
AISA - Practical Threat Intelligence

Thomas Roccia
October 11, 2022


This presentation was delivered at CyberCon AISA in Melbourne. It covers threat intelligence and open-source technologies including OpenCTI, ELK and Jupyter.



  1. Practical Threat Intelligence: How to Build Your Own Workflow Using Open Source to Monitor Modern Threats
     Thomas Roccia, Sr. Security Researcher at Microsoft, @fr0gger
  2. WHOAMI
     Thomas Roccia, Sr. Security Researcher at Microsoft. From France to Australia.
     https://SecurityBreak.io @fr0gger_
  3. What will be covered?
     • What is Threat Intelligence?
     • How to deal with a huge amount of data?
     • Overview of the LAB
     • Introducing OpenCTI
     • ElasticSearch for other data intelligence
     • The power of Jupyter
  4. INFOBESITY: Geopolitics, Affiliates, Nation-State
  5. What is Threat Intelligence?
     • Threat Intelligence is knowledge that allows you to prevent or mitigate cyberattacks.
     • Rooted in data, threat intelligence gives you context that helps you make informed decisions about your security by answering questions like:
       • Who is attacking you?
       • What are their motivations and capabilities?
       • What IOCs should you look for in your systems?
  6. Types of Intelligence
     • Tactical: malware analysis, threat indicators, improved detection. Audience: SOC analysts, SIEM, endpoints, detection engineering.
     • Operational: adversarial capabilities, infrastructure, TTPs. Audience: threat hunters, incident response, SOC analysts.
     • Strategic: high-level trends, adversarial motives, strategic decisions. Audience: CISO, CIO, CTO, executives.
  7. Threat Intelligence Process
     Collect & classify intelligence reports:
     • Advanced Persistent Threats, threat actors
     • Tactics, Techniques and Procedures
     • Vulnerability reports
     Define your requirements. Understand international relations and the geopolitical context.
  8. Threat Intelligence Process
     Collect & classify Indicators of Compromise (IOC):
     • Incident Response
     • Open-Source Intelligence (OSINT)
     • Threat Hunting
     Analyze & triage IOCs:
     • Malware and/or vulnerability analysis
     • Infrastructure mapping, new domains
  9. Threat Intelligence Process
     Hunt & pivot for new attacks:
     • Create Yara, Sigma, Snort rules
     • Identify code similarities
     • Search for infrastructure overlap & passive DNS
     • Mass scanning to uncover new C2s
     • Set up honeypots
     • Get information from private sources
     Understand victimology:
     • Who/where are the targets? Which sectors?
     • Make the connections to past attacks.
     • Find a link with the geopolitical context.
  10. Threat Intelligence Process
     Share intelligence, dispatch IOCs, improve the knowledge base. Iterate & improve the process.
  11. Goal of the Lab
     • Classify external threat reports and centralize the data
     • Track IOCs and TTPs
     • Analyze different kinds of data, such as data leaks, OSINT…
     • Empower analysts with ready-to-use tools
     • Articulate everything and build your Threat Intel practice
  12. Lab Overview
     Components: OpenCTI, ELK, Jupyter Notebooks.
     Inputs: external threat reports, tracking threat actors, TTPs, incident response, feeds, OSINT, data leaks, other data.
     Activities: data analytics, malware analysis, intelligence analysis.
     Users: analysts.
  13. OpenCTI
     • OpenCTI is a French open-source project.
     • Used to classify and track threat actors.
     • Can be used to document actors, campaigns, tools and more…
     • Modules can be easily added in Python for enrichment.
     • API available for automation.
     • OpenCTI - Open platform for cyber threat intelligence
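Slide 13 says OpenCTI exposes an API for automation and is used to track actors and what indicates them. OpenCTI's data model is STIX 2.1, so the simplest automation is to turn a triaged report into a STIX 2.1 bundle and import it (through the platform's import feature or its pycti client). The script below is an added example, not code from the talk or from OpenCTI: it builds such a bundle with the Python standard library only. The actor name, the indicators and the `ti-lab.example` namespace are constructed placeholders.

```python
"""Assemble triaged indicators into a STIX 2.1 bundle, the format OpenCTI ingests.
Added example (standard library only), not OpenCTI or pycti code."""
import json
import uuid
from datetime import datetime, timezone

# Constructed lab namespace: UUIDv5 ids make re-runs produce the same object ids,
# so re-importing the bundle updates objects instead of duplicating them.
LAB_NS = uuid.uuid5(uuid.NAMESPACE_DNS, "ti-lab.example")

# STIX Cyber-observable properties used to build a pattern for each IOC kind.
PATTERN_PROPS = {
    "domain": "domain-name:value",
    "ipv4": "ipv4-addr:value",
    "url": "url:value",
    "sha256": "file:hashes.'SHA-256'",
}


def stix_id(obj_type, key):
    """Deterministic STIX identifier: <type>--<uuidv5 of key>."""
    return f"{obj_type}--{uuid.uuid5(LAB_NS, f'{obj_type}:{key}')}"


def now_iso():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def threat_actor(name, actor_types, description=""):
    ts = now_iso()
    return {
        "type": "threat-actor", "spec_version": "2.1",
        "id": stix_id("threat-actor", name),
        "created": ts, "modified": ts,
        "name": name, "description": description,
        "threat_actor_types": actor_types,
    }


def indicator(kind, value, labels, confidence=50):
    if kind not in PATTERN_PROPS:
        raise ValueError(f"unsupported IOC kind: {kind}")
    # STIX patterns are single-quoted; escape backslashes and quotes so an IOC
    # value copied from a report cannot break or alter the pattern.
    safe = value.replace("\\", "\\\\").replace("'", "\\'")
    pattern = f"[{PATTERN_PROPS[kind]} = '{safe}']"
    ts = now_iso()
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": stix_id("indicator", pattern),
        "created": ts, "modified": ts,
        "name": value, "pattern": pattern, "pattern_type": "stix",
        "valid_from": ts, "labels": labels, "confidence": confidence,
    }


def relationship(rel_type, source, target):
    ts = now_iso()
    return {
        "type": "relationship", "spec_version": "2.1",
        "id": stix_id("relationship", f"{rel_type}:{source['id']}:{target['id']}"),
        "created": ts, "modified": ts,
        "relationship_type": rel_type,
        "source_ref": source["id"], "target_ref": target["id"],
    }


def build_bundle(actor, iocs):
    """Bundle the actor, one indicator per IOC and an 'indicates' relationship each."""
    objects = [actor]
    for kind, value, labels in iocs:
        ind = indicator(kind, value, labels)
        objects += [ind, relationship("indicates", ind, actor)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


# Constructed sample data for a fictitious actor (documentation ranges, not real IOCs).
SAMPLE_ACTOR = threat_actor("LAB-ACTOR-01", ["crime-syndicate"], "Constructed example actor")
SAMPLE_IOCS = [
    ("domain", "update-check.example", ["malicious-activity"]),
    ("ipv4", "203.0.113.10", ["malicious-activity"]),
    ("sha256", "0123456789abcdef" * 4, ["malicious-activity"]),
]

if __name__ == "__main__":
    print(json.dumps(build_bundle(SAMPLE_ACTOR, SAMPLE_IOCS), indent=2))
```

The deterministic ids are the point worth copying: a connector that runs every hour and rebuilds the same bundle from the same report will update the existing objects in OpenCTI rather than pile up duplicates, and the quote escaping keeps a value pasted from a vendor blog from turning into a malformed or unexpectedly broad pattern.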
  14. (image-only slide)
  15. (image-only slide)
  16. ELK for ingesting data
     • The ELK stack is a powerful tool to analyse data.
     • The data can be ingested via Logstash.
     • Kibana is used for creating dashboards and visualisations.
     • ELK can be useful for all kinds of data analysis: data leaks, detection logs, monitoring, anything else.
     Pipeline: Data → Logstash (data processing) → Elasticsearch (storage) → Kibana (visualization)
     *Logstash, Elasticsearch and Kibana are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.
  17. Practical Example: ELK with Malware Bazaar
     • Malware Bazaar is an open malware database.
     • It helps provide an overview of the data.
     • Daily samples are uploaded and analysed by the community.
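Slides 16 and 17 describe feeding Malware Bazaar samples into ELK. The script below is an added example, not the talk's code: it normalises raw records into flat, typed documents with an @timestamp (so Kibana can chart the daily samples), de-duplicates on SHA-256 and emits the body for the Elasticsearch _bulk API. The field names (sha256_hash, first_seen, signature, tags) and the get_recent query are taken from the abuse.ch API documentation and should be checked against the current version; the sample records are constructed and the live fetch is not exercised offline.

```python
"""Normalise Malware Bazaar sample records and emit an Elasticsearch _bulk payload.
Added example, not code from the talk. Field names and the get_recent query follow
the abuse.ch API documentation; verify them against the current docs."""
import json
import urllib.parse
import urllib.request
from collections import Counter
from datetime import datetime, timezone

MB_API = "https://mb-api.abuse.ch/api/v1/"
HEX = set("0123456789abcdef")


def fetch_recent(limit=100, timeout=30):
    """Live call to Malware Bazaar (not exercised by the offline demo below)."""
    body = urllib.parse.urlencode({"query": "get_recent", "selector": str(limit)}).encode()
    with urllib.request.urlopen(MB_API, data=body, timeout=timeout) as resp:
        payload = json.load(resp)
    if payload.get("query_status") != "ok":
        raise RuntimeError(f"Malware Bazaar query failed: {payload.get('query_status')}")
    return payload["data"]


def normalize(rec):
    """Map one raw record to a flat, typed document with an @timestamp for Kibana."""
    sha = str(rec.get("sha256_hash", "")).lower()
    if len(sha) != 64 or set(sha) - HEX:
        raise ValueError(f"bad sha256_hash: {rec.get('sha256_hash')!r}")
    seen = datetime.strptime(rec["first_seen"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {
        "@timestamp": seen.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "sha256": sha,
        "file_name": rec.get("file_name"),
        "file_type": rec.get("file_type"),
        "file_size": int(rec["file_size"]) if rec.get("file_size") else None,
        "signature": rec.get("signature") or "unknown",  # null means unclassified
        "tags": sorted({t.lower() for t in (rec.get("tags") or [])}),
        "reporter": rec.get("reporter"),
        "source": "malwarebazaar",
    }


def bulk_actions(records, index="malwarebazaar"):
    """Pairs of (action, document); sha256 as _id makes re-ingestion idempotent."""
    out, seen = [], set()
    for rec in records:
        doc = normalize(rec)
        if doc["sha256"] in seen:
            continue
        seen.add(doc["sha256"])
        out.append(({"index": {"_index": index, "_id": doc["sha256"]}}, doc))
    return out


def to_ndjson(actions):
    """Serialise to the newline-delimited body the _bulk endpoint expects."""
    lines = []
    for action, doc in actions:
        lines.append(json.dumps(action))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"


def signature_counts(actions):
    """Quick triage view: unique samples per malware family."""
    return Counter(doc["signature"] for _, doc in actions)


# Constructed sample records (fake hashes); the second is a duplicate of the first.
SAMPLE_RECORDS = [
    {"sha256_hash": "0123456789abcdef" * 4, "first_seen": "2022-10-11 09:15:42",
     "file_name": "invoice.exe", "file_type": "exe", "file_size": "412160",
     "signature": "AgentTesla", "tags": ["exe", "AgentTesla"], "reporter": "lab"},
    {"sha256_hash": "0123456789ABCDEF" * 4, "first_seen": "2022-10-11 09:15:42",
     "file_name": "invoice.exe", "file_type": "exe", "file_size": "412160",
     "signature": "AgentTesla", "tags": ["exe"], "reporter": "lab"},
    {"sha256_hash": "fedcba9876543210" * 4, "first_seen": "2022-10-11 10:02:07",
     "file_name": "q3.xlsx", "file_type": "xlsx", "file_size": "77824",
     "signature": None, "tags": ["xlsx"], "reporter": "lab"},
]

if __name__ == "__main__":
    acts = bulk_actions(SAMPLE_RECORDS)
    print(to_ndjson(acts))
    print(signature_counts(acts))
```

POST the output of to_ndjson to the cluster's /_bulk endpoint with Content-Type: application/x-ndjson. Because _id is the SHA-256, running the job every hour re-indexes samples already seen instead of creating duplicates, which is what keeps a "samples per family per day" dashboard honest; a validation failure on a malformed record raises rather than silently indexing junk.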
  18. (image-only slide)
  19. Jupyter Lab
     • JupyterLab is a web-based interactive development environment for notebooks, code, and data.
     • It is a great tool to share your code with others.
     • It can be used to create workflows and procedures.
  20. Jupyter to ELK
  21. Analyzing the data with Jupyter
  22. MSTICpy
     • Querying log data from multiple sources
     • Machine learning analysis
     • Extracting Indicators of Activity (IOA) from logs and unpacking encoded data
     • Performing analysis such as anomalous session detection and time series decomposition
     • Visualizing data using interactive timelines, process trees and multi-dimensional Morph Charts
     • Enriching data with TI, geolocation…
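Slide 22 lists extracting indicators from logs among MSTICpy's features (its IoCExtract class does this). The script below is an added, hand-written equivalent so the mechanics are visible; it is not MSTICpy code. It refangs the notations reports use to neutralise indicators (hxxp, [.], (.), [dot]), pulls URLs, IPv4 addresses, domains and hashes out of free text with regular expressions, and filters the usual noise: non-routable addresses and file names that look like domains. The log lines are constructed.

```python
"""Extract and refang indicators from raw log lines or report text.
Added example: a hand-written equivalent of what MSTICpy's IoCExtract does, not MSTICpy code."""
import ipaddress
import re

# Common defanging conventions seen in reports, mapped back to their real form.
DEFANG_RULES = [
    (re.compile(r"hxxp", re.I), "http"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.I), "."),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\[@\]|\[at\]", re.I), "@"),
]

IOC_PATTERNS = {
    "url": re.compile(r"\bhttps?://[^\s\"'<>]+", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.I),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}

# Tokens like invoice.exe or stage2.bin match the domain regex; drop these "TLDs".
FILE_EXTENSIONS = {"exe", "dll", "bin", "txt", "pdf", "doc", "docx", "xls", "xlsx",
                   "zip", "rar", "js", "ps1", "bat", "log", "json", "csv", "py"}

# Explicit non-routable ranges. ipaddress's is_private would also drop the RFC 5737
# documentation ranges (203.0.113.0/24 etc.) used in the sample lines, hence the list.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def refang(text):
    for pat, repl in DEFANG_RULES:
        text = pat.sub(repl, text)
    return text


def extract_iocs(text, drop_private=True):
    """Return {kind: set(values)}; hashes and domains are lower-cased for de-duplication."""
    text = refang(text)
    found = {kind: set() for kind in IOC_PATTERNS}
    for kind, pat in IOC_PATTERNS.items():
        for match in pat.findall(text):
            found[kind].add(match if kind == "url" else match.lower())

    # Keep only syntactically valid and (optionally) routable IPv4 addresses. Version
    # strings such as 1.2.3.4 can still slip through; that is a known limit of regexes.
    routable = set()
    for ip in found["ipv4"]:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if drop_private and any(addr in net for net in NON_ROUTABLE):
            continue
        routable.add(ip)
    found["ipv4"] = routable

    found["domain"] = {d for d in found["domain"]
                       if d.rsplit(".", 1)[-1] not in FILE_EXTENSIONS}
    return found


# Constructed log lines (documentation IP ranges, invented hostnames, fake hashes).
SAMPLE_LINES = [
    "2022-10-11T09:15:42Z proxy src=10.0.0.5 dst=203.0.113.10 url=hxxp://update-check[.]example/stage2.bin",
    "2022-10-11T09:16:01Z edr host=WS-042 file=invoice.exe sha256=" + "0123456789abcdef" * 4,
    "2022-10-11T09:16:09Z dns query=cdn-static(.)example-cdn[.]net answer=198.51.100.7",
    "2022-10-11T09:17:30Z analyst note: md5 0123456789abcdef0123456789ABCDEF seen on loopback 127.0.0.1",
]

if __name__ == "__main__":
    for kind, values in extract_iocs("\n".join(SAMPLE_LINES)).items():
        print(f"{kind}: {sorted(values)}")
```

In a notebook this sits between the ELK query and the enrichment step: pull the raw lines with the Elasticsearch client, run extract_iocs over them, and hand the resulting sets to TI or geolocation lookups. The md5 pattern cannot match inside a SHA-256 because the word boundary after 32 hex characters fails, and private addresses are dropped by default so that internal source IPs never end up in an enrichment query or in OpenCTI.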
  23. MSTICpy Enrichment
  24. Take Away
     • The amount of information available can be overwhelming.
     • Threat Intelligence is the process of sorting and making sense of all the data.
     • Threat Intelligence requires trained people.
     • Open-source technologies can help and bolster your teams during investigation and analysis.
     • Centralised platforms are great for building a common knowledge base.
     • Python and Jupyter empower analysts to make sense of the stored data.
  25. Resources
     • https://www.opencti.io/
     • https://www.elastic.co/what-is/elk-stack
     • https://jupyter.org/
     • https://msticpy.readthedocs.io/
     • https://bazaar.abuse.ch/
     • https://www.flaticon.com/
     • https://www.sans.org/tools/the-pyramid-of-pain/
  26. THANK YOU Thomas Roccia @fr0gger