Commenting on the SANS Threat Intelligence Summit 2021 Presentations – An Analysis and Practical Recommendations

Hi everybody,
I recently came across the full portfolio of SANS Threat Intelligence Summit presentations which are currently online at YouTube, and I've decided to take the time and effort to go through them and offer practical and relevant threat intelligence and OSINT advice and recommendations, which I hope will come in handy to the presenters as well as to anyone currently working in the field or interested in making an impact as a threat intelligence analyst.

Sample presentations from the Summit include:

What the presenters should keep in mind when doing their research and homework is to actually adopt a threat intelligence "rock star" mentality: to take their research a step higher, to cause disruption, and to take both active and proactive measures and actions against specific cyber threat actors and adversaries.

I've recently been working on several articles on the topic of threat intelligence, and I came up with a proper article which I'll share in this post, with the idea of improving my readers' situational awareness on the topic and eventually improving the way they work and do threat intelligence gathering online.

———————-

00. The Basics of Threat Intelligence – A Novice Cyber Threat Researcher’s Guide

In this article we aim to provide an in-depth overview of the Threat Intelligence Gathering process, including the methodologies used for processing, enriching and disseminating the collected data, active case studies with live and relevant examples, an overview of the relevant standards and technologies, and an overview of the Threat Intelligence Gathering tools and techniques in use.

This article is aimed at a diverse audience, including security practitioners, information security professionals, threat intelligence analysts and organizations looking for an informative and educational approach to further understanding the basics of threat intelligence, including an overview of threat intelligence methodologies and practices, a variety of in-depth case studies related to threat intelligence gathering, and an in-depth discussion of threat intelligence gathering methodologies and tools.

Overview of Threat Intelligence

Threat intelligence is a multi-disciplinary approach to gathering, processing and disseminating actionable intelligence so that an organization's security defense is actively aware of the threats facing its infrastructure, and so that an adequate and cost-effective strategy can be formulated to ensure the confidentiality, integrity and availability of its data. The collection phase can best be described as the process of obtaining raw, real-time threat intelligence data so that it can be processed, enriched, assessed and ultimately disseminated.

The collection phase consists of the active monitoring of sources of interest, including various public and privately closed community sources, and of assessing and selecting a diverse set of primary and secondary, public and privately closed sources. Together these form the foundation of an active threat intelligence gathering program and its collection model.

What analysts should keep in mind when doing threat intelligence collection, including the actual Technical Collection process of obtaining access to raw threat intelligence data (domains, URLs and MD5s, as well as raw cybercrime forum data or actual copies of a cybercrime-friendly forum community), is that building a capability-driven threat intelligence program, in terms of profiling and applying basic cyber attack attribution methodologies, requires a well-trained workforce. That workforce should be able to easily and efficiently obtain access to real-time, current and historical threat intelligence data, using both proprietary and publicly available sources, in order to enrich the data and actually come up with new and novel research and cyber attack trend analysis.

The processing phase consists of actively selecting the processing tools and methodologies that set the foundation for successfully processing the collected data, and of the active, real-time aggregation of actionable threat intelligence data from the selected primary and secondary, public and privately closed sources, so that the collected data can be processed and enriched.

What analysts should keep in mind when doing threat intelligence processing is the relevance and timeliness of the actual data, as well as the quality of the source, whether public or proprietary. Analysts should be aware that a huge portion of the data that could properly protect an enterprise or a vendor online is already publicly available and only needs to be properly processed and, possibly, enriched in order to build the big picture and to come up with novel cyber attack attribution research. Sticking to the major threat intelligence sharing and dissemination standards should be crucial when feeding the publicly available and processed data into a threat intelligence processing system that also includes a cyber attack attribution process, so that new and novel research, including actual cyber attack attribution research, can be produced using a researcher's or an organization's own methodology.

The dissemination phase consists of the active communication and distribution of the processed and enriched actionable intelligence across the organization's security defense mechanisms, so that the organization's defense is actively aware of the threats facing its infrastructure.

What analysts should keep in mind when disseminating threat intelligence is to always reach out to the right parties, including as many sources of information as possible, in order to present their research and data to the security industry and the security community in an in-depth, enriched and properly processed way, potentially assisting the security industry and the security community in properly attributing a cyber attack or detecting new cyber attack trends.

Threat Intelligence Methodologies

Numerous threat intelligence methodologies are currently available for an organization to take advantage of on its way to properly securing its infrastructure with a proactive security response in mind. Among the most common data acquisition techniques remains active data acquisition through forum and community monitoring, including the active monitoring of private forums and communities. Carefully selecting primary and secondary sources of information is crucial for maintaining the situational awareness necessary to stay ahead of the threats facing the organization's infrastructure, as is establishing an active response through an active threat intelligence gathering program.

Among the most common threat intelligence data acquisition techniques remains active team collaboration across data acquisition, data processing and data dissemination, for the purpose of establishing an active organizational security response that proactively responds to the threats facing the organization's infrastructure. Another common technique remains the active enrichment of the sources of information to include a variety of primary and secondary sources, including private and community-based ones.

Proactive Threat Intelligence Methodologies

Anticipating the emerging threat landscape, and properly understanding it, greatly ensures that an organization can successfully implement a proactive type of security defense that remains properly protected from the threats facing its infrastructure. Taking into consideration the data obtained through an active threat intelligence gathering program greatly ensures that such a proactive security response can be adequately implemented.

Among the most common tactics remains the active understanding of the threats facing an organization's security infrastructure, so that an adequate response can be properly implemented. Another common threat intelligence gathering methodology remains active team collaboration, which ensures that an active enrichment process can be properly implemented on top of the data acquired through the organization's threat intelligence gathering, acquisition, processing and dissemination program, further ensuring that its infrastructure remains properly protected from the threats facing it.

The Future of Threat Intelligence

The future of threat intelligence gathering largely relies on a successful set of threat intelligence gathering methodologies, active data acquisition, processing and dissemination techniques, and the active enrichment of the processed data, for the purpose of ensuring that an organization's security defense remains properly in place. The future of threat intelligence also largely relies on the successful understanding of multiple threat vectors for the purpose of establishing an organization's security defense. Relying on a multitude of enrichment processes, together with the active establishment of a threat intelligence gathering, acquisition, processing and dissemination program, greatly ensures that a proactive, team-oriented approach can be implemented to keep an organization's security defense properly protected from the threats facing its infrastructure.

———————-

Also included is the following second article which I've been working on, on using OSINT together with threat intelligence to do better research online and to actually come up with novel and never-published research and cyber threat actor analysis:

———————

00. Basics of OSINT in the Context of Fighting Cybercrime – The Definite Beginner’s Guide

"What use are they? They've got over 40,000 people over there reading newspapers." – President Nixon

This introductory guide into the world of OSINT is part of an upcoming series of articles aiming to assist both novice and experienced security practitioners and analysts in entering the world of OSINT for cybercrime research. It aims to offer a high-profile and never-published-before, practical and relevant (in today's Internet and cybercrime ecosystem of nation-state and rogue cyber adversaries) general overview, introductory material and training course material for novice beginners as well as advanced Internet users, hackers, security experts, analysts and researchers who are interested in exploring the world of OSINT (Open Source Intelligence) in order to make a difference, do their work in a better and more efficient way, and actually be fully capable and equipped to catch the bad guys online and to track and monitor them to the point of building the big picture of their fraudulent and rogue online activities. The course, including the actual learning and training material, is courtesy of Dancho Danchev, who is considered one of the most popular security bloggers, threat intelligence analysts and cybercrime researchers internationally and within the security industry.

The main purpose behind this guide is to summarize Dancho Danchev's over a decade of active, passive and actionable threat intelligence and OSINT research experience, including cybercrime research experience. The ultimate goal is to empower the student or the organization taking this course to do their online research work better and to be fully capable of tracking down and monitoring the rogue and malicious online activities of the bad guys, to better position and improve your cyber attack or malicious threat actor campaign attribution skills, and ultimately to improve your work and empower you to learn how to do OSINT for good and, most importantly, to track down and monitor the bad guys.

Introduction

In a world dominated by sophisticated cybercrime gangs and nation-state sponsored and tolerated rogue cyber actors, the use of OSINT (Open Source Intelligence) is crucial for building the big picture in the context of fighting cybercrime internationally, and for actually "connecting the dots" when providing personally identifiable information to a closed-group, invite-only LE community, including international Intelligence Agencies, on their way to track down and prosecute the cybercriminals behind these campaigns.

In this training and learning material Dancho Danchev, one of the security industry's most popular and high-value security bloggers and cybercrime researchers, will offer an in-depth peek inside the world of OSINT in the context of fighting cybercrime and will provide practical advice, examples and case studies, specifically on how he tracked down and shut down the infamous Koobface botnet and continued to produce never-before-published, potentially sensitive and classified information on new cyber threat actors, which he continued to publish at Dancho Danchev's blog.

Basics of OSINT

OSINT in the context of fighting cybercrime can best be described as the systematic and persistent use of public information for the purpose of building cyber threat intelligence enriched data sets and intelligence databases, both for real-time situational awareness and for historical OSINT preservation purposes, which also includes actually "connecting the dots" in cybercrime gang and rogue cyber actor campaigns and cyber attack campaigns. A basic example would consist of obtaining a single malicious software sample and running it in a public sandbox to further map the infrastructure of the cybercriminal behind it, potentially exposing the big picture behind the campaign and connecting the dots behind their infrastructure. This could lead to a multitude and variety of personally identifiable information getting exposed, which could help build a proprietary cybercrime gang activity database and actually assist LE in tracking down and prosecuting the cybercriminals behind these campaigns.

"There's no such thing as new cyber threat actors. It's just new players adopting economic and marketing concepts to steal money and cause havoc online."

The main idea here is to locate free and public online repositories of malicious software and to actually obtain a sample which can later be used in a public sandbox for the purpose of mapping the Internet-connected infrastructure of the cybercrime gang in question, to elaborate more on the ways they attempt to monetize the access to the compromised host, including the possible ways in which they make money, and to actually find out what exactly they are trying to compromise. Possible examples here include VirusTotal, or actually running a malware interception honeypot such as, for instance, a spam trap, which can help you intercept currently circulating in-the-wild malware campaigns that propagate using email and actually analyze them in terms of connecting the dots, exposing their Internet-connected infrastructure and establishing the foundations for a successful career in the world of malicious software analysis and cybercrime research.

"Everything that can be seen is already there."

The next logical step would be to properly assess and analyze the recently obtained sample and to properly establish the foundation of a "connect the dots" culture within your organization, where the main goal would be to have researchers and analysts look for clues on their way to tracking down and monitoring a specific campaign, potentially coming up with new and novel cyber attack attribution research. Visualization is often the key to everything when it comes to visualizing threats and looking for additional clues, including possible cyber attack attribution clues, which is where a popular visualization and threat analysis tool known as Maltego should come into play: it basically offers an advanced and sophisticated approach to processing OSINT, cybercrime research and threat intelligence data and actually enriching it using public and proprietary sources of information, for the purpose of building the big picture and actually connecting the dots for a specific cyber attack campaign.
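As an added example (not from the original post, and not Danchev's own tooling), here is a small Python helper for the "connect the dots" step described above: it takes sandbox reports of the kind a public sandbox produces for a sample, drops the hosts that every sandbox run touches regardless of the sample, indexes the domains and IPs each sample contacted, and pivots from shared infrastructure to cluster samples into campaigns. The report format, the hashes, the hosts and the allowlist are all constructed placeholders for this example.

```python
"""Connect-the-dots over sandbox output (added example, constructed data):
index the indicators each sample contacted, find infrastructure shared by
several samples (pivot points) and cluster samples through shared hosts."""

from collections import defaultdict
from urllib.parse import urlparse

# Hosts that show up in every sandbox run regardless of the sample (OS
# updates, CRL checks, the sandbox itself). Pivoting on them would link
# unrelated samples, so they are dropped. Constructed allowlist.
BENIGN_HOSTS = {"update.example.net", "crl.example.net"}

# Constructed, trimmed-down sandbox reports, one per sample. Hashes, hosts
# and URLs are placeholders (.example names, RFC 5737 documentation IPs).
SANDBOX_REPORTS = [
    {"md5": "1" * 32,
     "hosts": ["update.example.net", "203.0.113.10"],
     "urls": ["http://WWW.Evil-One.example/gate.php?id=1"]},
    {"md5": "2" * 32,
     "hosts": ["evil-one.example", "evil-two.example"],
     "urls": ["https://evil-two.example/panel/"]},
    {"md5": "3" * 32,
     "hosts": ["crl.example.net"],
     "urls": ["http://evil-two.example:8080/x"]},
    {"md5": "4" * 32,
     "hosts": ["update.example.net", "other.example"],
     "urls": []},
]

def normalize_host(host):
    """Lowercase, drop any port and a leading 'www.' so that 'WWW.X' and
    'x:8080' collapse into the same indicator."""
    host = host.strip().lower().split(":")[0]
    return host[4:] if host.startswith("www.") else host

def extract_indicators(report):
    """Normalized network indicators of one report, minus allowlisted noise."""
    found = {normalize_host(h) for h in report.get("hosts", [])}
    for url in report.get("urls", []):
        netloc = urlparse(url).netloc
        if netloc:
            found.add(normalize_host(netloc))
    return found - BENIGN_HOSTS

def build_index(reports):
    """Map each indicator to the set of sample MD5s that contacted it."""
    index = defaultdict(set)
    for report in reports:
        for indicator in extract_indicators(report):
            index[indicator].add(report["md5"])
    return dict(index)

def shared_infrastructure(index):
    """Indicators contacted by more than one sample: the pivot points."""
    return {ind: md5s for ind, md5s in index.items() if len(md5s) > 1}

def cluster_samples(reports):
    """Group samples that share indicators, following links transitively
    (A shares with B, B with C => one cluster A, B, C). Union-find over
    the per-indicator sample sets; returns frozensets, largest first."""
    parent = {report["md5"]: report["md5"] for report in reports}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for md5s in build_index(reports).values():
        anchor = next(iter(md5s))
        for md5 in md5s:
            parent[find(md5)] = find(anchor)
    groups = defaultdict(set)
    for md5 in parent:
        groups[find(md5)].add(md5)
    return sorted((frozenset(g) for g in groups.values()), key=len, reverse=True)
```

On the constructed reports, `shared_infrastructure(build_index(SANDBOX_REPORTS))` yields the two pivot hosts and `cluster_samples(SANDBOX_REPORTS)` links samples 1, 2 and 3 through them while sample 4 stays on its own; in practice the allowlist is what keeps such clusters meaningful, since sandbox noise would otherwise connect everything.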

Among the first things that you need to consider before starting your career in the World of OSINT is that everything that you need to know about a specific online event or a specific online campaign, including the activities of the bad guys online, is already out there in the form of publicly available information, which only needs to be processed and enriched to the point where the big picture for that event or malicious online campaign is established, using both qualitative and quantitative methodologies. This also includes the process of obtaining access to the actual technical details and information behind a specific online event or an actual malicious and rogue online campaign.

Among the few key things to keep in mind when doing OSINT, including actual OSINT for cyber attack and cyber campaign attribution, is the fact that in 99% of the cases all the collection information that you need for a specific case is already publicly known and publicly available, instead of having to obtain access to a private or proprietary source of information, and the only thing that you would have to do to obtain access to it is to use the World's most popular search engine for collection, processing and enrichment.

The second most popular thing to keep in mind when doing OSINT is that you don't have to obtain access to proprietary, or even public, OSINT tools.

Current State of the Cybercrime Ecosystem

In 2021 a huge variety of the threats facing the security industry, including vendors and organizations online, include RATs (Remote Access Tools), malicious software that is part of a bigger problem, malicious and fraudulent spam and phishing emails, client-side exploits and vulnerabilities which have the potential to exploit an organization's or a vendor's endpoints for the purpose of dropping malware on the affected host, and the rise of the ransomware threat, which is basically an old-fashioned academic concept known as cryptoviral extortion.

With more novice cybercriminals joining the underground ecosystem market segment, largely driven by a set of newly emerged affiliate-based revenue-sharing fraudulent and malicious networks offering financial incentives for participation in a fraudulent scheme, it shouldn't be surprising that more people are actually joining the cybercrime ecosystem, potentially causing widespread damage and havoc online.

With cybercrime-friendly forums continuing to proliferate, it should be clearly evident that more people will eventually join these marketplaces, potentially looking for new market segment propositions to take advantage of as they join the cybercrime ecosystem, and that more vendors will eventually continue to occupy and launch new underground forum market propositions for the purpose of promoting their services and looking for new clients.

In a World dominated by a geopolitically relevant Internet cybercrime ecosystem, it shouldn't be surprising that more international cybercrime gangs will eventually continue to launch new fraudulent and malicious spam and phishing campaigns, including malicious software campaigns, for the purpose of earning fraudulent revenue.

With more affiliate-based underground market segment networks aiming to attract new users, where they forward the risk of the actual infection process and fraudulent transaction to the actual user in exchange for offering access to sophisticated bulletproof infrastructure together with advanced and sophisticated malware and ransomware releases, it shouldn't be surprising that more people are actually joining these affiliate networks for the purpose of earning fraudulent revenue, causing havoc and widespread disruption online in the process.

———————

Overall I believe that the presentations from this event are worth watching and worth going through, and I can't wait to actually participate in the Call for Papers for the upcoming virtual Summit.

Happy watching!

*** This is a Security Bloggers Network syndicated blog from Dancho Danchev's Blog – Mind Streams of Information Security Knowledge authored by Dancho Danchev. Read the original post at: http://feedproxy.google.com/~r/danchodanchevonsecurityandnewmedia/~3/q-J3KVwRLzk/commenting-on-sans-threat-intelligence.html

https://securityboulevard.com/2021/09/commenting-on-the-sans-threat-intelligence-summit-2021-presentations-an-analysis-and-practical-recommendations/
