Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
In the Lair of the Beholder
Search
Kyle Maxwell
July 08, 2015
Technology
0
100
In the Lair of the Beholder
Kyle Maxwell
July 08, 2015
Tweet
Share
More Decks by Kyle Maxwell
See All by Kyle Maxwell
Using Python to Fight Cybercrime
krmaxwell
2
220
Incident Patterns
krmaxwell
0
430
Hackertainment
krmaxwell
1
230
Threat Intelligence for Incident Response
krmaxwell
0
180
From Minion to Engineer
krmaxwell
0
120
Why XOR Crypto Sucks
krmaxwell
0
210
Open Source Threat Intelligence - Shakacon
krmaxwell
1
890
Secure Blogging
krmaxwell
0
140
Grabbing fresh evil bits: Maltrieve
krmaxwell
1
160
Other Decks in Technology
See All in Technology
研究開発部メンバーの働き⽅ / Sansan R&D Profile
sansan33
PRO
3
20k
Introduction to Sansan, inc / Sansan Global Development Center, Inc.
sansan33
PRO
0
2.8k
ストレージエンジニアの仕事と、近年の計算機について / 第58回 情報科学若手の会
pfn
PRO
3
660
Linux カーネルが支えるコンテナの仕組み / LF Japan Community Days 2025 Osaka
tenforward
1
120
ローカルLLMとLINE Botの組み合わせ その2(EVO-X2でgpt-oss-120bを利用) / LINE DC Generative AI Meetup #7
you
PRO
1
150
「最速」で Gemini CLI を使いこなそう! 〜Cloud Shell/Cloud Run の活用〜 / The Fastest Way to Master the Gemini CLI — with Cloud Shell and Cloud Run
aoto
PRO
1
170
AIとともに歩んでいくデザイナーの役割の変化
lycorptech_jp
PRO
0
840
Zephyr(RTOS)にEdge AIを組み込んでみた話
iotengineer22
1
320
Introduction to Sansan for Engineers / エンジニア向け会社紹介
sansan33
PRO
5
43k
初めてのDatabricks Apps開発
taka_aki
1
280
All About Sansan – for New Global Engineers
sansan33
PRO
1
1.2k
[2025年10月版] Databricks Data + AI Boot Camp
databricksjapan
1
250
Featured
See All Featured
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
49
3.1k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
4k
Code Reviewing Like a Champion
maltzj
526
40k
Agile that works and the tools we love
rasmusluckow
331
21k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
140
34k
How GitHub (no longer) Works
holman
315
140k
Stop Working from a Prison Cell
hatefulcrawdad
272
21k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
34
2.3k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
52
5.7k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
23
1.5k
Making Projects Easy
brettharned
120
6.4k
A better future with KSS
kneath
239
18k
Transcript
In the Lair of the Beholder Kyle Maxwell @kylemaxwell
[email protected]
How this got started “Beholder” is Product Identity of Wizards
of the Coast
External IOCs How to look? • Blacklists • WHOIS •
Search engine automation • Malware repositories
OSINT is a lot like this
Blacklists Check popular “threat intel data feeds” using Combine plus
Flail https://github.com/mlsecproject/combine https://github.com/krmaxwell/flail Games Workshop
WHOIS Registration of domains relevant to brand or organization name
http://modernfarmer.com/2013/06/cowglyphics-decoding-cattle-brands/
Search Engine Automation Custom Search Engine for paste sites Google
Alerts for key email addresses (executives, honeytokens, etc.)
Malware Repositories YARA: “The pattern matching swiss knife” http://plusvic.github.io/yara/ “Antivirus
that you update using git pull” ~ @tomchop_
YARA Example (super naïve) rule verisign_email { strings: $email_domain =
"@verisign.com" $common_email = "CPS-requests" condition: $email_domain and not $common_email }
Automation “Scumblr is a web application that allows performing periodic
searches and storing / taking actions on the identified results.” https://github.com/Netflix/Scumblr
Lesson: Start off simple
Lesson: Evolve or die
Lesson: Work with others Professionals can usually provide richer details.
Discussion Thanks! @kylemaxwell
[email protected]