A Simple, Free, and Fast Open Source Workflow For Processing Indicators

Open sources provide a wealth of valuable intelligence and, often times, network- and host-based indicators to enable detection and further investigation.

I’m interested in indicators from an investigative perspective. What overlaps or “centers of gravity” can we uncover? Do any of these provide other collection opportunities (e.g., tracking a particular domain registrant) or detection opportunities (e.g., a small netblock hosting dedicated C2 infrastructure)?

My investigative process around information culled from open sources used to be manual: copying and pasting indicators, one by one, from blog posts into TXT and/or CSV documents, then querying those indicators against various external or internal datasets. That process is neither efficient nor fun.

Fortunately, the availability and quality of open source threat intelligence tools have grown in kind with the quality and quantity of open source information. Using exclusively free tools, analysts can all but bypass manual processing and dive straight into their investigation within only a minute or two.

Here’s one way to do that.


All The Rosetta Stones!

The ancient Rosetta Stone provided an approximate translation between Egyptian hieroglyphics, Egyptian Demotic script, and Ancient Greek. In threat intelligence, we use Rosetta Stones to translate the different names that our sources assign to threat activity groups into our own “native language.” What one source calls “APT1,” another source calls “Unit 61398.” But, in your security operations shop’s “native language,” those names translate to “Comment Crew.” All told, it makes for a confusing situation (that isn’t going away) as analysts juggle and triangulate reports describing threats and malware and their associated reams of indicators.


Examining Recent Ransomware Infection Techniques (And Some Thoughts on Consuming Intelligence)

Even though ransomware is one of the threats du jour, it’s not something I’ve closely studied. So I decided that this weekend was as good a time as any to conduct some research and develop a better understanding of this threat.

I wish I could say I identified novel features of what I discovered were large, multi-wave ransomware campaigns between May and August. But that didn’t happen. The reality is pretty mundane: I pulled together existing research and documented—in my own words—what others have already reported.

As an analyst, I’m okay with that. I’ve found this type of research to be typical. And it brings up thoughts (and tips!) I have on intelligence consumption. But more on those soon… First, let’s look at the recent ransomware activity.


An Important Internal Intelligence Source to Add to Your Collection Plan

Earlier this week Scott Roberts provided a useful list of intelligence collection sources for threat intelligence and security teams. His list included:

– Internal incident data
– Honeypots & the like
– Vendor reports
– Sharing communities
– Free IOC feeds
– Paid IOC feeds

I like this list because it covers automated machine-based collection—internal data, honeypots, and IOC feeds—and analyst-based, human collection: vendor reports and sharing communities. Analysts have to critically read and process reports and must dedicate time to developing external relationships, building trust. These tasks cannot be automated.

Similar to these “analyst-based” sources (which I suppose we could call, but which I’ll refrain from calling, HUMINT), I would add an additional source: internal IT and IT security staff.


Strategic Threat Intelligence: Communicating to Non-Technical Audiences

In a recent article in War on The Rocks, More Art Than Science: Intelligence and Technical Topics, authors Brian Holmes and Max Greenlee write about communicating technical intelligence subjects to policymakers.

Scientific and technical intelligence analysts thus face the great challenge of quickly, effectively, and clearly conveying information to policymakers. – Brian Holmes and Max Greenlee


Intelligence Technology and Tradecraft in 2015

With 2015 wrapped up, I wanted to reflect on some of the changes I noticed in the cyber threat intelligence (CTI) field over the course of the year. I originally had (overly) ambitious plans for this post, hoping to offer a sweeping and comprehensive review on threat intelligence. But alas. Time has expired–it’s already 2016! Instead, I decided to focus on two aspects of CTI that I’m passionate about: technology and tradecraft.

A Simple Model For Cyber Threat Targeting

BLUF: There are too many threats, and not enough time. Analysts must therefore prioritize their time on threats that are relevant to their organizations — they must be deliberate about targeting, the process of identifying and focusing on the threats that matter. While many analysts intuitively know what are and are not relevant threats, it’s still helpful to have a simple model to guide such targeting and serve as a repeatable and transparent methodology. Models presented in both a Carnegie Mellon report (page 8) and a talk from Rick Holland (slide 23) can be adapted as simple frameworks to aid in Cyber Threat Targeting.
