Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
The Most Dangerous Game
Search
Scott J. Roberts
February 03, 2015
Technology
5
5.3k
The Most Dangerous Game
A presentation about merging Threat Intelligence and DFIR by the team behind YoloThre.at.
Scott J. Roberts
February 03, 2015
Tweet
Share
More Decks by Scott J. Roberts
See All by Scott J. Roberts
LLM SATs FTW
sroberts
0
480
STRAT - A System-Centric Approach to Cyber Resilience
sroberts
0
23
Tortured Responders Dept - Scott & Rebekah's Edition
sroberts
0
120
Skynet the CTI Intern: Building Effective Machine Augmented Intelligence
sroberts
0
110
DRIVING INTELLIGENCE WITH MITRE ATT&CK: LEVERAGING LIMITED RESOURCES TO BUILD AN EVOLVING THREAT REPOSITORY
sroberts
0
73
Exploring Threat Intelligence: Insights and Tools from Vertex Synapse
sroberts
0
51
Homemade Ramen & Threat Intelligence
sroberts
2
550
Introduction to Open Source Security Tools
sroberts
3
4.9k
Building Effective Threat Intelligence Sharing
sroberts
1
120
Other Decks in Technology
See All in Technology
NewSQLや分散データベースを支えるRaftの仕組み - 仕組みを理解して知る得意不得意
hacomono
PRO
3
230
ABEMAの本番環境負荷試験への挑戦
mk2taiga
5
1.2k
“日本一のM&A企業”を支える、少人数SREの効率化戦略 / SRE NEXT 2025
genda
1
240
対話型音声AIアプリケーションの信頼性向上の取り組み
ivry_presentationmaterials
3
850
毎晩の 負荷試験自動実行による効果
recruitengineers
PRO
5
170
Deep Security Conference 2025:生成AI時代のセキュリティ監視 /dsc2025-genai-secmon
mizutani
4
1.6k
CDKコード品質UP!ナイスな自作コンストラクタを作るための便利インターフェース
harukasakihara
2
220
伴走から自律へ: 形式知へと導くSREイネーブリングによる プロダクトチームの信頼性オーナーシップ向上 / SRE NEXT 2025
visional_engineering_and_design
3
430
事例で学ぶ!B2B SaaSにおけるSREの実践例/SRE for B2B SaaS: A Real-World Case Study
bitkey
1
390
CDK Vibe Coding Fes
tomoki10
1
610
[SRE NEXT] ARR150億円_エンジニア140名_27チーム_17プロダクトから始めるSLO.pdf
satos
5
2.7k
セキュアなAI活用のためのLiteLLMの可能性
tk3fftk
1
300
Featured
See All Featured
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
53
2.9k
Side Projects
sachag
455
42k
Rails Girls Zürich Keynote
gr2m
95
14k
Into the Great Unknown - MozCon
thekraken
40
1.9k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
48
2.9k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
667
120k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
357
30k
Large-scale JavaScript Application Architecture
addyosmani
512
110k
Making the Leap to Tech Lead
cromwellryan
134
9.4k
GraphQLの誤解/rethinking-graphql
sonatard
71
11k
Facilitating Awesome Meetings
lara
54
6.5k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
130
19k
Transcript
The Most Dangerous Game Hunting Adversaries Across the Internet
Kyle Maxwell Super Special Security Researcher @ iDefense
Scott J Roberts Advanced Persistent Incident Responder @ GitHub
How Kyle met Scott or How Scott met Kyle
If you are on the Twitter we’re @kylemaxwell & @sroberts
#YOLOTHREAT
Intelligence Concepts That everyone knows and already agrees on right…?
Data vs Intelligence Intelligence has gone through the intelligence process
Data is a raw piece of information without context
Feedback Analysis Processing Dissemination Collection Requirements Intelligence Cycle
F3EAD While… Find Exploit Finish Disseminate Fix Analyze
The Target
What is Targeting? Making a plan for focusing threat research
& investigation
Targeting Methodologies Actor Centric ~ Target Centric ~ Technology centric
Feeds Needles in Haystacks
“My 5.4 gazillion indicators can beat up your threat indicators.
