Tag Archives: Threat Intel

DefCamp 2016 – THREAT INTELLIGENCE! DIY!

Source: DefCamp Archives

Threat Intelligence! It’s a hot topic in information security news, and right now, you’ve probably got several vendors trying to sell you their latest and greatest solution. Whether you purchase intel from companies like Crowdstrike or you leverage open source threat lists, you end up with millions of IoCs that are not relevant for your environment or organization. However, in an effort to migrate from Security Operations Centers to Security Intelligence Centers, threat intelligence represents a critical aspect of a proactive approach towards tackling actors in the current information security landscape.

What if you could generate high-value threat indicators that were directly applicable to your organization, without dishing out any extra money? What if you could generate all those indicators using only what you already had in place at your organization? And finally, what if setting up this whole process only took you about a day to complete?

This talk will describe how to use IDS data ingested into Splunk to generate high-integrity threat intelligence. We will then discuss how to correlate those indicators with connection logs to identify communications with those actors who have previously attacked your systems. Finally, we will discuss how to generate historical profiles about each actor in order to better understand the evolution of their techniques, tactics and procedures, and how to automagically store those indicators to generate threat activity alerts in the future. As a bonus, we will show you how to build an eye-catching intelligence report for management.
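The pipeline the abstract outlines (IDS alerts turned into per-actor indicators, correlated against connection logs, rolled up into a historical profile and a short report), as an added example that is not the speakers' or DefCamp's code. It is plain Python over constructed sample data rather than Splunk searches; the Snort-style alert layout, the CSV connection log, the address ranges in `INTERNAL_NETS` and every IP address are assumptions made for the example.

```python
import csv
import io
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed IDS alerts in Snort "fast" alert format (assumed layout, not real traffic).
# The fast format carries no year, so extract_indicators() takes one as a parameter.
IDS_ALERTS = """\
03/02-09:15:22.000000 [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Priority: 2] {TCP} 203.0.113.10:51234 -> 198.51.100.5:22
03/02-09:16:01.000000 [**] [1:2019876:3] ET WEB_SERVER Possible SQL Injection [**] [Priority: 1] {TCP} 203.0.113.10:51300 -> 198.51.100.8:80
03/03-11:02:45.000000 [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Priority: 2] {TCP} 203.0.113.77:40000 -> 198.51.100.5:22
03/03-11:03:10.000000 [**] [1:2022050:1] ET POLICY Outbound TLS from internal host [**] [Priority: 3] {TCP} 10.0.0.25:49152 -> 203.0.113.99:443
"""

# Constructed connection log (firewall/flow export as CSV; constructed values).
CONN_LOG = """\
ts,src_ip,src_port,dst_ip,dst_port,proto,bytes
2016-03-04T02:11:09,203.0.113.10,52000,198.51.100.20,443,tcp,1820
2016-03-04T02:11:44,203.0.113.10,52001,198.51.100.20,8443,tcp,400
2016-03-04T03:30:00,192.0.2.4,33000,198.51.100.20,443,tcp,900
2016-03-05T08:00:00,10.0.0.25,49160,203.0.113.77,80,tcp,5000
"""

# Address space the (constructed) organization owns, private and public; everything
# else is treated as external. A real deployment lists its own ranges here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]

ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2})\.\d+ \[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[\*\*\] "
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$"
)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


@dataclass
class ActorProfile:
    """Historical profile of one external source that triggered IDS alerts."""
    ip: str
    first_seen: datetime
    last_seen: datetime
    alert_count: int = 0
    signatures: set = field(default_factory=set)  # distinct IDS messages seen
    targets: set = field(default_factory=set)     # internal hosts it touched


def extract_indicators(alert_text, year):
    """Turn IDS alerts into per-actor profiles keyed by external source IP.

    Only alerts whose *source* is outside our own address space are kept: an
    alert raised on traffic leaving an internal host describes our own machine,
    and treating that host as an "actor" would poison the indicator set.
    """
    profiles = {}
    for line in alert_text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # tolerate lines in an unexpected format
        src = m.group("src")
        if is_internal(src):
            continue
        ts = datetime.strptime(f"{year}/{m.group('ts')}", "%Y/%m/%d-%H:%M:%S")
        p = profiles.setdefault(src, ActorProfile(src, ts, ts))
        p.first_seen = min(p.first_seen, ts)
        p.last_seen = max(p.last_seen, ts)
        p.alert_count += 1
        p.signatures.add(m.group("msg"))
        p.targets.add(m.group("dst"))
    return profiles


def correlate(profiles, conn_csv):
    """Find connection-log rows that involve a known actor on either side.

    Direction matters for triage: an inbound hit is the actor coming back;
    an outbound hit is one of our hosts initiating contact with a past attacker.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(conn_csv)):
        if row["src_ip"] in profiles:
            hits.append({"actor": row["src_ip"], "direction": "inbound", **row})
        elif row["dst_ip"] in profiles:
            hits.append({"actor": row["dst_ip"], "direction": "outbound", **row})
    return hits


def render_report(profiles, hits):
    """Plain-text summary of each actor and its later connections."""
    lines = []
    for ip, p in sorted(profiles.items()):
        span = f"{p.first_seen:%Y-%m-%d} .. {p.last_seen:%Y-%m-%d}"
        lines.append(f"{ip}: {p.alert_count} alerts, {len(p.signatures)} signatures, active {span}")
        for h in [h for h in hits if h["actor"] == ip]:
            lines.append(f"    {h['direction']:8} {h['ts']} {h['src_ip']} -> {h['dst_ip']}:{h['dst_port']}")
    return "\n".join(lines)


if __name__ == "__main__":
    actors = extract_indicators(IDS_ALERTS, year=2016)
    print(render_report(actors, correlate(actors, CONN_LOG)))
```

The same split the abstract describes maps onto a Splunk deployment as a scheduled search over the IDS index that writes the actor table to a lookup, and a second search that joins connection logs against that lookup; the outbound case is the one worth alerting on first, since an internal host reaching out to a known past attacker is rarely benign.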


Filed under Conference, Events, InfoSec, Talks

Bryson LOUGHMILLER – Speaker @ DefCamp #7

Bryson Loughmiller received his Master of Information Systems Management degree with an emphasis in Information Security from Brigham Young University. For the past year and a half, he’s enjoyed working at Adobe as an Information Security Analyst/Engineer, where he works to correlate large amounts of data in an effort to catch and stop threats. He is an avid Splunk-er, amateur Python-er, and has broken his fair share of VMs while experimenting with systems. Bryson also co-developed MarcoPolo, an open source system (to be released) for phishing prevention and workforce training against social engineering. https://www.linkedin.com/in/brysonloughmiller 

Threat Intelligence! DIY!

Co-Presenter is Daniel Barbu, Adobe – Lead, Information Security Engineer.



Filed under InfoSec, Talks

Speaker @ DefCamp #7

Daniel BARBU is a Ph.D. candidate in the field of Information Security who brings passion into his daily tasks. He enjoyed learning and growing while working at Electronic Arts, Dell Secureworks and now Adobe. As a member of the OWASP Bucharest Chapter and RAISA (Romanian Association for Information Security Assurance), Daniel is constantly seeking opportunities to popularize information security. On a personal note, he feels he owes his accomplishments to his wife and kid. Daniel is currently leading a team at Adobe Systems Romania, where he focuses on the growth of the team members’ skill set.

Threat Intelligence! DIY!

Co-Presenter is Bryson Loughmiller, Information Security Engineer at Adobe.



Filed under InfoSec, Talks

Migration of a SOC to SIC: Security Operations Center vs. Security Intelligence Center. The Use of Honeypots for Threat Intelligence.

Authors: Ionut-Daniel BARBU & Cristian PASCARIU

Published: SRAC CCF 2016 

Abstract

The purpose of this paper is to emphasize the advantages of transitioning from the classic Security Operations Center to an advanced model that leverages intelligence to understand and anticipate threats targeting the organization. By contrasting the proactive and reactive approaches to cybersecurity, the paper presents a comparison between the two models. It focuses first on the ability to anticipate threats before they become incidents, and on the drawbacks of the classical SOC, including its reactive security posture and monitoring. Furthermore, the article analyzes the impact of such a transition on both processes and people. The automation aspect of the migration is worth mentioning: it frees analysts from routine activities, allowing them to focus on the intelligence gathered. As the enterprise-oriented tools from various vendors are intended to work for everyone but are optimized for no one, the authors highlight the importance of deploying custom tools supported by knowledgeable engineering teams. On that matter, the final part of the paper is dedicated to honeypot deployment, underlining its benefits from a Threat Intelligence perspective.


Filed under Articles, Talks

[Recommended] Threat Intel | Meeting Mr. Black

Check out this awesome project from nullsecure.org

Source: Threat Intel | Meeting Mr. Black


Filed under Recommendations, Uncategorized