Source: DefCamp Archives
Threat Intelligence! It’s a hot topic in information security news, and right now, you’ve probably got several vendors trying to sell you their latest and greatest solution. Whether you purchase intel from companies like Crowdstrike or you leverage open source threat lists, you end up with millions of IoCs that are not relevant for your environment or organization. However, in an effort to migrate from Security Operations Centers to Security Intelligence Centers, threat intelligence represents a critical aspect of a proactive approach towards tackling actors in the current information security landscape.
What if you could generate high-value threat indicators that were directly applicable to your organization, without dishing out any extra money? What if you could generate all those indicators using only what you already had in place at your organization? And finally, what if setting up this whole process only took you about a day to complete?
This talk will describe how to use IDS data ingested into Splunk to generate high-integrity threat intelligence. We will then discuss how to correlate those indicators with connection logs to identify communications with those actors who have previously attacked your systems. Finally we will discuss how to generate historical profiles about each actor in order to better understand the evolution of their techniques, tactics and procedures and how to automagically store those indicators to generate threat activity alerts in the future. As a bonus, we will show you how to build an eye-catching intelligence report for management.