--[ Threat Hunting With Jupyter

Abstract

Moving beyond prepared data presentation (think dashboards) to rapid triage and automation of threat discovery is a must these days. One of the easiest ways in is to combine tools such as Jupyter with information-provider APIs such as VirusTotal, Shodan and AlienVault.

In this class, we will cover basic Python scripting syntax to gather, transform, and explore data. We'll also process log files so that Indicators of Compromise (IoCs) can be investigated. Then, we'll output findings as data visualizations using Python libraries such as Matplotlib and Pandas, and as HTML-based force-directed graphs.

Topics we will cover:

  • STIX/TAXII 2.0: threat intelligence exchange systems for conveying information

  • Threat information provider API access and queries: AlienVault, MISP, MITRE ATT&CK models

  • Data grooming and filtering

  • Processing suspected threat activity for discovery and mitigation

  • Jupyter Notebooks

  • Python

  • JavaScript

  • HTML

Specific tools and packages will include:

  • TI providers: look up IoCs across multiple TI providers; built-in providers include AlienVault OTX, IBM X-Force, VirusTotal and Shodan

  • Vtlookup: VirusTotal API access for IoC processing

  • IP geolocation: we'll look at two packages, GeoLiteLookup (MaxMind) and IPStackLookup

  • Eventcluster: summarization of large numbers of events into clusters of distinct patterns using unsupervised ML modules
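The log-processing and data-grooming steps outlined above, as an added example that is not part of the class materials or any of the packages listed: it pulls IPv4 addresses, SHA-256 hashes and domains out of constructed sample log lines, drops internal addresses and allowlisted values, and ranks what remains so only a short, deduplicated list goes out to the TI provider lookups. The log format, field names (`host=`, `qname=`) and allowlist are assumptions.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample log lines (not real data); the public IPs are RFC 5737
# documentation addresses and the hash is the SHA-256 of the empty string.
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z proxy allow src=10.0.0.12 dst=203.0.113.7 host=updates.example.com
2024-03-01T10:00:05Z edr alert host=wks-17 sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 path=C:\\tmp\\a.exe
2024-03-01T10:00:09Z dns query src=10.0.0.12 qname=login-portal.example.net
2024-03-01T10:00:12Z proxy deny src=10.0.0.15 dst=198.51.100.23 host=cdn.example.org
2024-03-01T10:00:20Z proxy allow src=10.0.0.12 dst=203.0.113.7 host=updates.example.com
"""
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
# Take domains only from fields known to hold them (assumed field names), so a
# file name such as a.exe in a path is not mistaken for a hostname.
FIELD_DOMAIN_RE = re.compile(r"\b(?:host|qname)=([A-Za-z0-9.-]+)")
# Explicit internal ranges: ipaddress's is_private would also drop the RFC 5737
# documentation ranges used in the constructed sample above.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internal(ip):
    """True for internal ranges and for strings the loose regex matched that are not IPs."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # e.g. 999.1.1.1
        return True
    return any(addr in net for net in INTERNAL_NETS)

def extract_iocs(log_text):
    """Return {'ipv4': Counter, 'sha256': Counter, 'domain': Counter} of IoC hits."""
    found = {"ipv4": Counter(), "sha256": Counter(), "domain": Counter()}
    for line in log_text.splitlines():
        for ip in IPV4_RE.findall(line):
            if not is_internal(ip):            # grooming: skip internal hosts
                found["ipv4"][ip] += 1
        for h in SHA256_RE.findall(line):
            found["sha256"][h.lower()] += 1     # normalise case so duplicates merge
        for d in FIELD_DOMAIN_RE.findall(line):
            if "." in d:                        # wks-17 is a bare hostname, not a domain
                found["domain"][d.lower()] += 1
    return found

def lookup_candidates(found, allowlist=frozenset()):
    """Flatten to (type, value, hits) rows, most-seen first, minus allowlisted values."""
    rows = []
    for ioc_type, counter in found.items():
        for value, hits in counter.most_common():
            if value not in allowlist:
                rows.append((ioc_type, value, hits))
    return rows
```

`lookup_candidates(extract_iocs(SAMPLE_LOGS), {"updates.example.com"})` is the list you would feed to the provider lookups; the same extract-then-filter loop works on real proxy, DNS and EDR exports once the field regex is adjusted to their format.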