Slide 1

@sjr - 20230706 Exploring Threat Intelligence Insights + Tools from Vertex Synapse

Slide 2

YES THIS IS THE RIGHT WAY TO WRITE DATES!!! 20230706

Slide 3

While I’m at it… AND GMT IS THE ONLY TIMEZONE!!!!

Slide 4

Agenda
Tell ‘em what you’re gonna tell ‘em… tell ‘em… tell ‘em what you told ‘em!
• Me & Why You Should Listen to Me
• The Briefest Intro to Threat Intelligence Imaginable
• Synapse
• Key Concepts
• CRUD (actually RCUD)
• Extras
• A pile of homework to read later if you actually care…

Slide 5

Who Am I Anyway?
Scott Roberts
• Head of Threat Research @ Interpres
• Adjunct Prof & CTF Coach @ USU
• Author, Developer, & CTI Bon Vivant
• 20+ years Intrusion Detection, Incident Response, Cyber Threat Intel @ Symantec, Mandiant, GitHub, Apple, Splunk

Slide 6

What is Threat Intelligence?

Slide 7

Cyber Threat Intelligence Analysis
More like Q than James Bond…
(Image panel captions: What I Actually Do / What My Boss Thinks I Do / What My Mom Thinks I Do / What My Coworkers Think I Do)

Slide 8

Cyber Threat Intelligence (For Real)
I’m required to have actual, useful information…
• A set of models, techniques, and procedures to develop an operational & strategic understanding of adversaries
• Almost always decision support (which is just what it sounds like)
• Help SOC Analysts Identify Intrusions
• Help Incident Responders React Effectively to Intrusions
• Help Leadership & Architects Plan Better for the Next Intrusion
• Should be making everyone else’s life easier…

Slide 9

What is Synapse?

Slide 10

What is Synapse?
It’s better than a spreadsheet…
• Synapse is a versatile central intelligence and analysis system created to support analyst teams in every stage of the intelligence life cycle.
• A hypergraph-based data storage and manipulation layer.
• Supports tons of integrations and automation.

Slide 11

Synapse: Key Concepts
Fix your brain…
• Not a tool, not a database, more of a programming language
• Nodes (Facts) vs Tags (Assessments)
• Pivoting is Life!
• Types of reasoning (if you want to be all philosophical…)

Slide 12

Using Synapse

Slide 13

Reading Aka Lifts.

Slide 14

Creating
Making new stuff the same way you look up stuff, but with [ ]

Slide 15

Updating
Just like creating, new stuff in [ ]

Slide 18

Updating Or use a secondary command… like | note.add

Slide 23

Deleting Sometimes we make mistakes…
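The Reading, Creating, Updating and Deleting slides above (the RCUD cycle) only name the syntax, so here is the whole cycle written out in Storm, Synapse's query language. This is an added example, not code from the slides or from Vertex; the Storm syntax follows the public Synapse documentation as I recall it, and every domain, IP, ASN, tag name and note text is a constructed placeholder rather than a real indicator.

```storm
// Added example (not from the slides): the RCUD cycle in Storm.
// Indicator values and the #rep.example.* tags are constructed for illustration.

// READ (lift): select nodes by primary property, by tag, then pivot and filter
inet:fqdn=phish.example.net
inet:fqdn=phish.example.net -> inet:dns:a -> inet:ipv4     // domain -> its DNS A records -> the IPs
inet:ipv4=203.0.113.10 -> *                                // pivot out to every node this IP refers to
#rep.example.malicious                                     // lift everything carrying an assessment tag
#rep.example.malicious +inet:ipv4 +:asn=64500              // filter the lift to IPv4 nodes in one ASN

// CREATE: the same expressions inside [ ] create the nodes if they do not exist yet
[ inet:fqdn=phish.example.net ]
[ inet:ipv4=203.0.113.10 :asn=64500 ]
[ inet:dns:a=(phish.example.net, 203.0.113.10) ]           // a fact: an observed A record

// UPDATE: set a secondary property, or add a tag (an assessment) with an observation window
inet:ipv4=203.0.113.10 [ :asn=64500 ]
inet:fqdn=phish.example.net [ +#rep.example.malicious=(2023/07/01, 2023/07/06) ]
inet:fqdn=phish.example.net -> inet:dns:a -> inet:ipv4 [ +#rep.example.malicious ]   // carry the assessment along the pivot

// UPDATE with a secondary command: attach an analyst note to the inbound nodes
inet:fqdn=phish.example.net | note.add "Constructed example: sender domain seen in a credential-phishing lure."

// DELETE: retract an assessment, drop a property, or remove a node created by mistake
inet:fqdn=phish.example.net [ -#rep.example.malicious ]
inet:ipv4=203.0.113.10 [ -:asn ]
inet:fqdn=typo.example.net | delnode
```

The distinction the Key Concepts slide draws matters in practice: the `inet:dns:a` node is a fact that stays true even after the assessment is wrong, so retracting the `#rep.example.malicious` tag (not deleting the node) is the normal way to walk back a bad call, and `delnode` is reserved for data that should never have existed.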

Slide 24

Automation
Making stuff happen without making stuff happen…
• Macros: A macro is simply a stored Storm query / set of Storm code that can be executed on demand.
• Cron: Within Synapse, cron jobs are used to create scheduled tasks, similar to the Linux/Unix “cron” utility. The task to be executed by the cron job is specified using the Storm query language.
• Triggers: Within Synapse, a trigger is a Storm query that is executed automatically upon the occurrence of a specified event within a Cortex (such as adding a node or applying a tag). “Trigger” refers collectively to the event and the query fired (“triggered”) by the event.
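The three automation mechanisms on the slide, one of each, written in Storm. This is an added example and not code from the slides or from Vertex; the `macro.set`/`macro.exec`, `cron.add` and `trigger.add` commands and their options are as I recall them from the Synapse documentation, and the macro name, tag names and schedule are constructed placeholders.

```storm
// Added example (not from the slides): a macro, a cron job and a trigger in Storm.
// Names, tags and the schedule are constructed; command options are assumed from the Synapse docs.

// MACRO: store a query under a name, run it on demand
macro.set malicious_infra ${ #rep.example.malicious +inet:fqdn -> inet:dns:a -> inet:ipv4 }
macro.exec malicious_infra

// CRON: every day at 02:00 (Synapse cron times are assumed to be UTC, matching the GMT slide),
// flag still-tagged IPs for analyst re-review so assessments do not live forever unexamined
cron.add --daily 02:00 { #rep.example.malicious +inet:ipv4 -#rep.example.reviewed [ +#rep.example.review ] }

// TRIGGER: when the malicious tag is applied to an FQDN, propagate it to the IPs it resolves to.
// The trigger fires only for inet:fqdn nodes and tags inet:ipv4 nodes, so it cannot re-fire itself.
trigger.add tag:add --form inet:fqdn --tag rep.example.malicious --query { -> inet:dns:a -> inet:ipv4 [ +#rep.example.malicious ] }

// list what is now running in the Cortex
macro.list
cron.list
trigger.list
```

The one design point worth carrying away: a trigger on `tag:add` whose query adds the same tag to nodes of the same form is a feedback loop waiting to happen, so constrain triggers with `--form` (and `--tag`) so that the event they react to and the change they make never overlap.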

Slide 25

Power-Ups
Making data easy!
• Power-Ups provide specific add-on capabilities to Synapse via Storm Packages and Services. For example, Power-Ups may provide connectivity to external databases, third-party data sources, or enable functionality such as the ability to manage YARA rules, scans, and matches.
• Can be built by hand, pulled from Synapse, or even added from 3rd parties.

Slide 26

Synapse Optic $$$

Slide 27

In Closing…

Slide 28

https://interpressecurity.com/

Slide 29

While I’m plugging stuff… bit.ly/idirv2

Slide 30

Resources
• https://synapse.docs.vertex.link/en/latest/
• https://sroberts.io/posts/getting-started-with-synapse/
• https://sroberts.io/posts/effective-tagging-in-synapse/
• https://vertex.link/

Slide 31

Thanks & Questions