Intelligence

One of my favorite things is talking to students and people new to the security field. It feels like yesterday I was wandering around the first Shmoocon as a student in awe of the people I met and the work they were doing. Now I’m 10 years into my career and have a whole different perspective (though still in awe with those folks). Starting a career in infosec isn’t easy and while there are better general introductions I wanted to add my perspective on getting started in Digital Forensics and Incident Response (DFIR). ...

I can’t talk about important intelligence concepts for security without talking about the grand daddy, the original: the Intelligence Cycle. This should be great discussion fodder for anyone who has to talk to someone who claims they’re selling some form of Threat Intelligence product, given in most cases they seem to be using the phrase in place of the word smart. Intelligence vs smart couldn’t be farther from the truth. ...

I’m lucky enough to get to go to FIRST 2015 in Berlin. I’ll be speaking on Tuesday afternoon, but one of the best things about conferences like this is being able to attend other sessions. I’ve never been to FIRST before, and this year looks jam packed. Here are the talks I’m most excited about and you’ll be likely to find me in. Monday June 15: Time Presentation Presenter Notes 11:00 Building instantly exploitable protection for yourself and your partners against targeted cyber threats using MISP Mr. Andras IKLODY (CIRCL) MISP is one of the bigger open source threat intelligence platforms (along with CRITs). I’m pretty familiar with CRITs, but I’m curious to see what mature MISP can do. 13:00 –3J4E — JIGSAW, JUMPSTART, JUNCTURE: Three Ways to Enhance Cyber-Exercise-Experience Mr. Stefan RITTER (National IT-Situation Centre and CERT-Bund, German Federal Office for Information Security BSI) I’m really interested in writing better table top exercises. This seems like a dramatically different approach. 14:00 So You Want a Threat Intelligence* Function (*But Were Afraid to Ask) Mr. Gavin REID (Lancope) So this sounds along the lines of a talk that Kyle Maxwell and I put together for BlackHat USA (but unfortunately didn’t get accepted). I’ve thought a lot about how to build useful directed Threat Intelligence, so this is super curious. 16:00 Incident Response Programming with R Mr. Eric ZIELINSKI (Nationwide) I don’t write R, not sure I ever would, but better data analysis is super important for better incident response. Also Nationwide is from my current hometown, so I’m happy to support the local guy. This is going to be a full day, which is a great thing for me. Lots of great talks, a wide variety of topics. Should be fun. ...

One of the most talked-about intelligence concepts in information security today is F3EAD. Standing for Find, Fix, Finish, Exploit, Analyze, and Disseminate, this is a methodology for combining operations (in this case we’re talking about kinetic ops) and the intelligence process. While the Intelligence Cycle & SANS IR cycle are both useful, they are ultimately academic. If the goal is Intelligence-Driven Incident Response, we need to combine intelligence with ops, and that’s where F3EAD shines. ...

While I certainly didn’t plan to release this post the same day Paterva released their latest update, Maltego Chlorine, it’s a happy coincidence. It’s a great day to go download fresh Maltego hotness and start writing some transforms! Maltego is one of the most unusual tools in the information security space. While there are dozens of vulnerability scanners and piles of reversing tools, there’s nothing else like Maltego short of spending $$$ on Palantir. If you’re not familiar, check out this HakTip by Revision3 on Maltego 101. Don’t worry, I’ll wait. ...

A small number of topics get intelligence driven incident responders incredibly frustrated: Using intelligence to mean smart (I’ll share more about that later this week) Bad attribution based on incomplete information and bad assumptions Misuse of the term APT (in most cases by marketing departments) Advanced Persistent Threat remains the buzzword of choice for vendors, but it’s used incorrectly, and lots of people know that and don’t say anything. As a result I want to go on the record and correct a couple key misnomers. ...

The information security community loves lists, cycles, and other guides for actions. We have important steps that need to be followed, but no investigation is exactly the same, and every one requires a bit of improvisation. So how do you balance these needs? The paradox of disciplined steps mixed with room to adapt to a situation. Lots of groups are posing solutions, some useful, some not so useful, and some 100% misconstrued. I’m going to take this week to break down a number of the most common cycles and processes including OODA (keep reading!), the Intelligence Cycle, the Cyber Kill Chain, & F3EAD. ...

It’s impossible to be involved in the information security community right now and to avoid the incident going on at Sony. All of the details of the attack by “The Guardians of Peace” may never be publicly known, but it is safe to say that this has become one of the defining computer security events from a public perspective. Plenty of people are addressing this from a variety of angles so I just want to speak to one, somewhat tertiary but none the less key issue, the “attribution” debate. ...

At the end of last year I was invited few places (CentralPA Open Source, BSidesDFW, & BayThreat) and gave a talk about some of the work I’ve done to adapt Hubot, GitHub’s friendly-ish chatbot, and GitHub’s Chat Ops workflow for DFIR. While it was great to get the ideas out there’s a lot to deploying, using, and customizing VTR. So this is my extended breakdown of ChatOps, Hubot, Hubot-VTR, and building modules in CoffeeScript. My Presentation Building Your Own DFIR Sidekick ...