Garbage in garbage out #ThreatIntel ~ Rick Holland
Honeypots Bringing the Bad Guys to You
Low vs High Interaction High interaction honeypots are a risky
& complicated way to generate high quality intelligence Low interaction honeypots are an easy way to get low value intel on commodity threats
Software Old School: HoneyNet Project New Hotness: Modern Honey Network
by Threat Stream
Vulnerability Information Taking care of your Toys
“Structured vulnerability analysis is not threat intelligence it is requirements
gathering for threat intelligence. ~ @selil
Vendor Information Blogs ~ Reports ~ Services & APIs
Personal Aside to Vendors If you’re going to release a
report, blog post, etc: do not break the Cut and Copy Actions
None
Review Your Own Incidents Mine that fancy Incident Management System…
Review Your Others Incidents By sharing or News mining
The Hunt
What to Analyze Technical Sources
What to Analyze: Hashes Reversing: • C2 info • Developer
artifacts Sources: • VxShare • VirusTotal • malwr.com
What to Analyze: Passive DNS • Single most useful tool
for infrastructure research • What resolved to what, and when? • DNSDB (Farsight), PassiveTotal, VirusTotal
What to Analyze: Whois • Tougher to Acquire • WhoDat
etc for ongoing Tracking
What to Analyze Actors
What to Analyze: Criminal • Primary Weapon: Google • Social
Media (Twitter, Facebook) • Underground forums?
What to Analyze: Espionage • This is hard • Malware
& System artifacts • whois/registrar data • actions over target
How to Keep Tracking
Threat Library • CRITs is popular, MISP also • Lighter
solutions often work • Market hasn't fully addressed this
Web Monitoring Systems • Netflix Scumblr Meta SearcH (Works alongside
Sketchy) • Recorded Future • Lots of custom development
Malware Monitoring • VirusTotal is • Malware feeds with Lots
of custom internal solutions • Maltrieve, Viper, & Cuckoo
Internal Logging • Firewall, IDS, & Proxy • Web, mail,
& DNS • Authentication & Audit
The “Kill”
Incident Response The Entire Goal… Right?
The Imitation Game Don’t let them know that you know
that they know…
Attribution Probably doesn’t matter unless you can do this
Hand Cuffs or Cruise Missiles
KICK ‘EM OUT NOW! Sometimes it’s better to watch for
a while
Intel Driven Responses deny Deceive ⁉️ degrade ⁉️ disrupt ⁉️
Destroy ‼️
Communication Who can make use of this information? ~ Who
might be able to provide additional intel?
The Hunting Stories
Products IOCs & RFIs ~ Short Form Products ~ Long
Form Products
Audience Internal - Team Internal - Organization External - Peers
External - Wide
IOCs - Generalized Stix & OpenIOC
“you pretty much need a PHD in XML to understand
either STIX or TAXII ~ Jeff Bryner
XKCD.com/927
IOCs - Specialized Yara: Malware centric av signature style IOCs,
getting more advanced Snort: Go to for network activity, Comprehensive and well supported
“OH: "Yara is an antivirus that you update using git
pull" ~ @tomchop_
Requests For Intelligence A Q/A requesting very specific Intelligence ~
Shortest form Possible ~ Fastest turn around
Short Form Products Intermediate products to support incident response ~
Focus on actionable Information
Long Form Products Comprehensive “All Source” intelligence products ~ Requires
considerable Time & a well rounded team
The Surprise…
You Can’t Download a Threat Intelligence Until now….
The Surprise Coming out of Stealth Today, our new Startup…
YOLOTHRE.At
Announcement yolothre.at has run out of runway (We used up
our whole Starbucks Gift Card) SO we’re open sourcing everything and going back to our old jobs...
YoloThre.at A collection of open source docker containers for Threat
Intel
Including Maltrieve Malware Collection Combine Threat Feed Aggregator Scumblr Social
Network Collection CRITs Intel Collection System MISP Malware Analysis Hub ELK Log Analysis Viper Malware Zoo System Thug Website Collection Tool Yara Malware Identification
Review
Review The Target The Hunt The “Kill” The Hunting Stories
Questions?
Thanks
None