Skip to main content

Threat Intelligence Learning Plan

So over the last few years, there seems to be a trend of non-DIB companies starting to build internal threat intelligence teams and a big spike in security companies offering it as a subscription service. Ten years ago a paid service got you vulnerability alerts, some open source geopolitical information, and dated commodity botnet information. This space has matured quite a bit, even though some providers are simply repackaging free indicator feeds and CVEs as threat intelligence. I think the value proposition is there by using intelligence to reduce the dwell time of an adversary and potentially on good day thwarting the attacks from the start. I think the formation of strong, sector specific intelligence sharing groups will be key to being better defenders. Having had access in the past to great intelligence via clearances, I know what a huge advantage it is. Hence my strong interest in the subject. At the same time, I have little traditional intelligence analysis experience. Most of what I do is usually indicator centric. Harvest, hunt, rinse and repeat. What I am listing below are some things I would be interested in learning in the format of a pseudo-conference.

Collect
CIF(Collective Intelligence Framework) Workshop - Building and Integrating into Splunk - Kyle Maxwell
MITRE Analyst for a Day - Deploying & Leveraging STIX, CRITS, ChopShop, CybOX, MAEC, CAPEC, TAXII - Reid Gilman
Diggity Workshop - Monitoring the Interwebs for Company Leaks - Stach & Liu
Mining Chinese Media for Intel Gold - Aaron Wade
Building and Safely Maintaining a CyberPersona - iDefense - Yes I used the term Cyber
Intel Provider 360 - Each intel subscription provider has 6 mins to make the case as to why they are the best
Business DevOps - Case Study on getting business buy-in on sharing M&A, divestitures, JV, etc information with IT Security - Has anyone ever done this?
All UR C2 Belong 2ME - Effective Decoding & Monitoring of CN APT Command & Control - Joe Stewart
Automating Collection of APT malware from Public Sandboxes - Wesley McGrew

Analyze
Prickly Panda - How we build behavior-based attribution - Adam Meyers
Night Dragon Redux - Current TTPs of groups targeting the Energy Sector - Dmitri Alperovich
Intel Fusion Lockheed Style - Finding and tracking Campaigns - Mike Cloppert
Conducting Effective Intelligence Analysis - Richards Heuer
The Advanced Non-Chinese Threat - Survey of RU, IR, IL, KP Activity - Patton Adams
Don't be a victim of Badtribution - Billy Leonard
Burning Sykipot - Jaime Blasco
APT1 Where are they now? - Doug Wilson
How a journalist does research and attribution - Brian Krebs

Disseminate
The Making of "The Report" - Mandiant
CEO Round table - What I want in an intelligence team & report - Moderator - Richard Bejtlich

Counter Intelligence
Deceptions Operations - Fooling the Adversary - PaulDotCom
Honeypots that Sting - Alexey Sintsov
Maintaining OPSEC during an incident - Bamm Visscher

Dox2Pwn - Winner of this contest has made the best new attribution as voted by peers of an individual CN PLA or PLA-sponsored computer network operator

Comments

Popular posts from this blog

SANS Cyber Threat Intelligence Summit 2013

     I recently attended the first SANS CTI Summit in Washington DC. While there was plenty of brain power in the room, and good discussions were to be had, overall it was just ok. There was a big focus on what CTI is and why you should be doing it, or at least consuming it. There wasn't enough discussion, aside from one talk, on how you should be doing it. It basically reinforced my beliefs that this is still very much a small, closed off club of insiders, where nobody is sharing tradecraft. I love that SANS is getting involved in this space though, and it sounds like Mike Cloppert will be writing a SANS course on Threat Intelligence in the future. I would very much be interested in that and I expect it would sell out quickly.      Mike Cloppert opened the day by discussing the old vulnerability centric approach focused on reducing attack surface as opposed to the new threat centric model focused on reducing the risk of the actual threats affecting your ...

2020 SANS CTI Summit Notes

Unfortunately due to some back surgery I was not able to attend the SANS CTI summit this year, however I always try to take advantage of the great content SANS makes available. To help me out in synthesizing the information, I combined the context provided by those that were live tweeting which is useful when reviewing the slide decks. Hope you find this useful and well done @rickholland , @PDXbek , and @likethecoins , another great year of great content! Day 1 Secret Squirrels and Flashlights: Legal Risks and Threat Intelligence https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1579535253.pdf @CristinGoodwin Assistant General Counsel for Customer Security and Trust, Microsoft Boundaries and strategies to help analysts identify and manage legal risks while hunting, investigating, and responding "Have a principled approach to sharing, so when the crisis comes you don’t have to panic.” "What we call common in #threatinel sharing is what a l...

European DFIR Summit 2018 Review

On Monday October 1st, I attended the European edition of the SANS DFIR Summit in Prague. Normally I try to attend this in Austin, however this year I couldn't make it so attended this one later in the year instead. I took a couple days PTO just to spend some time seeing the sights and it was cool getting to take time visiting the historical sights, instead of my typical shut in routine. If you have time, I would highly recommend this and definitely book a night time river cruise. Also worth noting, the new Spiderman movie was filming last week which was kinda cool. A few other recommendations I would make, would be to stay closer to the city center and take the subway daily. This has the added benefit of staying at a nicer, more western hotel (eg Marriott, Hilton), but also being near the old town square. I'm staying at the Angelo Hotel, but the training is actually split between two hotels and I don't get the benefit of being able to quickly jet up th...