Cyber Intelligence Tsunami
This week fellow handler Chris posted about gathering intelligence from blog spam, the SANS ISC has posted a number of times about cyber intelligence as a valuable resource, and by now you should all know that Russ has posted on his blog about CIF, the Collective Intelligence Framework.
With only a little configuration, CIF links out of the box to a number of automatically ingested intelligence feeds, including some from the SANS ISC.
So, once you have all this open source intelligence gathered, one of the powers of CIF is that it can produce Snort rules, iptables rules and so on, but that is only the start.
MITRE has this year released definitions for STIX, TAXII and CybOX to aid in this space, allowing analysts to describe and transfer cyber intelligence from place to place: from peer organisation to peer organisation, or from a cyber intelligence hub to its members. This has been defined in other ways too, and IODEF is one of those.
So, what is the next step? Assuming you have implemented some sort of automated intelligence gathering operation, you will now have a database (or similar) full of actionable information. How do you apply that to your organisation, and how do you enrich that information to make it truly actionable intelligence?
The next step is to bolt into (or implement, if you have not already) the automation you have in place within your organisation to search your security logs for potential hits on these indicators.
Examples here include using the Splunk API to automate searches for C2 indicators, or other searches across your logs using regular expressions built from the data you have collected. A good open source example of this is using MalwareSigs to provide regular jobs you can run to search for badness.
So, once your searches have found hits, what do you do with them? You should certainly automate, or at least make as light-touch as possible, as many of your processes as you can. Blocking or recategorisation of IPs and domains which intelligence shows as highly likely to be malicious could be done automatically, with the understanding that the intelligence is not always 100% accurate and a block may have an impact.
What other examples can you think of that would allow intelligence-led analysis to be automated, relieving you, your team members and your organisation from what will become the Cyber Intelligence Tsunami?
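To make the last two steps concrete, here is an added example (written for this diary, not code from CIF, MalwareSigs or Splunk): a small Python job that takes a set of indicators with a confidence score, as a feed such as CIF might supply them, searches proxy log lines for hits, and then gates the automatic response on that confidence. The indicators, log lines, confidence values and the 80% auto-block threshold are all constructed for illustration. Two practitioner details are baked in: domain indicators are matched on DNS labels rather than by plain substring (so an attacker-controlled `notc2.example-bad.test.attacker.test` does not light up an indicator for `c2.example-bad.test`), and anything below the threshold, or matched only by a URL pattern, goes to an analyst queue instead of straight into a firewall rule.

```python
"""Added example for this diary: match threat-intelligence indicators against
proxy log lines, then decide what may be blocked automatically.
All indicators, log lines and thresholds are constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Indicator:
    kind: str         # "ip" (address or CIDR), "domain", or "url_regex"
    value: str
    confidence: int   # 0-100, hypothetical score as a feed might report it
    source: str       # hypothetical feed name


@dataclass(frozen=True)
class Hit:
    indicator: Indicator
    log_line: str


# Constructed indicator set (documentation ranges / .test names only).
INDICATORS = [
    Indicator("domain", "c2.example-bad.test", 95, "feed-a"),
    Indicator("ip", "203.0.113.45", 85, "feed-b"),
    Indicator("ip", "198.51.100.0/24", 60, "feed-b"),      # shared hosting: low confidence
    Indicator("url_regex", r"/gate\.php\?id=[0-9a-f]{8}", 90, "feed-c"),
    Indicator("domain", "cdn.example-shared.test", 40, "feed-a"),
]

# Constructed proxy log lines: timestamp src_ip dst_ip method url
LOG_LINES = [
    "2013-09-10T10:01:02Z 10.0.0.12 203.0.113.45 GET http://c2.example-bad.test/gate.php?id=deadbeef",
    "2013-09-10T10:01:05Z 10.0.0.13 192.0.2.10 GET http://www.example-good.test/index.html",
    "2013-09-10T10:02:11Z 10.0.0.14 198.51.100.77 POST http://files.cdn.example-shared.test/dl",
    "2013-09-10T10:03:30Z 10.0.0.12 192.0.2.99 GET http://legit.test/gate.php?id=cafebabe",
    "2013-09-10T10:04:00Z 10.0.0.15 192.0.2.20 GET http://notc2.example-bad.test.attacker.test/x",
]


def domain_matches(indicator_domain: str, hostname: str) -> bool:
    """Exact or child-domain match on DNS labels: 'c2.example-bad.test' matches
    'x.c2.example-bad.test' but not 'notc2.example-bad.test.attacker.test',
    which a naive substring search would wrongly flag."""
    ind = indicator_domain.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    return len(host) >= len(ind) and host[-len(ind):] == ind


def ip_matches(indicator_ip: str, dst_ip: str) -> bool:
    """True if dst_ip is the indicator address or falls inside its CIDR."""
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(indicator_ip, strict=False)


def find_hits(log_lines, indicators=INDICATORS):
    """Run every indicator over every log line; one Hit per (indicator, line)."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort the whole job
        _ts, _src, dst_ip, _method, url = parts
        host = urlsplit(url).hostname or ""
        for ind in indicators:
            if ind.kind == "ip" and ip_matches(ind.value, dst_ip):
                hits.append(Hit(ind, line))
            elif ind.kind == "domain" and domain_matches(ind.value, host):
                hits.append(Hit(ind, line))
            elif ind.kind == "url_regex" and re.search(ind.value, url):
                hits.append(Hit(ind, line))
    return hits


def plan_response(hits, auto_block_threshold=80):
    """Turn hits into actions. Only high-confidence IP and domain indicators are
    blocked automatically; feeds are not 100% accurate and a block has impact,
    so low-confidence and URL-pattern hits are queued for an analyst instead."""
    plan = {"iptables": [], "proxy_blocklist": [], "review": []}
    for hit in hits:
        ind = hit.indicator
        if ind.kind == "ip" and ind.confidence >= auto_block_threshold:
            rule = f"iptables -A FORWARD -d {ind.value} -j DROP"  # hypothetical gateway rule
            if rule not in plan["iptables"]:
                plan["iptables"].append(rule)
        elif ind.kind == "domain" and ind.confidence >= auto_block_threshold:
            if ind.value not in plan["proxy_blocklist"]:
                plan["proxy_blocklist"].append(ind.value)
        else:
            plan["review"].append((ind.value, ind.confidence, ind.source, hit.log_line))
    return plan


if __name__ == "__main__":
    for action, items in plan_response(find_hits(LOG_LINES)).items():
        print(action)
        for item in items:
            print("   ", item)
```

Run stand-alone it prints one iptables rule, one proxy blocklist entry and four review items; the `/24` indicator and the low-confidence CDN domain never reach the firewall even though they produced hits, which is the "not always 100% accurate" caveat made mechanical. Swapping `LOG_LINES` for the output of a Splunk or MalwareSigs search job is the only change needed to bolt this onto a real pipeline.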