The ancient Rosetta Stone provided a translation between Egyptian hieroglyphs, Egyptian Demotic script, and Ancient Greek. In threat intelligence, we use Rosetta Stones to translate the different names that our sources assign to threat activity groups into our own “native language.” What one source calls “APT1,” another source calls “Unit 61398.” But, in your security operations shop’s “native language,” both of those names translate to “Comment Crew.” All told, it makes for a confusing situation, and one that isn’t going away, as analysts juggle and triangulate reports on threats, malware, and their reams of associated indicators.
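As an added example (not code from the original post), here is a small alias resolver in Python that does the Rosetta Stone translation described above: it maps the names different sources use (“APT1,” “Unit 61398”) onto the shop’s canonical name (“Comment Crew”), normalizes spelling variants such as “apt-1,” folds the indicators from several reports into one record per group, and queues names it cannot translate for analyst review instead of silently dropping them. The alias table, the source labels, and the report records are constructed sample data; the indicators use reserved documentation ranges so none of them is a real IOC.

```python
import re
from collections import defaultdict

# Constructed alias table for the example. Keys are the shop's canonical
# ("native language") names; values list (source, alias) pairs as each source
# writes the name. Source labels are placeholders, not real report citations.
ALIAS_TABLE = {
    "Comment Crew": [
        ("source_a", "APT1"),
        ("source_b", "Unit 61398"),
    ],
    "Black Vine": [
        ("source_c", "Black Vine"),
    ],
}


def normalize(name: str) -> str:
    """Collapse case, whitespace and punctuation so 'APT-1', 'apt 1' and
    'APT1' all index the same alias entry."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


class AliasResolver:
    """Translates any known alias to the canonical group name."""

    def __init__(self, alias_table):
        self._index = {}      # normalized alias -> canonical name
        self.conflicts = []   # (alias, first canonical, second canonical)
        for canonical, aliases in alias_table.items():
            names = [canonical] + [alias for _source, alias in aliases]
            for alias in names:
                key = normalize(alias)
                owner = self._index.setdefault(key, canonical)
                if owner != canonical:
                    # Same alias claimed by two groups: keep the first, flag for review.
                    self.conflicts.append((alias, owner, canonical))

    def resolve(self, name):
        """Return the canonical name, or None when the alias is unknown."""
        return self._index.get(normalize(name))


def merge_reports(resolver, reports):
    """Fold per-report indicators into one record per canonical group.

    Returns (merged, unresolved): merged maps canonical name -> dict with the
    sources, the aliases each used, and the union of indicators; unresolved
    lists (source, name) pairs the alias table cannot translate, which is the
    analyst's queue for extending the table rather than silently losing data.
    """
    merged = defaultdict(lambda: {"sources": set(), "aliases": set(), "indicators": set()})
    unresolved = []
    for report in reports:
        canonical = resolver.resolve(report["actor"])
        if canonical is None:
            unresolved.append((report["source"], report["actor"]))
            continue
        record = merged[canonical]
        record["sources"].add(report["source"])
        record["aliases"].add(report["actor"])
        record["indicators"].update(report["indicators"])
    return dict(merged), unresolved


# Constructed sample reports. Indicators use reserved documentation ranges
# (RFC 5737 addresses, example.com/.net names), so nothing here is a real IOC.
SAMPLE_REPORTS = [
    {"source": "source_a", "actor": "APT1",
     "indicators": {"192.0.2.10", "c2.example.com"}},
    {"source": "source_b", "actor": "Unit 61398",
     "indicators": {"192.0.2.10", "198.51.100.7"}},
    {"source": "source_d", "actor": "apt-1",
     "indicators": {"update.example.net"}},
    {"source": "source_c", "actor": "Black Vine",
     "indicators": {"203.0.113.5"}},
    {"source": "source_e", "actor": "Mystery Group",
     "indicators": {"203.0.113.99"}},
]


def run_example():
    """Resolve and merge the constructed reports; returns (merged, unresolved)."""
    resolver = AliasResolver(ALIAS_TABLE)
    return merge_reports(resolver, SAMPLE_REPORTS)


if __name__ == "__main__":
    merged, unresolved = run_example()
    for group, record in merged.items():
        print(group, sorted(record["aliases"]), sorted(record["indicators"]))
    print("unresolved:", unresolved)
```

The three reports that name the group as “APT1,” “Unit 61398,” and “apt-1” collapse into a single Comment Crew record with the union of their indicators (the shared 192.0.2.10 is deduplicated), while “Mystery Group” lands in the unresolved queue. The `conflicts` list catches the other failure mode, an alias that two canonical entries both claim, which is worth checking every time the table is edited.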
This year’s SANS CTI Summit was my first security conference ever. And I loved it. It was a chance to meet great people, absorb new ideas, and engage in stimulating discussions, both in and out of the conference hall, about threat intelligence.
I wanted to compile a list of my favorite threat intelligence tweets and Twitter discussion from 2015. I simply scrolled through all of my “likes” and pulled out my favorite ones. So here they are!
BLUF: The “Italian Connection” report from The Shadowserver Foundation is exemplary for its adherence to solid analytic tradecraft. The tradecraft is evident in the authors’ writing style, transparent methodologies, and use of structured analytic techniques. As analysts, we can learn from this report by similarly following the analytic standards that it demonstrates.
The week hasn’t even come to a close yet, and there has been a flood of highly interesting reporting that has been released. Some of this reporting may be relevant to your organization and information needs. Here are the reports I’ve come across:
- The Black Vine APT (Symantec)
- HAMMERTOSS Malware (FireEye)
- An Organizational Overview of Unit 61398/APT1 (Project 2049)
- Cisco Midyear Security Report (HP. Just kidding. It’s from Cisco.)
- Operation Potao Express (ESET)
Any one of these reports could take a while to process as analysts work to answer several important questions: is this threat relevant to my organization? If so, how do I action the information in this report? What detection logic can my teams develop for this threat?
With so much great reporting coming out, prioritizing analytic resources to exploit the information becomes really important (especially in smaller shops).
I’ve personally managed to tackle a couple of these, but it looks like I’ve got a great reading list for the weekend : )
BLUF: The report Threat Intelligence: Collecting, Analyzing, Evaluating is a must-read and accomplishes what Threat Intelligence For Dummies pretended to.