All The Rosetta Stones!

The ancient Rosetta Stone carried the same decree in Egyptian hieroglyphs, Egyptian Demotic script, and Ancient Greek, which let scholars translate between the three. In threat intelligence, we use Rosetta Stones to translate the different names that our sources assign to threat activity groups into our own “native language.” What one source calls “APT1,” another source calls “Unit 61398.” But in your security operations shop’s “native language,” those names translate to “Comment Crew.” All told, it makes for a confusing situation (one that isn’t going away) as analysts juggle and triangulate reports describing threats and malware and their associated reams of indicators.
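As an added illustration (not code from the original post), here is a small Python alias resolver that does the Rosetta Stone job mechanically: each source's alias list is merged into a cluster, spelling variants like “APT 1” and “apt1” are folded together, any member resolves to the shop's house name, and a name the table has never seen comes back as unknown rather than being guessed. The source names and the house-name policy are constructed for the example; the aliases are the ones the post mentions plus spelling variants.

```python
import re
from collections import defaultdict

# Constructed sample data for this example: what each source calls the same
# activity cluster. The source labels are hypothetical; the aliases are the
# ones the post mentions plus the spelling variants analysts run into.
SOURCE_ALIASES = {
    "vendor_report_1": ["APT1", "Comment Crew"],
    "vendor_report_2": ["Unit 61398", "APT 1"],
    "vendor_report_3": ["comment crew", "unit 61398"],
}

# The shop's "native language": the name it uses for a cluster.
HOUSE_NAMES = ["Comment Crew"]


def normalize(name):
    """Fold case, whitespace and punctuation so 'APT 1' and 'apt1' match."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


class RosettaStone:
    """Union-find over normalized names: each source's alias list is merged
    into one cluster, and resolve() maps any member to the house name."""

    def __init__(self, house_names):
        self._parent = {}                   # key -> union-find parent
        self._display = {}                  # key -> first spelling seen
        self._sources = defaultdict(set)    # key -> sources that used it
        self._house = {normalize(n): n for n in house_names}

    def _find(self, key):
        while self._parent[key] != key:
            self._parent[key] = self._parent[self._parent[key]]  # path halving
            key = self._parent[key]
        return key

    def learn(self, source, names):
        """Record that `source` treats every name in `names` as one group."""
        keys = []
        for name in names:
            key = normalize(name)
            self._parent.setdefault(key, key)
            self._display.setdefault(key, name)
            self._sources[key].add(source)
            keys.append(key)
        for key in keys[1:]:
            root_a, root_b = self._find(keys[0]), self._find(key)
            if root_a != root_b:
                self._parent[root_b] = root_a

    def _members(self, root):
        return [k for k in self._parent if self._find(k) == root]

    def resolve(self, name):
        """Return (house_name, sources) for a known alias, or (None, set())
        for a name never seen, so unknowns go to analyst review instead of
        being silently mapped."""
        key = normalize(name)
        if key not in self._parent:
            return None, set()
        root = self._find(key)
        members = self._members(root)
        house = [self._house[k] for k in members if k in self._house]
        canonical = house[0] if house else self._display[root]
        sources = set().union(*(self._sources[k] for k in members))
        return canonical, sources

    def conflicts(self):
        """Clusters that swallowed more than one house name, i.e. a source
        lumped together groups the shop tracks separately."""
        by_root = defaultdict(set)
        for key, name in self._house.items():
            if key in self._parent:
                by_root[self._find(key)].add(name)
        return sorted(tuple(sorted(n)) for n in by_root.values() if len(n) > 1)


def build_sample_stone():
    stone = RosettaStone(HOUSE_NAMES)
    for source, names in SOURCE_ALIASES.items():
        stone.learn(source, names)
    return stone


if __name__ == "__main__":
    stone = build_sample_stone()
    for query in ["APT1", "unit-61398", "Never Seen Group"]:
        print(query, "->", stone.resolve(query))
    print("conflicts:", stone.conflicts())
```

The sources returned alongside the house name are the provenance an analyst wants when triangulating: they say which reports actually talked about this cluster. The conflicts() check is the caveat worth keeping: when one vendor's alias list merges two groups your shop tracks separately, the table should flag it rather than quietly collapse them.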


What Analysts Can Learn From Shadowserver’s “Italian Connection” Report

BLUF: The “Italian Connection” report from The Shadowserver Foundation is exemplary for its adherence to solid analytic tradecraft. The tradecraft is evident in the authors’ writing style, transparent methodologies, and use of structured analytic techniques. As analysts, we can learn from this report by similarly following the analytic standards that it demonstrates.


It’s a Great Week for Threat Intel Reporting

The week hasn’t even come to a close yet, and a flood of highly interesting reporting has already been released. Some of this reporting may be relevant to your organization and its information needs. Here are the reports I’ve come across:

Any one of these reports could take a while to process as analysts work to answer several important questions: Is this threat relevant to my organization? If so, how do I action the information in this report? What detection logic can my teams develop for this threat?

With so much great reporting coming out, prioritizing analytic resources to exploit the information becomes really important (especially in smaller shops).

I’ve personally managed to tackle a couple of these, but it looks like I’ve got a great reading list for the weekend : )