Open source threat intelligence tools and hunting

Organizations need to identify and disposition new threats to ensure active, adaptive defense. This workshop will walk through open source resources and freely-available techniques to identify new threats and attack trends, and how to then formulate defensive strategies for enterprise protection.

Even small organizations must identify mechanisms to ingest threat intelligence to inform detections, enable response, and allow for potential preventive action by identifying threats before they strike. This workshop is designed to provide a quick - but useful - overview of techniques, resources, and methodologies leveraging freely available sources and tools to build out an actionable threat intelligence and threat hunting operation suitable for organizations of almost any size. The workshop will start with 1-1.5 hours of discussion and lecture, then lead into a 1-1.5 hour exercise/demonstration. Attending without one is possible, but attendees are strongly encouraged to bring a computer able to access the Internet and run virtual machines. Any tools or other items needed (or recommended) will be provided or hosted for attendees.

Instructor background

Joe Slowik has experience across multiple facets of cyber and information operations stretching over 10 years. Past roles include operations planning and mission development within the US Department of Defense; planning network defense strategies for US Naval assets afloat; running incident response operations at Los Alamos National Laboratory; building a threat intelligence program within the US Department of Energy; critical infrastructure attack analysis and activity tracking; and assisting industrial control system asset owners and operators in defensive planning and response.

Prerequisites

Ability to run simple command-line tools (e.g., strings) may be beneficial but is not necessary.

Agenda
  • Open source intelligence and information gathering
      • Company blogs, articles, and media reporting
      • Social media and Twitter
      • Public threat feeds: AlienVault, IBM X-Force
  • Sample gathering and extracting information
      • HybridAnalysis, ANY.RUN, VirusShare – VT (commercial)
      • How to read an analysis or incident report
      • Extracting information for use and application
  • Formulating information into hypotheses and pivoting
      • Network pivoting: DomainTools, RiskIQ, VirusTotal (free)
      • Host/Binary pivoting: VirusTotal, HybridAnalysis
  • Overview and exercise:
      • Beginning with a single sample (malicious document file), extracting additional information
      • Identifying items of interest in document, identifying payload
      • Using information to identify general patterns, trends, and behaviors
      • Translating identified information into rules, hunting hypotheses, and defensive measures
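The exercise path above (single sample, extract strings and indicators, translate into rules and hunting hypotheses) as an added worked example; this is not workshop material or the instructor's code. The sample bytes are constructed to stand in for a document's embedded macro/payload, the `strings`-style extraction mirrors the command-line tool named in the prerequisites, the rule output is a YARA skeleton, and the log-source mapping for each hypothesis is an assumption about what a typical enterprise collects.

```python
import re
from typing import Dict, List

# Constructed stand-in for bytes carved from a malicious document; not a real sample.
# It mixes binary noise with the kinds of artifacts the exercise looks for.
SAMPLE = (
    b"\x00\x01binaryjunk\x00Sub AutoOpen()\x00"
    b"http://update-check.example.net/dl/payload.exe\x00"
    b"C:\\Users\\Public\\svc_update.exe\x00"
    b"203.0.113.45\x00"
    b"powershell -enc\x00"
    b"\xff\xfe"
)

IOC_PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "win_path": re.compile(r"[A-Za-z]:\\[^\s\"'<>]+"),
}

# Assumed keyword list: macro entry points and living-off-the-land hints worth flagging.
SUSPICIOUS_KEYWORDS = ("AutoOpen", "Document_Open", "powershell", "-enc", "Shell(")


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Behave like `strings`: runs of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def extract_iocs(strs: List[str]) -> Dict[str, List[str]]:
    """Pull network and host indicators out of the extracted strings (deduplicated)."""
    found: Dict[str, List[str]] = {kind: [] for kind in IOC_PATTERNS}
    for s in strs:
        for kind, pat in IOC_PATTERNS.items():
            for match in pat.findall(s):
                if match not in found[kind]:
                    found[kind].append(match)
    return found


def find_keywords(strs: List[str]) -> List[str]:
    """Report which suspicious keywords appear anywhere in the strings."""
    return [kw for kw in SUSPICIOUS_KEYWORDS if any(kw in s for s in strs)]


def domain_from_url(url: str) -> str:
    """Strip scheme, path and port so the domain can be pivoted on (passive DNS, WHOIS)."""
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0]


def escape_yara(value: str) -> str:
    """Escape backslashes and quotes for a YARA text string."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_yara_rule(name: str, iocs: Dict[str, List[str]]) -> str:
    """Turn URL and path indicators into a minimal YARA rule skeleton."""
    lines = [f"rule {name}", "{", "    strings:"]
    idx = 0
    for kind in ("url", "win_path"):
        for value in iocs[kind]:
            lines.append(f'        $s{idx} = "{escape_yara(value)}" ascii wide')
            idx += 1
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)


def hunting_hypotheses(iocs: Dict[str, List[str]]) -> List[str]:
    """Map each indicator to the log source where it could be hunted (assumed sources)."""
    hyps = []
    for url in iocs["url"]:
        hyps.append(f"Proxy/DNS logs: hosts resolving or connecting to {domain_from_url(url)}")
    for ip in iocs["ipv4"]:
        hyps.append(f"Firewall/NetFlow: outbound connections to {ip}")
    for path in iocs["win_path"]:
        hyps.append(f"EDR/Sysmon process creation: image path {path}")
    return hyps


def analyze(data: bytes) -> Dict[str, object]:
    """Run the full exercise pipeline over one sample's bytes."""
    strs = extract_strings(data)
    iocs = extract_iocs(strs)
    return {
        "strings": strs,
        "iocs": iocs,
        "keywords": find_keywords(strs),
        "rule": build_yara_rule("suspicious_doc", iocs),
        "hypotheses": hunting_hypotheses(iocs),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE)
    print(result["rule"])
    for hyp in result["hypotheses"]:
        print("-", hyp)
```

Each extracted domain, IP and file path is a pivot point: look it up in the free tiers of the services listed in the agenda to find related infrastructure or samples, then widen the rule and hypotheses from one indicator to the pattern behind it.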