Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Community Intelligence & Open Source Tools

Scott J. Roberts
February 03, 2016
Technology
5
1.2k

Community Intelligence & Open Source Tools

My presentation on building a Threat Intelligence pipeline for Cyber Threat Intelligence at the SANS CTI Summit.

Scott J. Roberts

February 03, 2016
Tweet

More Decks by Scott J. Roberts

See All by Scott J. Roberts
Tortured Responders Dept - Scott & Rebekah's Edition
sroberts
0
94
Skynet the CTI Intern: Building Effective Machine Augmented Intelligence
sroberts
0
67
DRIVING INTELLIGENCE WITH MITRE ATT&CK: LEVERAGING LIMITED RESOURCES TO BUILD AN EVOLVING THREAT REPOSITORY
sroberts
0
31
Exploring Threat Intelligence: Insights and Tools from Vertex Synapse
sroberts
0
23
Homemade Ramen & Threat Intelligence
sroberts
2
490
Introduction to Open Source Security Tools
sroberts
3
4.8k
Building Effective Threat Intelligence Sharing
sroberts
1
110
Japanese Manufacturing, Killer Robots, & Effective Incident Handling
sroberts
0
110
Crisis Communication for Incident Response
sroberts
1
320

Other Decks in Technology

See All in Technology
【Startup CTO of the Year 2024 / Audience Award】アセンド取締役CTO 丹羽健
niwatakeru
0
920
データプロダクトの定義からはじめる、データコントラクト駆動なデータ基盤
chanyou0311
2
280
Terraform未経験の御様に対してどの ように導⼊を進めていったか
tkikuchi
2
430
IBC 2024 動画技術関連レポート / IBC 2024 Report
cyberagentdevelopers
PRO
0
110
【若手エンジニア応援LT会】ソフトウェアを学んできた私がインフラエンジニアを目指した理由
kazushi_ohata
0
150
信頼性に挑む中で拡張できる・得られる1人のスキルセットとは?
ken5scal
2
530
Python(PYNQ)がテーマのAMD主催のFPGAコンテストに参加してきた
iotengineer22
0
470
AIチャットボット開発への生成AI活用
ryomrt
0
170
Terraform CI/CD パイプラインにおける AWS CodeCommit の代替手段
hiyanger
1
240
サイバーセキュリティと認知バイアス:対策の隙を埋める心理学的アプローチ
shumei_ito
0
380
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
160
New Relicを活用したSREの最初のステップ / NRUG OKINAWA VOL.3
isaoshimizu
2
580

Featured

See All Featured
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
28
2k
Fireside Chat
paigeccino
34
3k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
169
50k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
250
21k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
For a Future-Friendly Web
brad_frost
175
9.4k
How to Think Like a Performance Engineer
csswizardry
20
1.1k
Side Projects
sachag
452
42k
The Pragmatic Product Professional
lauravandoore
31
6.3k
Build The Right Thing And Hit Your Dates
maggiecrowley
33
2.4k
What's new in Ruby 2.0
geeforr
343
31k

Transcript

  1. Community Intelligence & Open Source Tools Building an Actionable Pipeline

  2. Intro

  3. Me: Scott J Roberts @sroberts Han Solo is my Spirit

    Animal

  4. What do CTI industry analysts say? "When it comes to

    eating @sroberts is a thought leader up & to the right on all quadrants!" ~ @rickhholland

  5. DFIRing Since 2006 CTIing Since 2007 Deving Since 2009

  6. None
  7. None

  8. The Problem We are spinning up considerable new telemetry using

    open source tools and we need to feed those tools with actionable intelligence.

  9. The Other Problem

  10. Pocket

  11. Chat

  12. Note Books

  13. And all the other sources...

  14. $$$$

  15. So I did what anyone with a little Python experience

    does I built my own...

  16. And I built my own again... And another time... In

    the end I built about 5 or 6...

  17. They all sorta sucked... !

  18. "I have not failed. I have found I've just found

    10,000 ways that won't work." ~ Thomas Edison

  19. ‒ Direction

  20. Breath vs. Depth

  21. OSX, Linux, & GitHub centric threats

  22. ‒ Collection

  23. Twitter Email Lists Feeds Ongoing Incidents Manual

  24. ‒ Exploitation

  25. To Use a Technical Term Indicator Extraction sucks...

  26. But we did it anyway...1 1 YOLO!!!

  27. Jager & Caçador 2 2 Look it means hunter in

    Portuguese.
  28. None

  29. Command $ pbpaste | cacador | jq '.[]'

  30. Output

  31. Tada!!!

  32. ‒ Analysis

  33. Threat Note

  34. None
  35. None
  36. None
  37. None
  38. None

  39. Enrichments Whois PassiveTotal Shodan VirusTotal

  40. None
  41. None

  42. Maltego

  43. Fast Incident Response

  44. ‒ Dissemination

  45. Now Manual

  46. Soon™ osquery & Bro Intelligence Chat with Hubot Intelligence Reports

    Application Integration

  47. ‒ Feedback

  48. The Result

  49. None

  50. The (REAL) Result A (somewhat) automated system providing centralized threat

    data & intelligence management made up of a single source of truth supported by purpose built collection, processing, and analysis integrations.

  51. Lessons

  52. This isn't easy But parts are.

  53. Threat Intel Tools Work When They're Integrated ~ collection |

    analysis | dissemination

  54. High Value Investments Tool: Paterva Maltego ~ $760 Service: PassiveTotal

    ~ $?? Learning: Introducing Python ~ $33

  55. Learn to Code

  56. Unix Philosophy Small is beautiful Make each program do one

    thing well Portability over efficiency Store data in flat files Make every program a filter

  57. Data formats matter less than format openness CSV & JSON

  58. Perfect Is the Enemy Of Good

  59. The Future: Scaling Up Collection & Storage Expanded Threat_Notes APIs

    & Integrations Reputation & Fuzzy Indicators

  60. Links github.com/defpoint/threatnote github.com/certsocietegenerale/FIR github.com/sroberts/jager github.com/sroberts/cacador github.com/kbandla/APTnotes github.com/armbues/iocparser github.com/ivanlei/threatbutt

  61. Thanks Threat Note: @brianwarehime FIR: @thomchop_ APTNotes: @kbandla Jager: @kylemaxwell,

    @kbandla, & @deadbits

  62. Questions??? ~ @sroberts http://sroberts.github.io