Effective Threat Intelligence includes a number of scenarios designed to help solidify the content. I have invited readers to provide their solutions and was fortunate to have Andre provide his take.
Andre Gironda has an impressive resume including structuring organizations by using models that delegate risk decisions to Cyber Operations teams and has spoken worldwide on risk models, cyber threat intelligence, DFIR, APT hunter-killer teaming, and red-teaming analysis.
You can find his solutions on my site here.
Click here to get the Kindle version free!
Until Tuesday, the Kindle version of Effective Threat Intelligence is free! I set up this offer as a thanks for participating and to build excitement for the launch of my very first book! If you were ever reluctant to purchase the book, now you can get it for free before you start your workday!
If you already purchased the Kindle book during the weekend, please email me at email@example.com to sort it out.
Have you already bought the book? Looking for other ways to support?
– Purchase other versions of the book. Both free and paid versions give me a boost on Amazon.
– Review the book on Amazon.
– Share my Twitter, LinkedIn, and website with other infosec professionals.
– If you have purchased the physical copy, make sure you also pick up the free Kindle copy!
Thanks so much for your support in making this day come. I am amazed at how many people keep coming out to support this project, and I am so happy to share it with you!
The great thing about a virtual party is that I can invite all of my supporters across the world to come visit, discuss the challenges of self-publishing, why threat intelligence is important, or just to see the unique people who know each other. If nothing else, little Addy will be making an appearance! I hope you can drop by and celebrate with us!
Building a hunt team is becoming popular in the threat intelligence world. Proactively searching for interesting threat information can help a SOC detect new threats and problems, and sometimes a hunt turns up something that has been in the environment for years. A successful hunt is a lot of fun, and analysts always enjoy bringing back a trophy of something they found.
Hunt programs can also be designed to look for threat intelligence. When discussing a hunt program, I like to consider where my hunting grounds are. I separate hunting into two grounds:
– External to the company environment
– Internal to the company environment
Hunting for information external to the environment is a popular tactic. Bad guys are everywhere and are doing interesting things all of the time, and researching them for indicators can lead in many interesting directions, including underground and clandestine organizations. However, all of this exploring raises questions of authority. Should you connect to a malicious website from a sandbox? Should you purchase stolen documents to look for company credentials? Overall, I feel this type of activity is best left to research companies and government/law enforcement, because it quickly gets into areas of vague legality and violations of personal privacy.
Internal hunting is similar in that you are moving around an environment looking for things that are suspicious. It is different because you own the infrastructure, and it will usually net a higher benefit for your organization. If you see something in your environment, you know it will be… attacking your environment, or has already attacked it. Conversely, an external threat may never be interested in attacking you. Therefore, it makes sense to concentrate on strange behavior in your own environment and match it up with what is happening outside, rather than solving external problems in the hope of preventing them internally.
A great hunt team will notice anomalies and inefficiencies in the network. An indication that something is amiss can have many causes: it could be the next APT breaking down your door, but it can just as easily be a misconfigured server. That is not to say the latter should be ignored; if you document it and show it to the process owners, you help make the whole system better.
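To make the last two points concrete, here is an added example of a small internal hunt; it is not code from the original post or the book. It scores outbound destinations by how rare they are across the fleet (a destination only one machine talks to is worth a look), then matches each rare destination against an external indicator list, which is the "match it up with what is happening outside" step. Rare destinations that match external intelligence go to incident response; rare destinations that are merely failing repeatedly are treated as a likely misconfiguration to hand to the process owner. The proxy log lines, hostnames and the indicator list are all constructed for illustration, and the single-host rarity threshold and the status-code rule are assumptions you would tune for your own environment.

```python
"""Added example (not the post's own code): an internal hunt over constructed
proxy logs that finds rare destinations and matches them against external
indicators. Hostnames, log lines and indicators are made up for illustration."""
from collections import defaultdict

# Constructed proxy log: timestamp, internal host, destination, HTTP status, bytes.
PROXY_LOG = """\
2019-03-04T09:01:10 ws-017 updates.example-vendor.net 200 1203
2019-03-04T09:01:12 ws-023 updates.example-vendor.net 200 1190
2019-03-04T09:01:15 ws-031 updates.example-vendor.net 200 1211
2019-03-04T09:02:00 ws-017 mail.example-corp.internal 200 5402
2019-03-04T09:02:03 ws-023 mail.example-corp.internal 200 4877
2019-03-04T09:02:05 ws-031 mail.example-corp.internal 200 5011
2019-03-04T09:05:00 ws-023 cdn-stat-sync.example.org 200 48210
2019-03-04T09:10:00 ws-023 cdn-stat-sync.example.org 200 47998
2019-03-04T09:15:00 ws-023 cdn-stat-sync.example.org 200 48150
2019-03-04T09:03:30 srv-db-02 license.old-internal.example 503 0
2019-03-04T09:04:30 srv-db-02 license.old-internal.example 503 0
2019-03-04T09:05:30 srv-db-02 license.old-internal.example 503 0
2019-03-04T09:07:00 ws-017 files.share-example.net 200 2097152
"""

# Constructed external indicator list, standing in for a feed or vendor report.
EXTERNAL_IOCS = {"cdn-stat-sync.example.org"}


def parse_log(text):
    """Turn the whitespace-separated log into (ts, host, dest, status, nbytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest, status, nbytes = line.split()
        records.append((ts, host, dest, int(status), int(nbytes)))
    return records


def triage(records, iocs, max_hosts=1):
    """Rank rare destinations and decide where each finding should go.

    A destination is 'rare' when at most `max_hosts` distinct internal hosts
    contacted it (assumed threshold). Verdicts:
      - in the external indicator list      -> escalate to incident response
      - every request failed (non-2xx)      -> likely misconfiguration, process owner
      - anything else                       -> unexplained, investigate
    """
    stats = defaultdict(lambda: {"hosts": set(), "events": 0, "bytes": 0, "ok": 0})
    for _, host, dest, status, nbytes in records:
        s = stats[dest]
        s["hosts"].add(host)
        s["events"] += 1
        s["bytes"] += nbytes
        if 200 <= status < 300:
            s["ok"] += 1

    findings = {}
    for dest, s in stats.items():
        if len(s["hosts"]) > max_hosts:
            continue  # fleet-wide destination, not an anomaly by this measure
        if dest in iocs:
            verdict = "matches external intel: escalate to incident response"
        elif s["ok"] == 0:
            verdict = "repeated failing contact: likely misconfiguration, hand to process owner"
        else:
            verdict = "unexplained rare destination: investigate"
        findings[dest] = {
            "hosts": sorted(s["hosts"]),
            "events": s["events"],
            "bytes": s["bytes"],
            "verdict": verdict,
        }
    return findings


if __name__ == "__main__":
    for dest, f in sorted(triage(parse_log(PROXY_LOG), EXTERNAL_IOCS).items()):
        print(f"{dest}: hosts={f['hosts']} events={f['events']} bytes={f['bytes']}")
        print(f"    {f['verdict']}")
```

On the constructed data the fleet-wide update and mail servers drop out, the destination that matches the indicator list is escalated, the host hammering a dead licence server is routed to its process owner as a misconfiguration, and the large one-off transfer is left for an analyst to explain. Rarity by host count is only one anomaly measure; the same structure works for rare user agents, rare parent processes, or rare logon sources.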