Intelligence

A small number of topics get intelligence driven incident responders incredibly frustrated: Using intelligence to mean smart (I’ll share more about that later this week) Bad attribution based on incomplete information and bad assumptions Misuse of the term APT (in most cases by marketing departments) Advanced Persistent Threat remains the buzzword of choice for vendors, but it’s used incorrectly, and lots of people know that and don’t say anything. As a result I want to go on the record and correct a couple key misnomers....

The information security community loves lists, cycles, and other guides for actions. We have important steps that need to be followed, but no investigation is exactly the same, and every one requires a bit of improvisation. So how do you balance these needs? The paradox of disciplined steps mixed with room to adapt to a situation. Lots of groups are posing solutions, some useful, some not so useful, and some 100% misconstrued....

It’s impossible to be involved in the information security community right now and to avoid the incident going on at Sony. All of the details of the attack by “The Guardians of Peace” may never be publicly known, but it is safe to say that this has become one of the defining computer security events from a public perspective. Plenty of people are addressing this from a variety of angles so I just want to speak to one, somewhat tertiary but none the less key issue, the “attribution” debate....

At the end of last year I was invited few places (CentralPA Open Source, BSidesDFW, & BayThreat) and gave a talk about some of the work I’ve done to adapt Hubot, GitHub’s friendly-ish chatbot, and GitHub’s Chat Ops workflow for DFIR. While it was great to get the ideas out there’s a lot to deploying, using, and customizing VTR. So this is my extended breakdown of ChatOps, Hubot, Hubot-VTR, and building modules in CoffeeScript....