Slide 1

Community Intelligence & Open Source Tools: Building an Actionable Pipeline

Slide 2

Intro

Slide 3

Me: Scott J Roberts (@sroberts). Han Solo is my spirit animal.

Slide 4

What do CTI industry analysts say? "When it comes to eating @sroberts is a thought leader up & to the right on all quadrants!" ~ @rickhholland

Slide 5

DFIRing since 2006
CTIing since 2007
Deving since 2009

Slide 8

The Problem: We are spinning up considerable new telemetry using open source tools, and we need to feed those tools with actionable intelligence.

Slide 9

The Other Problem

Slide 10

Pocket

Slide 11

Chat

Slide 12

Notebooks

Slide 13

And all the other sources...

Slide 14

$$$$

Slide 15

So I did what anyone with a little Python experience does: I built my own...

Slide 16

And I built my own again... And another time... In the end I built about 5 or 6...

Slide 17

They all sorta sucked...!

Slide 18

"I have not failed. I've just found 10,000 ways that won't work." ~ Thomas Edison

Slide 19

‒ Direction

Slide 20

Breadth vs. Depth

Slide 21

OSX, Linux, & GitHub-centric threats

Slide 22

‒ Collection

Slide 23

Twitter
Email Lists
Feeds
Ongoing Incidents
Manual

Slide 24

‒ Exploitation

Slide 25

To use a technical term: indicator extraction sucks...

Slide 26

But we did it anyway...¹

¹ YOLO!!!

Slide 27

Jager & Caçador²

² Look, it means hunter in Portuguese.

Slide 29

Command:

$ pbpaste | cacador | jq '.[]'

Slide 30

Output

Slide 31

Tada!!!
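Indicator extraction is messy mostly because shared reports defang the same indicator in many different ways. The following is an added example written for this page, not code from cacador or jager: a small Python extractor built as a filter in the same spirit as the pbpaste | cacador | jq command above. It refangs the common bracket conventions, pulls URLs, emails, IPv4 addresses, domains and hashes with regular expressions, drops dotted quads that fail address validation (so a version string such as 10.2.300.1 is not reported as an IP), skips file names that merely look like domains, and prints one JSON object. The sample report text, the pattern names, the file-extension exclusion list and the script name used in the usage note are all constructed for the example.

```python
#!/usr/bin/env python3
"""Added example, not code from cacador or jager: a minimal indicator
extractor written as a Unix filter (text in on stdin, JSON out on stdout).
Everything here, including SAMPLE_REPORT, is constructed for illustration."""
import ipaddress
import json
import re
import sys

# Refanging rules for the bracket conventions common in shared reports.
# Applied before matching, because the same indicator is written many ways.
_REFANG = [
    (re.compile(r"\[:\]"), ":"),                        # hxxp[:]//
    (re.compile(r"hxxp(s?)://", re.I), r"http\1://"),   # hxxp:// and hxxps://
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), "."),          # example[.]com
    (re.compile(r"\[@\]|\(@\)"), "@"),                   # user[@]example.com
]

# Match order does not matter: the \b anchors keep a 64-hex SHA-256 from
# also matching as a 32-hex MD5 (the 33rd character is not a boundary).
IOC_PATTERNS = {
    "url": re.compile(r"""\bhttps?://[^\s'"<>)\]]+""", re.I),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(
        r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24}\b", re.I),
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.I),
    "sha1": re.compile(r"\b[a-f0-9]{40}\b", re.I),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
}

# File names like patch.exe look like domains to the regex above. This is a
# constructed heuristic exclusion list, not a list of real TLDs.
_NOT_TLDS = {"exe", "dll", "txt", "doc", "pdf", "py", "js", "json", "csv", "log"}

# Constructed sample report text (not a real incident or real indicators).
SAMPLE_REPORT = """\
The dropper was fetched from hxxp://update[.]example[.]com/patch.exe and
beaconed to 203[.]0[.]113[.]45 on port 8443. A second sample (MD5
d41d8cd98f00b204e9800998ecf8427e) was mailed from ops[@]mail.example.net.
Ignore version 10.2.300.1 and the file notes.txt in the archive.
"""


def refang(text):
    """Undo defanging so one set of patterns can match everything."""
    for pattern, replacement in _REFANG:
        text = pattern.sub(replacement, text)
    return text


def _is_ipv4(value):
    """Reject dotted quads with octets above 255 (e.g. version numbers)."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def extract_indicators(text):
    """Return {kind: sorted unique values} for every indicator kind found."""
    text = refang(text)
    found = {}
    for kind, pattern in IOC_PATTERNS.items():
        values = set()
        for match in pattern.finditer(text):
            value = match.group(0)
            if kind == "url":
                value = value.rstrip(".,;")        # trailing sentence punctuation
            elif kind == "ipv4" and not _is_ipv4(value):
                continue
            elif kind == "domain":
                value = value.lower()
                if value.rsplit(".", 1)[-1] in _NOT_TLDS:
                    continue
            elif kind in ("md5", "sha1", "sha256"):
                value = value.lower()
            values.add(value)
        if values:
            found[kind] = sorted(values)
    return found


def main():
    # Behave as a filter when piped into; fall back to the sample otherwise.
    text = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(extract_indicators(text), indent=2))


if __name__ == "__main__":
    main()
```

Saved as extract_iocs.py (a name chosen for this example), it slots into the same pipeline shape as the slide: pbpaste | python3 extract_iocs.py | jq '.domain[]'. Run with no piped input it processes the embedded sample instead. The extension filter is only a heuristic; a production extractor would validate the last label against the public suffix list rather than a hand-written set.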

Slide 32

‒ Analysis

Slide 33

Threat Note

Slide 39

Enrichments
Whois
PassiveTotal
Shodan
VirusTotal

Slide 42

Maltego

Slide 43

Fast Incident Response

Slide 44

‒ Dissemination

Slide 45

Now: Manual

Slide 46

Soon™
osquery & Bro Intelligence
Chat with Hubot
Intelligence Reports
Application Integration

Slide 47

‒ Feedback

Slide 48

The Result

Slide 50

The (REAL) Result: A (somewhat) automated system providing centralized threat data & intelligence management, made up of a single source of truth supported by purpose-built collection, processing, and analysis integrations.

Slide 51

Lessons

Slide 52

This isn't easy. But parts are.

Slide 53

Threat Intel Tools Work When They're Integrated ~ collection | analysis | dissemination

Slide 54

High Value Investments
Tool: Paterva Maltego ~ $760
Service: PassiveTotal ~ $??
Learning: Introducing Python ~ $33

Slide 55

Learn to Code

Slide 56

Unix Philosophy
Small is beautiful
Make each program do one thing well
Portability over efficiency
Store data in flat files
Make every program a filter

Slide 57

Data formats matter less than format openness: CSV & JSON

Slide 58

Perfect Is the Enemy Of Good

Slide 59

The Future:
Scaling Up Collection & Storage
Expanded Threat_Notes
APIs & Integrations
Reputation & Fuzzy Indicators

Slide 60

Links
github.com/defpoint/threatnote
github.com/certsocietegenerale/FIR
github.com/sroberts/jager
github.com/sroberts/cacador
github.com/kbandla/APTnotes
github.com/armbues/iocparser
github.com/ivanlei/threatbutt

Slide 61

Thanks
Threat Note: @brianwarehime
FIR: @thomchop_
APTNotes: @kbandla
Jager: @kylemaxwell, @kbandla, & @deadbits

Slide 62

Questions??? ~ @sroberts http://sroberts.github.io