Community Intelligence & Open Source Tools

My presentation on building a Threat Intelligence pipeline for Cyber Threat Intelligence at the SANS CTI Summit.

Scott J. Roberts

February 03, 2016

Transcript

  1. Community Intelligence & Open Source Tools: Building an Actionable Pipeline

  2. Intro

  3. Me: Scott J Roberts (@sroberts). Han Solo is my Spirit Animal.

  4. What do CTI industry analysts say? "When it comes to eating, @sroberts is a thought leader up & to the right on all quadrants!" ~ @rickhholland

  5. DFIRing Since 2006 CTIing Since 2007 Deving Since 2009

  6. None
  7. None
  8. The Problem: We are spinning up considerable new telemetry using open source tools and we need to feed those tools with actionable intelligence.

  9. The Other Problem

  10. Pocket

  11. Chat

  12. Note Books

  13. And all the other sources...

  14. $$$$

  15. So I did what anyone with a little Python experience does: I built my own...

  16. And I built my own again... And another time... In the end I built about 5 or 6...

  17. They all sorta sucked... !

  18. "I have not failed. I've just found 10,000 ways that won't work." ~ Thomas Edison

  19. ‒ Direction

  20. Breadth vs. Depth

  21. OSX, Linux, & GitHub centric threats

  22. ‒ Collection

  23. Twitter Email Lists Feeds Ongoing Incidents Manual

  24. ‒ Exploitation

  25. To Use a Technical Term Indicator Extraction sucks...

  26. But we did it anyway... [1]  ([1] YOLO!!!)

  27. Jager & Caçador [2]  ([2] Look, it means hunter in Portuguese.)

  28. None
  29. Command: $ pbpaste | cacador | jq '.[]'

  30. Output

  31. Tada!!!

  32. ‒ Analysis

  33. Threat Note

  34. None
  35. None
  36. None
  37. None
  38. None
  39. Enrichments Whois PassiveTotal Shodan VirusTotal

  40. None
  41. None
  42. Maltego

  43. Fast Incident Response

  44. ‒ Dissemination

  45. Now Manual

  46. Soon™: osquery & Bro Intelligence, Chat with Hubot, Intelligence Reports, Application Integration

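Slide 46 lists pushing intelligence into Bro as the next dissemination step. The block below is an added example (mine, not code from the deck or from any of the linked projects) of what that step looks like: it takes a dictionary of indicators grouped by type, the shape a collection or extraction tool might hand over, and renders the tab-separated file that Bro's Intelligence Framework loads. The column names and the Intel:: type names are Bro's own; the grouping keys, the indicator values, the source name and the descriptions are constructed for the example.

```python
"""Dissemination: write indicators as a Bro Intelligence Framework file.

Added example, not code from the deck or the linked projects.  Bro's intel
framework reads a tab-separated file whose #fields header names the columns.
indicator, indicator_type and meta.source are required; an empty optional
column is written as "-".  Usage: python3 to_bro_intel.py > indicators.dat
"""
import re
import sys

# Map the grouped indicator keys a collection step emits (these key names are
# an assumption of this example) onto the types Bro's intel framework matches.
TYPE_MAP = {
    "ipv4s": "Intel::ADDR",
    "domains": "Intel::DOMAIN",
    "urls": "Intel::URL",
    "emails": "Intel::EMAIL",
    "md5s": "Intel::FILE_HASH",
    "sha1s": "Intel::FILE_HASH",
    "sha256s": "Intel::FILE_HASH",
}

FIELDS = ["indicator", "indicator_type", "meta.source",
          "meta.desc", "meta.url", "meta.do_notice"]


def to_intel_rows(indicators, source, desc="-", url="-", do_notice=False):
    """Flatten {kind: [values]} into Bro intel rows.

    Kinds Bro cannot match on are dropped, and so is any value that would
    break the TSV record (empty, or containing a tab or newline).
    """
    rows = []
    for kind, values in indicators.items():
        intel_type = TYPE_MAP.get(kind)
        if intel_type is None:
            continue  # e.g. free-text notes: not something Bro can match
        for value in values:
            if intel_type == "Intel::URL":
                # Bro matches URLs without the scheme, i.e. "host/path".
                value = re.sub(r"^https?://", "", value, flags=re.IGNORECASE)
            if not value or "\t" in value or "\n" in value:
                continue
            rows.append([value, intel_type, source, desc or "-", url or "-",
                         "T" if do_notice else "F"])
    return rows


def render_intel_file(rows):
    """Serialize rows under the #fields header line Bro expects."""
    lines = ["#fields\t" + "\t".join(FIELDS)]
    lines.extend("\t".join(row) for row in rows)
    return "\n".join(lines) + "\n"


# Constructed sample input, shaped like the output of an extraction filter.
SAMPLE_INDICATORS = {
    "ipv4s": ["198.51.100.23"],
    "domains": ["evil-cdn.example.com"],
    "urls": ["http://evil-cdn.example.com/gate.php"],
    "md5s": ["d41d8cd98f00b204e9800998ecf8427e"],
    "notes": ["free text that has no Bro intel type"],
}

if __name__ == "__main__":
    rows = to_intel_rows(SAMPLE_INDICATORS, source="threat_note",
                         desc="constructed example", do_notice=True)
    sys.stdout.write(render_intel_file(rows))
```

Bro picks the file up through `redef Intel::read_files += { "/path/to/indicators.dat" };` in local.bro together with `@load frameworks/intel/seen`, which is what feeds the protocol analyzers' observations into the framework; a match is written to intel.log, and with meta.do_notice set to T it also raises a notice. The file is re-read when it changes, so the dissemination step is just rewriting it from the single source of truth.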
  47. ‒ Feedback

  48. The Result

  49. None
  50. The (REAL) Result: A (somewhat) automated system providing centralized threat data & intelligence management, made up of a single source of truth supported by purpose-built collection, processing, and analysis integrations.

  51. Lessons

  52. This isn't easy But parts are.

  53. Threat Intel Tools Work When They're Integrated ~ collection | analysis | dissemination

  54. High Value Investments. Tool: Paterva Maltego ~ $760. Service: PassiveTotal ~ $??. Learning: Introducing Python ~ $33

  55. Learn to Code

  56. Unix Philosophy: Small is beautiful. Make each program do one thing well. Portability over efficiency. Store data in flat files. Make every program a filter.

  57. Data formats matter less than format openness: CSV & JSON
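Slides 25 to 31 show indicator extraction as a clipboard-to-JSON filter (pbpaste | cacador | jq), and slides 56 and 57 argue for small programs that act as filters over open formats. The following added example (mine, not Cacador, Jager or any code from the deck) puts the two together in Python: it reads free text on stdin, undoes the common defanging conventions, pulls out IPv4 addresses, domains, URLs, e-mail addresses and file hashes with regular expressions, and writes one JSON object so jq or the next tool in the pipe can consume it. The output key names, the file-extension deny list and the sample text are my own assumptions.

```python
#!/usr/bin/env python3
"""Indicator-extraction filter: free text on stdin, one JSON object on stdout.

Added example, not Cacador or Jager.  Usage: pbpaste | python3 extract_iocs.py | jq '.[]'
"""
import json
import re
import sys

# One pattern per indicator type.  Each type is extracted independently, so a
# domain inside a URL is also reported as a domain.  The key names are this
# example's own choice, not Cacador's output format.
PATTERNS = {
    "urls": re.compile(r"\bhttps?://[^\s<>\"')\]]+", re.IGNORECASE),
    "emails": re.compile(r"\b[a-z0-9._%+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
    "domains": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
    "ipv4s": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "md5s": re.compile(r"\b[a-f0-9]{32}\b", re.IGNORECASE),
    "sha1s": re.compile(r"\b[a-f0-9]{40}\b", re.IGNORECASE),
    "sha256s": re.compile(r"\b[a-f0-9]{64}\b", re.IGNORECASE),
}

# "report.pdf" and "gate.php" look like domains to a regex; this deny list
# (an assumption of the example) removes the most common false positives.
FILE_EXTENSIONS = {"pdf", "exe", "dll", "txt", "zip", "doc", "docx", "xls",
                   "py", "js", "html", "php"}


def refang(text):
    """Undo the defanging analysts use to keep pasted indicators unclickable."""
    text = re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    text = re.sub(r"\[\.\]|\(\.\)|\[dot\]|\(dot\)", ".", text, flags=re.IGNORECASE)
    text = re.sub(r"\[@\]|\(@\)|\[at\]", "@", text, flags=re.IGNORECASE)
    return text


def extract(text):
    """Return {type: sorted unique values} for every indicator type in PATTERNS."""
    text = refang(text)
    found = {}
    for name, pattern in PATTERNS.items():
        values = set()
        for match in pattern.findall(text):
            value = match.rstrip(".,;:")  # trailing sentence punctuation
            if name == "domains" and value.rsplit(".", 1)[-1].lower() in FILE_EXTENSIONS:
                continue
            # Normalize case for everything except URLs, whose paths may be case-sensitive.
            values.add(value if name == "urls" else value.lower())
        found[name] = sorted(values)
    return found


# Constructed sample of the kind of note an analyst pastes from chat.
SAMPLE_TEXT = """Saw beaconing to hxxp://evil-cdn[.]example[.]com/gate.php from 198.51.100.23,
dropper md5 d41d8cd98f00b204e9800998ecf8427e, sent by badguy[at]example[.]net.
See report.pdf for the full writeup."""

if __name__ == "__main__":
    json.dump(extract(sys.stdin.read()), sys.stdout, indent=2)
    sys.stdout.write("\n")
```

Run on the sample text it reports the URL, the domain inside it, the IP, the MD5 and the e-mail address, and drops report.pdf and gate.php. That deny list is also the honest part of the example: regex extraction over-matches on anything dotted, and any defanging convention refang() does not know about is simply missed, which is why the deck says indicator extraction sucks and why the output of a filter like this still passes through an analyst (or Threat Note) before it reaches osquery or Bro.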

  58. Perfect Is the Enemy Of Good

  59. The Future: Scaling Up Collection & Storage, Expanded Threat_Notes, APIs & Integrations, Reputation & Fuzzy Indicators

  60. Links:

    github.com/defpoint/threatnote
    github.com/certsocietegenerale/FIR
    github.com/sroberts/jager
    github.com/sroberts/cacador
    github.com/kbandla/APTnotes
    github.com/armbues/iocparser
    github.com/ivanlei/threatbutt

  61. Thanks. Threat Note: @brianwarehime; FIR: @thomchop_; APTNotes: @kbandla; Jager: @kylemaxwell, @kbandla, & @deadbits
  62. Questions??? ~ @sroberts http://sroberts.github.io