Finding and tracking Campaigns - Mike Cloppert
Conducting Effective Intelligence Analysis - Richards Heuer
The Advanced Non-Chinese Threat - Survey of RU, IR, IL, KP Activity - Patton Adams
Don't be a victim of Badtribution - Billy Leonard
Burning Sykipot - Jaime Blasco
APT1 Where are they now? - Doug Wilson
How a journalist does research and attribution - Brian Krebs

Disseminate
The Making of "The Report" - Mandiant
CEO Round table - What I want in an intelligence team & report - Moderator - Richard Bejtlich

Counter Intelligence
Deceptions Operations - Fooling the Adversary - PaulDotCom
Honeypots that Sting - Alexey Sintsov
Maintaining OPSEC during an incident - Bamm Visscher

Dox2Pwn - Winner of this contest has made the best new attribution as voted by peers of an individual CN PLA or PLA-sponsored computer network operator

Friday, March 22, 2013

SANS Cyber Threat Intelligence Summit 2013

     I recently attended the first SANS CTI Summit in Washington DC. While there was plenty of brain power in the room, and good discussions were to be had, overall it was just ok. There was a big focus on what CTI is and why you should be doing it, or at least consuming it. There wasn't enough discussion, aside from one talk, on how you should be doing it. It basically reinforced my beliefs that this is still very much a small, closed off club of insiders, where nobody is sharing tradecraft. I love that SANS is getting involved in this space though, and it sounds like Mike Cloppert will be writing a SANS course on Threat Intelligence in the future. I would very much be interested in that and I expect it would sell out quickly.

     Mike Cloppert opened the day by discussing the old vulnerability centric approach focused on reducing attack surface as opposed to the new threat centric model focused on reducing the risk of the actual threats affecting your company. The key focus of CTI is people, not computers. The problem is actually too complex for technology to solve and requires human analysis. Computers are only tools. The goal of the summit is to educate people on the basic principles of CTI and what the components are. Based on that, I believe they achieved their objectives.

     Greg Rattray led off with his keynote: "Evolution of Cyber Threats and Cyber Threat Intelligence". He wrote Strategic Warfare in Cyberspace 12 years ago and it's still relevant today. He referenced a 1991 study that concluded it is impossible to defend a system from an advanced and motivated adversary. Even back then, they knew problems would arise. He reiterated that it's not a technology problem, but an adversary problem. Throughout history, espionage has always been a constant. Pre-Internet everything was Public Switched Telephone Network (PSTN), and Signals Intelligence (SIGINT) and Counter SIGINT was the dominant battlefield. The NSA Orange book helped lay the foundation for secure computing. In the 1990s, there was more speculation on the national security impact of Computer Network Operations (CNO) and Information Warfare (IW). The use of IW in the 1st Gulf War set the standard other countries are trying to emulate. At the time it was predicted that in 10-12 years nation state cyber attacks would emerge. That turned out to be fairly accurate. Journalists have also done a fantastic job of doing attribution of the attacks versus the victims who typically focus on cleanup. Solar Sunrise was a notable hacking event in 1998 involving a US-based, Israeli-led hacking group of teenagers infiltrating many government agencies and EDUs. Moonlight Maze was another newsworthy incident never confirmed, but believed to be Russian in origin. With the EP3 collision there was also new focus on patriotic non-government hacking. JTF-CND was one of the first network defense groups that started to do predictive analysis. A dark period in cyber occurred after 9-11, when there was a major shift in focus to counter terrorism and supporting Centcom. Cyber took a backseat for a long time. A new area of concern was raised when a Chinese company (China Netcom) tried to buy Global Crossing, which threatened the telecommunications infrastructure and supply chain. Many of the threat assessments of the time were skewed because they focused only on the top tier cyber personnel and not the overall programs. This led to the Intelligence Community (IC) not believing China (CN) was as advanced as they actually were. Eventually we had the rise of APT, and improved attribution capability, and new focus on ICS/SCADA. Today we are in an era of rising fear. To be clear, espionage is not an attack or cyber war. However, threats like Stuxnet, Shamoon, and Flame have caused major disruptions. The cyber neighborhood is getting rough, especially for banking and critical infrastructure. DDoS attacks, while previously written off, are becoming more agile from the attackers' side and are wasting away CIRT resources. He stressed that we need to be careful how we categorize risk and be methodical. Information sharing is improving and we are on the right path. He is a strong advocate for commercial services and doesn't necessarily believe government is the solution. He advises you to attack the various stages of the kill chain to disrupt the adversary, even if you can't do all of them. What's missing today is that cyber teams don't talk to the business operations teams about operational risk. We need full spectrum geeks who are analytical, but still know the business environment and strategic impact. He suggests that we avoid the militarization of cyber space as this will just escalate our problems. He recommended a book called Eating Soup with a Knife. He believes that signal (RF) jamming, while mostly applied to aircraft and boats today, will be applied in cyber conflicts. He also advises leveraging a global outlook, and not clouding your judgement with US-centric viewpoints. In conclusion, he said that to stay competitive we must continue to learn and collaborate. In follow up Q&A, it was stated that the media is perpetuating misconceptions by calling espionage cyberwar or cyberattack. The topic of government purchase of exploits came up. Greg believes in the law of supply and demand, and that if the demand goes down, so will the supply.

     Rick Holland presented "If it Bleeds, We Can Kill It: Leveraging CTI to take the fight to the adversary". He used a Predator theme, which was awesome. He led off by stating that tools and big data are not your savior. He defined CTI as information about external threat actors and active external threats. He referenced the Order of Battle and learning what an adversary looks like. When looking at Intel providers ask them what makes their service unique. Do they have the same indicators that everyone has? In the Intelligence Cycle, it's critical to achieve dissemination and get the information to the stakeholders. Otherwise all that work is for naught. Always leverage Alternate Analysis: question your judgement & assumptions and apply a high level of rigor to your analysis. Vendors typically don't do this. He made a recommendation for the Clancy book Threat Vector. He also referenced Active Defense Harbinger Edition (ADHD), an active defense toolkit promoted by PaulDotCom. Always focus first on what assets need to be protected. Enable IR teams autonomy to make critical decisions. It takes a long time for an in house intel team to mature, so you must get and maintain your executive buy in. He made a great point that as you thwart the adversary, the adversary adapts. Whereas Dutch (Schwarzenegger) in Predator used mud to hide from the Predator, the next generation predator could detect that and the game changed. Intel sources can be internal, government (DHS, FBI, etc), industry (partners, ISACs, vertical orgs), and providers (iSight, LookingGlass, iDefense, RSA, Seculert). He mentioned that OpenIOC is being picked up by FireEye and PaloAlto. Also a mention of MITRE CybOX & STIX. In conclusion, CTI is a marathon, not a sprint. I couldn't agree more. We need to end the shiny object syndrome in general.

     There was a panel on Best Practices in CTI including Rich Barger, Shane Huntley, Chris Sperry, Aaron Wade, and Mike Cloppert. The opening remark was Intel needs to have a customer. You need to know who you support and why. Follow the basic model: Collect -> Analyze -> Disseminate. Present data that can be used to make decisions, not screenshots of IDApro (analyst pr0n). Organizations are their own best source of intel. You need to extract all intel from your own attacks, create threat profiles, and intel priorities. However know your limits. How usable is the intel? Consider the volume, because you have to be able to process and store it. The pivot analysis approach: move across data sets and leverage business knowledge. Capture how the adversary behaves in each stage of the campaign. Threat researchers need to understand which attacks are likely based on real intel-driven data, not some esoteric theoretical attack. Aurora forced Google to make a major change from windows, and other platforms. Now that has come full circle and Mac threats have increased. Success is measured in blocks and thwarted attacks. You have to limit CTI efforts to crown jewels, you can't cover everything. You always want first order data, in order to verify analysis. My favorite quote was by Aaron Wade: "Intelligence without context is just data". You need to go back and ask for more information and not trust by default. OSINT can be good, but an internal investment in a threat intelligence team is still ideal. Any hop point monitoring should be done within the law. You should also coordinate with other organizations hitting the same hop point. There was a repeated theme of a big boys club, develop sharing agreements with organizations that are mature. A major lesson learned is NOT to rush to attribution based on a single source. It is extremely hard to recover from bad intel reports. It's important to assign confidence ratings to analysis to maintain credibility. You should be familiar with the Intelligence Gain/Loss Equation. How risk tolerant is your organization? Can they wait and see to derive more intel or do they adhere to the knee jerk approach?

     Mike Gordon presented "Building and Operating a Cyber Threat Intelligence Team". This was a very polished, well delivered presentation and it felt like it was one he had given to his leadership. I think it's clear LM-CIRT is the team everyone wants to emulate. LM sees 1.75 Billion sensor events/day, 30 million emails/week, 1.2 million blocked web requests and holds 1 month of full pcap and operates 572 facilities in 63 countries. Their team is broken into 4 units: Investigations (Forensics, eDiscovery), Intrusions (APT, Intel Fusion), CyberCrime (Insider Threat, Commodity Attacks), and Engineering (IT Support). Their model includes Corporate Culture, User Education (Awareness, Training, Security Testing, Metrics, Analysis), Defendable Networks (Reduce gateways, infrastructure hardening, threat driven program), and Trade craft (Intel, Incident Response). They mock phish all 120K of their users, including the CEO. The 1st fail results in training and retesting. The 2nd fail results in a call with their management. The 3rd fail results in some form of HR discipline. I thought that was incredible and indicative of the executive support they have. At some point in their history, they concluded that vendor driven response wasn't good enough. Commercial offerings could not keep up with the pace of threats. They embraced creating their own custom tools. He coined the term memorializing indicators so you don't forget about them, their context and associated metadata. Track your attacks over time and the patterns can reveal a campaign. Intrusions expose behaviors, behaviors suggest linkages, linkages reveal patterns, patterns inform actions, actions determine success. You can measure your success based on how much was stopped due to internal vs. external intel. To track work load, keep count on the number of intel reports that are processed per month. Three models presented were: Tsunami Warning (info sharing, intel consumption, group detection), Farmers Almanac (Campaign tracking, trending, forecasting), and Actual Early Warning (LE & IC have actual knowledge of pending attack). I wish I had taken some pictures of his slides as they were chock full of good concepts and metrics. Hopefully they are shared out at some point.
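Tracking attacks over time until the patterns reveal a campaign, and the "correlate those indicators to see where patterns of behavior overlap" step from Jennifer Kolde's answer in the MIRcon post, can be sketched as follows. This is an added example, not LM-CIRT's or anyone else's tooling: incidents are linked when their shared indicators carry enough weight, and linked incidents are merged into campaigns with union-find. The incident records, the per-type weights and the link threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Assumption: how much one shared indicator of each kind counts toward a link.
# A shared IP alone (weight 1) is too weak to tie two incidents together.
WEIGHT = {"md5": 3, "domain": 2, "sender": 2, "ip": 1}
LINK_THRESHOLD = 2

# Constructed "memorialized" incidents: indicators kept with their context.
INCIDENTS = [
    {"id": "IR-001", "date": date(2013, 1, 14), "indicators": {
        ("domain", "update.example.net"), ("sender", "hr@example.org"),
        ("ip", "203.0.113.10")}},
    {"id": "IR-002", "date": date(2013, 2, 2), "indicators": {
        ("domain", "update.example.net"), ("md5", "CONSTRUCTED-HASH-A"),
        ("ip", "203.0.113.99")}},
    {"id": "IR-003", "date": date(2013, 3, 20), "indicators": {
        ("md5", "CONSTRUCTED-HASH-A"), ("sender", "jobs@example.org")}},
    {"id": "IR-004", "date": date(2013, 2, 10), "indicators": {
        ("ip", "203.0.113.10"), ("domain", "cdn.example.com")}},
    {"id": "IR-005", "date": date(2013, 4, 1), "indicators": {
        ("domain", "cdn.example.com"), ("sender", "billing@example.com")}},
]


def link_score(a, b):
    """Sum the weights of the indicators two incidents have in common."""
    return sum(WEIGHT.get(kind, 0) for kind, _ in a["indicators"] & b["indicators"])


def find_campaigns(incidents):
    """Group incidents that are linked directly or through other incidents."""
    parent = {inc["id"]: inc["id"] for inc in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for n, a in enumerate(incidents):
        for b in incidents[n + 1:]:
            if link_score(a, b) >= LINK_THRESHOLD:
                parent[find(a["id"])] = find(b["id"])

    groups = defaultdict(list)
    for inc in incidents:
        groups[find(inc["id"])].append(inc)

    campaigns = []
    for members in groups.values():
        if len(members) < 2:
            continue  # a single incident is not yet a pattern
        members.sort(key=lambda inc: inc["date"])
        seen = defaultdict(set)
        for inc in members:
            for indicator in inc["indicators"]:
                seen[indicator].add(inc["id"])
        campaigns.append({
            "incidents": [inc["id"] for inc in members],
            "first_seen": members[0]["date"],
            "last_seen": members[-1]["date"],
            # Indicators that recur inside the campaign are the ones to hunt on.
            "recurring": sorted(i for i, ids in seen.items() if len(ids) > 1),
        })
    campaigns.sort(key=lambda c: c["first_seen"])
    return campaigns


if __name__ == "__main__":
    for c in find_campaigns(INCIDENTS):
        print(c["first_seen"], c["last_seen"], c["incidents"], c["recurring"])
```

IR-001 and IR-003 share nothing directly but land in the same campaign through IR-002, while the IP shared by IR-001 and IR-004 is too weak on its own to merge the two campaigns.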

     My favorite talk of the day was hands down, Reid Gilman's "Creating Threat Intelligence: Tools to Manage and Leverage Active Threat Intelligence". The company MITRE is a non-profit, dedicated to federal research. Reid works in MITRE's Cyber Threat Analysis Cell. Some of his keys to success are:
1 - CTI Program - multi-sourced, disciplined warning process, know your enemy in your sector
2 - Strong Malware Analysis program
3 - Dev Ops - a staff of solid programmers, to create custom tools
4 - Incident Response baked into defensive posture aka Assumption of Breach
5 - Workforce culture of Security Awareness

CRITS (Collaborative Research Into Threats) - track adversary artifacts over time. The demo was very impressive, due to its feature set. This tool looks more user friendly than many others I have seen. (MongoDB)

ChopShop - understand how adversaries use tools. The demo included live decoding of a gh0st C2 channel. ChopShop has standard libraries like timestamp extraction and XOR decoding for pcaps.
He mentioned that it's important to not confuse operator actions vs automated actions.
TTPs: Targeting, Tools, Infrastructure, Kill Chain
Campaign: Intrusion Attempts + TTPs over time
(github - mitre-chopshop, crits@mitre.org, taxii.mitre.org, stix.mitre.org, mitre.org/work/cybersecurity, vortex-ids.org)

     Next was the panel "Delivering Actionable CTI as a Solution" with Bejtlich, Destefano, Meyers, Ramsey. Overall this was kind of a slow point in the day, as there wasn't as much energy or enthusiasm. Adam Meyers discussed analyzing and categorizing the human element of malware, such as coding techniques and use of language. It was mentioned that you need to measure the value of sources by how much it reduces your time to detect. John Ramsey had some axioms: "keeping them out is cheaper than getting them out" and "running a cybersecurity group without threat intelligence is like running a business without an income statement". Both of those hit home with me. And Richard Bejtlich had the best joke of the summit by offering to outsource intelligence to Mercyhurst Institute (see Jeff Carr debacle).

Most of the SANS 360 talks weren't too substantial. And how could they be in 6 mins? My favorites were:

Attribution: Holy Grail or Waste. Billy Leonard covered critical aspects of attribution:

  • how they operate
  • who and how they target
  • what tools, order of use, how they customize
  • how they move laterally
  • when do they operate
  • how do they take your data
  • are they good?
He also brought up the timely term "badtribution".

Exercising Analytic Discipline by Patton Adams. He didn't use any slides (Patton++). He discussed 5 key imperatives:
1 - relevance to business
2 - good communication channel with leadership
3 - Confidence - Investigate, Analyze, Don't repeat
4 - Clarity - write for your audience
5 - Timeliness - good intel, can't be late, create a template to be more efficient

Crowdsourcing Threat Intelligence - Adam Vincent, see Threatconnect.com. He did a nice walk through of how their business evolved.

Curating Indicators by Doug Wilson - "humans are always the limiting factor, you need to automate and empower"

Battlefield Intel - Anup Ghosh. Invincea looks promising as it runs certain apps in a virtual container and gathers indicators. I wish this would get integrated into AV and not require a separate agent.

Detection Timeline - Julie Ryan - She was hilarious and to the point. A good way to end the agenda.

Rob Lee and Mike Cloppert closed it out after this. They did a great job putting this together, and I'm glad I was able to attend.  I look forward to another future summit called APPLIED Cyber Threat Intelligence 2014.