
Sharing is Caring: Sharing Threat Intelligence Notebook Edition

Thomas Roccia
December 05, 2022



Keynote - Sharing is Caring: Sharing Threat Intelligence Notebook Edition

You can derive value from threat intelligence in a number of ways: a complete threat intelligence platform, ingesting threat feeds, or simply leveraging the threat intelligence capabilities found in popular security tools. One less common way is sharing practical information with others. Sharing the methods of analysis and the conclusions derived from them is valuable for the infosec community because it demonstrates a practical and reproducible procedure. Notebooks are all about sharing tools and workflow; they provide a perfect way to exchange knowledge and improve the capabilities of your team. Share your hunting and defense techniques: the more you share, the harder it is for the bad guys.


Transcript


  3. My experience with Jupyter
    What is Threat Intelligence?
    How Jupyter notebooks can be applied in Threat Intelligence
    Practical examples and tips & tricks

  4. Sharing knowledge is not about giving people something.
    Sharing knowledge occurs when people are genuinely interested in helping others to develop new capacities.
    It is about creating learning processes.
    - Peter Senge -

  5. Started using Jupyter in 2017
    Learning machine learning for malware detection and classification
    Using notebooks to document my processes and code

  6. Observable: What activity are we seeing?
    Exploit Target: What weaknesses does this threat exploit?
    Indicator: What threats should I look for and why?
    Incident: Where has this threat been seen before?
    Threat Actor: Who is responsible for this threat?
    Procedure: What does it do?
    Campaign: Why does it do this?
    Course of Action: What can I do about it?

  7. By exchanging threat intelligence, organizations benefit from the community's collective knowledge, experience, and capabilities to better understand the threats they face.
    Threat intelligence sharing is a critical tool for the cybersecurity community.
    It takes the knowledge of one organization and spreads it across the entire industry to improve all security practices.

  8. Python, C#, C++ and many more...
    - Data analysis and data science
    - Incident response, log analysis, forensics...
    - Threat intelligence analysis, analysis of data leaks
    - Enriching data, IOCs...
    - Creating visualizations
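One of the reusable notebook tools the slide alludes to (enriching data and IOCs) is an indicator extractor that copes with the defanged form indicators take in shared reports. The block below is an added example and not code from the deck or from the author's notebooks: it refangs `hxxp://` and `[.]`, extracts IPv4 addresses, URLs, domains and hashes, validates each IPv4 candidate so that octets above 255 are dropped, and defangs indicators again before they are pasted anywhere. The report text is constructed for the example (the hostnames are in reserved documentation ranges, and the two hash values are the SHA-256 and MD5 of an empty input, used only as placeholders); all function and constant names are the example's own.

```python
from __future__ import annotations

import ipaddress
import re

# Constructed report excerpt (not a real incident): indicators appear defanged
# (hxxp://, [.]) as they usually do in shared reports, plus one malformed "IP"
# (a version string) and two placeholder hashes (SHA-256 and MD5 of empty input).
REPORT = """\
The loader beacons to hxxp://update[.]example-cdn[.]test/api/v1 and to 203[.]0[.]113[.]45 over TCP/443.
A second stage was pulled from 198.51.100.7 (build 300.1.2.3 of the tool); the dropper SHA256 is
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 and the config MD5 is d41d8cd98f00b204e9800998ecf8427e.
"""

# Common defanging conventions seen in reports, mapped back to their real form.
REFANG_RULES = [
    (re.compile(r"hxxp(s?)://", re.I), r"http\1://"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), "."),
    (re.compile(r"\[:\]"), ":"),
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
HASH_RES = {
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.I),
    "sha1": re.compile(r"\b[a-f0-9]{40}\b", re.I),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
}


def refang(text: str) -> str:
    """Turn defanged indicators in free text back into their usable form."""
    for pattern, replacement in REFANG_RULES:
        text = pattern.sub(replacement, text)
    return text


def defang(ioc: str) -> str:
    """Make an indicator safe to paste into a report or chat (not clickable, not auto-resolved)."""
    out = ioc.replace(".", "[.]")
    if out.lower().startswith("http"):
        out = "hxxp" + out[4:]
    return out


def extract_iocs(text: str) -> dict[str, list[str]]:
    """Extract deduplicated, validated indicators by type from report text."""
    text = refang(text)
    ips: set[str] = set()
    for candidate in IPV4_RE.findall(text):
        try:
            ipaddress.IPv4Address(candidate)  # rejects octets > 255, e.g. version strings
        except ValueError:
            continue
        ips.add(candidate)
    iocs: dict[str, list[str]] = {
        "ipv4": sorted(ips),
        # strip sentence punctuation that the greedy URL pattern may swallow
        "url": sorted({u.rstrip(".,;)") for u in URL_RE.findall(text)}),
        "domain": sorted({d.lower() for d in DOMAIN_RE.findall(text)}),
    }
    for kind, pattern in HASH_RES.items():
        iocs[kind] = sorted({h.lower() for h in pattern.findall(text)})
    return iocs


if __name__ == "__main__":
    for kind, values in extract_iocs(REPORT).items():
        for value in values:
            print(f"{kind:7} {defang(value)}")
```

The validation step is the part worth keeping in a shared notebook: a bare regex happily reports `300.1.2.3` as an address, and a teammate who re-runs the notebook on a different report should get the same cleaned output without re-deriving that check.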

  9. Jupyter makes it possible to exchange knowledge and practical analysis
    Share the workflow and procedure used to analyse
    Share practical tools that can be reused
    Enhance the capabilities of the team

  10. https://jupyter.securitybreak.io/vt_domain_hunting/VT_Domain_hunting.html


  12. https://jupyter.securitybreak.io/strings_similarity/Strings_Extraction.html

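The notebook linked on the previous slide covers strings extraction and similarity. As an added example, not the notebook's own code, the block below shows the core of such a workflow: pull printable ASCII and UTF-16LE strings out of byte blobs, score every pair of samples with Jaccard similarity over their string sets, and list the strings shared across samples, which are the natural pivots (C2 URLs, registry paths, API sets) for further hunting. The three byte blobs are constructed stand-ins for binaries, not real malware, and all names (`SAMPLE_A`, `extract_strings`, `pivot_strings`, ...) are the example's own.

```python
from __future__ import annotations

import re
from itertools import combinations

# Constructed stand-ins for three binaries (not real malware, not the notebook's data):
# a few header bytes, imported API names, a C2 URL stored as UTF-16LE and some filler.
C2_URL_WIDE = "http://c2.example.invalid/gate.php".encode("utf-16le")
INJECTION_APIS = b"kernel32.dll\x00VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread\x00"
SAMPLE_A = b"MZ\x90\x00\x03\x00" + INJECTION_APIS + b"\xde\xad\xbe\xef" + C2_URL_WIDE + b"\x00\x00"
SAMPLE_B = (
    b"MZ\x90\x00\x03\x00" + INJECTION_APIS + b"\x01\x02\x03" + C2_URL_WIDE + b"\x00\x00"
    + b"Mozilla/5.0\x00Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
)
SAMPLE_C = b"MZ\x90\x00\x03\x00user32.dll\x00MessageBoxA\x00Hello, World!\x00"
SAMPLES = {"sample_a": SAMPLE_A, "sample_b": SAMPLE_B, "sample_c": SAMPLE_C}


def extract_strings(data: bytes, min_len: int = 4) -> set[str]:
    """Printable ASCII and UTF-16LE strings of at least min_len characters (like strings/FLOSS)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    strings = {m.group().decode("ascii") for m in ascii_re.finditer(data)}
    strings |= {m.group().decode("utf-16le") for m in wide_re.finditer(data)}
    return strings


def jaccard(a: set[str], b: set[str]) -> float:
    """Jaccard similarity |A & B| / |A | B|; two empty sets count as identical."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def compare_samples(samples: dict[str, bytes], min_len: int = 4) -> list[tuple[str, str, float]]:
    """Pairwise similarity of the samples' string sets, most similar pair first."""
    strings = {name: extract_strings(data, min_len) for name, data in samples.items()}
    scores = [(x, y, jaccard(strings[x], strings[y])) for x, y in combinations(sorted(strings), 2)]
    return sorted(scores, key=lambda item: item[2], reverse=True)


def pivot_strings(samples: dict[str, bytes], min_len: int = 4) -> dict[str, set[str]]:
    """Strings present in more than one sample: candidate pivots for hunting."""
    seen: dict[str, set[str]] = {}
    for name, data in samples.items():
        for s in extract_strings(data, min_len):
            seen.setdefault(s, set()).add(name)
    return {s: names for s, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    for x, y, score in compare_samples(SAMPLES):
        print(f"{x} vs {y}: jaccard={score:.2f}")
    for s, names in sorted(pivot_strings(SAMPLES).items()):
        print(f"{s!r} seen in {sorted(names)}")
```

On real samples the string sets are large and full of noise (compiler artefacts, common DLL names), so a shared notebook would normally drop strings that occur in a reference corpus of benign binaries before scoring; the example keeps the scoring itself simple so the pivot logic stays visible.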

  13. https://jupyter.securitybreak.io/ELK_Threat_Hunting/ELK_Threat_Hunting.html


  14. https://jupyter.securitybreak.io/Conti_Leaks_Analysis/Conti_Leaks_Notebook_TR.html


  15. Add setup instructions
    Get to know your data well (structure, file format...)
    Have a broader understanding before deep diving
    Document what you are doing and your code
    Use visualization
    Share your notebook with your team and the community
    Get feedback and improve your next notebook!

  16. Run a shell command from Jupyter by prefixing it with "!", and run a magic command by prefixing it with "%".
    The "%%writefile" cell magic saves the contents of that cell to an external file.
    "%pycat" does the opposite: it shows the syntax-highlighted contents of an external file.
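The notebook cells below, an added example rather than cells from the deck, show how those three features fit together when turning ad-hoc analysis into a reusable tool: a shell command run with `!`, a helper module written out with `%%writefile`, the file displayed back with `%pycat`, and the module imported like any other. Each blank-line-separated group is one cell, and the `%%writefile` line must be the first line of its cell. The `samples/*.bin` path, the `iocutils.py` file name and the `refang` helper are assumptions made for the example.

```ipython
!sha256sum samples/*.bin   # "!" hands the rest of the line to the shell; the output is shown inline

%%writefile iocutils.py
import re

def refang(text: str) -> str:
    """Turn a defanged indicator (hxxp://, [.]) back into a usable one."""
    return re.sub(r"^hxxp", "http", text.replace("[.]", "."))

%pycat iocutils.py

from iocutils import refang
refang("hxxp://update[.]example[.]test")
```

Because the helper now lives in a file next to the notebook, a teammate who clones the repository gets the tool without copying cells by hand, and the notebook itself documents how the file was produced.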

  17. https://jupyter.securitybreak.io


  18. Sharing data is nice, sharing how to process that data is better!
    Jupyter is the perfect companion for workflow and high value procedures.
    Notebooks are repeatable, explainable and most of all shareable.