Some Scenario Solutions to Effective Threat Intelligence

Effective Threat Intelligence includes a number of scenarios designed to help solidify the content. I have invited readers to provide their solutions and was fortunate to have Andre provide his take.

Andre Gironda has an impressive résumé, including restructuring organizations around models that delegate risk decisions to cyber operations teams, and he has spoken worldwide on risk models, cyber threat intelligence, DFIR, APT hunter-killer teaming, and red-team analysis.

You can find his solutions on my site here.


Effective Threat Intelligence Free for a limited time!

Click here to get the Kindle version free!

Until Tuesday the Kindle version of Effective Threat Intelligence is free! I set up this amazing offer as a thanks for participating and to drive up the excitement of launching my very first book! If you were ever reluctant to purchase the book, now you can get it for free before you start your workday!

If you have already purchased the Kindle book during the weekend, please email me at to sort it out.

Have you already bought the book? Looking for other ways to support?

– Purchase other book versions. Both free and paid versions give me a boost on Amazon.
– Give the book reviews on Amazon.
– Share my Twitter, LinkedIn, and website with other infosec professionals.
– If you have purchased the physical copy, make sure you also pick up the free Kindle copy!

Thanks so much for your support in making this day come. I am amazed at how many people keep coming out to help support this project, and I am so happy to share it with you!


Virtual Book Party for Effective Threat Intelligence!

Come join me on Google Hangouts for a virtual release party to celebrate the launch of my new book! Win 1 of 3 raffled copies, find out how you can get a discounted version on Kindle, and help support my launch! Thanks for all the support to get this far! So many people have given their time and energy to help me get this book published!

Join me on Sunday, June 26th at 2 pm Central by clicking here for the event.

The great thing about a virtual party is that I can invite all of my supporters across the world to come visit, discuss the challenges of self-publishing, why threat intelligence is important, or just to see the unique people who know each other. If nothing else, little Addy will be making an appearance! I hope you can drop by and celebrate with us!

Choosing the right place to hunt for threat intelligence

Building a hunt team is becoming popular in the threat intelligence world. Proactively searching for interesting threat information can help a SOC detect new threats and problems. Sometimes a hunt turns up something that has been in the environment for years. A successful hunt is a lot of fun, and analysts always enjoy bringing back a trophy of something they found.

Hunt programs can also be designed to look for threat intelligence. When discussing a hunt program, I like to consider where my hunting grounds are. I separate hunting into two categories:

– External to the company environment
– Internal to the company environment

Hunting for information external to the environment is a popular tactic. Bad guys are everywhere and are doing interesting things all of the time. Researching them for indicators can lead in many interesting directions, including underground and clandestine organizations. However, all of this exploring quickly raises questions of authority. Should you connect to a malicious website from a sandbox? Should you purchase stolen documents to look for company credentials? Overall, I feel this type of activity is best left to research companies and government/law enforcement, because it quickly gets into legally gray areas and into violating personal privacy.

Internal hunting is similar in that you are moving around the environment looking for things that are suspicious. The difference is that you own the infrastructure. Internal hunting will generally net a higher benefit for your organization: if you see something in your environment, you know it is attacking your environment or has already done so. Conversely, an external threat may never be interested in attacking you. It therefore makes sense to concentrate on strange behavior in your own environment and match it up with what is happening outside, rather than trying to solve external problems in order to prevent them internally.

A great hunt team will be able to notice anomalies and inefficiencies in the network. The indication that something is amiss can have many causes. Although it could be the next APT breaking down your door, it could just as easily be a misconfigured server. That is not to say the latter should be ignored; if you document it and show it to the process owners, you help make the whole system better.
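As an added example, not code from the original post or from any tool it names, here is a small Python pass over a constructed proxy log that illustrates the internal-first approach described above: flag behavior that is strange for your own environment (hosts checking in with a destination at near-constant intervals, and domains that only one host ever talks to), and only then check those findings against an external indicator list. Anything that matches gets escalated; anything that does not is still worth showing to the process owner, since it may be a misconfigured server rather than an intrusion. The hostnames, domains, timestamps and the indicator set are all hypothetical.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy log, one line per request:
#   <epoch seconds> <source host> <destination domain> <bytes sent>
# Hosts, domains and timestamps are invented for this illustration.
SAMPLE_LOG = """
1466000000 ws-12 cdn.example.com 54000
1466000500 ws-12 cdn.example.com 61000
1466001300 ws-12 cdn.example.com 58000
1466001400 ws-12 cdn.example.com 60500
1466000200 ws-07 cdn.example.com 52000
1466000900 ws-03 cdn.example.com 49000
1466000000 ws-07 bad.example.net 512
1466000600 ws-07 bad.example.net 512
1466001200 ws-07 bad.example.net 512
1466001800 ws-07 bad.example.net 512
1466002400 ws-07 bad.example.net 512
1466000000 srv-db ntp-legacy.corp.example 76
1466000300 srv-db ntp-legacy.corp.example 76
1466000600 srv-db ntp-legacy.corp.example 76
1466000900 srv-db ntp-legacy.corp.example 76
1466001100 ws-03 rare-one-off.example.org 9800
"""

# Constructed stand-in for an external indicator feed (hypothetical domain).
EXTERNAL_IOCS = {"bad.example.net"}


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, domain, nbytes = line.split()
        events.append({"ts": int(ts), "host": host, "domain": domain, "bytes": int(nbytes)})
    return events


def find_beacons(events, min_hits=4, max_jitter=0.1):
    """(host, domain) pairs contacted at near-constant intervals.

    jitter = population stdev of the gaps between requests / mean gap.
    A host that checks in every N seconds scores near 0; ordinary
    browsing to the same domain scores much higher.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["host"], e["domain"])].append(e["ts"])
    beacons = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append(pair)
    return beacons


def rare_domains(events, max_hosts=1):
    """Domains that only a handful of internal hosts ever talk to."""
    hosts = defaultdict(set)
    for e in events:
        hosts[e["domain"]].add(e["host"])
    return {d: h for d, h in hosts.items() if len(h) <= max_hosts}


def hunt(log_text, iocs):
    """Internal anomalies first; the external match is only an enrichment."""
    events = parse_log(log_text)
    reasons = defaultdict(set)
    for pair in find_beacons(events):
        reasons[pair].add("beacon")
    for domain, hosts in rare_domains(events).items():
        for host in hosts:
            reasons[(host, domain)].add("rare-domain")
    return [
        {"host": h, "domain": d, "reasons": sorted(r), "external_match": d in iocs}
        for (h, d), r in sorted(reasons.items())
    ]


def triage(findings):
    """Split findings into external-indicator matches and internal-only oddities."""
    matched = [f for f in findings if f["external_match"]]
    unmatched = [f for f in findings if not f["external_match"]]
    return matched, unmatched


if __name__ == "__main__":
    matched, unmatched = triage(hunt(SAMPLE_LOG, EXTERNAL_IOCS))
    for f in matched:
        print("ESCALATE ", f)  # matches outside intel: treat as an incident
    for f in unmatched:
        print("ASK OWNER", f)  # odd but unknown: document and show the process owner
```

On this sample the workstation talking to the indicator domain every ten minutes is escalated, while the database server polling a legacy time source every five minutes is flagged as a beacon and a rare destination but has no external match, which is exactly the "could be an APT, could be a misconfigured server" case the paragraph describes. The thresholds (four hits, 10% jitter, one host) are starting points and should be tuned to the environment; the cdn traffic with irregular gaps is left alone on purpose.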


Tackling the “Gnome in your Home” over the Holidays

For several years SANS has published a holiday Capture The Flag (CTF). The event has technical challenges for infosec enthusiasts of all skill levels, and this year SANS has really outdone itself.

Cleverly titled “Gnome In Your Home”, the scenario begins after thousands of toy gnomes are bought by loving parents across the world (1,653,325 to be specific). With the help of a pair of bright youngsters, you start uncovering an evil holiday conspiracy involving these “innocent” gnome toys. Challenges range widely, from firmware analysis to exploiting discovered vulnerabilities.

While juggling all my family obligations of the season I was able to spend a little time hunting gnomes. Although I did not have time to break all 5 of the Super Gnomes, I had a blast learning new skills. I even beat the mini-game!


For those interested, the full challenge is still posted here.
My notes for the challenge are posted below.