about me 

really sucked at school 

Age 12 18 14 16 work experience 20 * 

No content

time to regroup 

- Enrol in IT Program at NSCC - Get job with NSCC - Design and Build their first Security Monitoring Infrastructure - Deploy to 21 locations (13 campuses) throughout the province The Plan*: * OK, not really at all but incredibly that’s how it played out 

No content

No content

No content

open source developer 

open source contributor 

working for a really cool company 

Next-generation, Deployable Defensive Cyberspace Operations (DCO) Infrastructure (DDI) prototype kits for Cyber Protection Teams (CPTs) * 

moon shot ~1 year No VC $ 

No content

Beginners Guide to OSINT paul halliday | AtlSecCon Halifax | April 2016 

So what is threat intelligence? 

in the beginning, there was a whole lotta nothing 

good guys 

bad guys 

threat intel provider 

Take 1 Data 

No content

No content

Source: iSIGHT Partners - What is Cyber Threat Intelligence and why do I need it? what we really care about 

“Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.” Source: Gartner - Defini[on: Threat Intelligence Threat Intelligence: 

= = Take 2 More Data 

No content

Take 3 Narrative 5 KM = = ETA 5min 

No content

= = data intel but, add a narrative and URL IP FILEHASH DOMAIN USER EMAIL CERTHASH IOCs (by themselves) are just data 

Source: David Bianco Indicators of Compromise (IOCs) The Pyramid of Pain “..knowledge about adversaries and their motivations, intentions, and methods..” refactoring effort = 

types of OSINT 

specific threats numerous trackers 

No content

No content

No content

No content

No content

No content

No content

generic bad 

Community Votes 

non-specific threat (or perhaps no threat at all) Exit Nodes 

some carry more weight than others many types, but keep in mind meaningful metadata little or no metadata 

stay calm. more importantly though: threat indicators are not signatures 

a simple use case 

DNS Blackhole google.ca facebook.com cbc.ca badplace.ru reallybadplace.nl twitter.com cnn.com …. ? domains limitations 1. http:/ /dropbox.com/evilpayload.exe.txt 2. http:/ /95.28.37.16/evilpayload.exe.txt 3. http:/ /reallybadplace.nl/evilpayload.exe.txt (indicators) 

a more advanced use case 

DNS Log HTTP Log Connection Log SSL Log SMTP Log Files Log …..? The Bro Network Security Monitor Logging Framework 

01100001 00100000 01110111 01101000 01101111 01101100 01100101 00100000 01100010 01110101 01101110 01100011 01101000 00100000 01101111 01100110 00100000 01100100 01100001 01110100 01100001 00100000 01101000 01100101 01110010 01100101 00100001 00100001 Intel::ADDR Intel::URL Intel::SOFTWARE Intel::EMAIL Intel::DOMAIN Intel::USER_NAME Intel::FILE_HASH Intel::FILE_NAME Intel::CERT_HASH Intel Types Intel.log #fields indicator indicator_type meta.source meta.url meta.do_notice meta.if_in 000007.ru Intel::DOMAIN MalwareDomains http:/ /malwaredomains.com/files/domains F - intel metadata args type Wow. More logs.. Now what? 

Timestamp UID* Origin Response Indicator Type Where Sources super important 

multiple log matches 1. connection log shows the protocol 2. intel log shows a bad IP address 3. ssh log shows an authentication failure 1 2 3 Timestamp UID* If we follow the UID from the intel hit, what do we see? 

https:/ /intel.criticalstack.com Free!