Using FAIR with CTI – Some key definitions
This post won’t cover all the Factor Analysis of Information Risk (FAIR) definitions. It will provide the ones I think are vital for using FAIR with Threat Intelligence (TI) and Cyber Threat Intelligence (CTI). I’m paraphrasing several sources, but it’s the way I understand the definitions I learned over the years. If you want in-depth/exact definitions from my sources, for FAIR, lookup: Measuring and Managing Information’s Risk, The Open Group’s Open FAIR Risk Taxonomy and Risk Analysis whitepapers, the RiskLens FAIR study guide (provided as part of the course). For Threat Intelligence, lookup: Effective Threat Intelligence, and Intelligence Analysis 6th edition.
Over the last nine to ten months, I’ve changed how I’ve been using Python, again.
I work in either Debian or Xubuntu Linux, or Windows Subsystem Linux (WSL) Debian. I prefer Debian on bare metal hardware. The VMs I use at work are usually Xubuntu (faster, easier setup). Work’s laptop has Windows 10 Enterprise on it, which is where WSL comes in.
I’ve been wanting to switch back to a Linux based system for a while. Main hold up has been school. Recently I got to rebuild my travel laptop to run Linux.
I started with Debian, but after 2 days and a bunch of tweaking of the system and still not to the point of of actually start working.
So out goes Debian, in moves Xubuntu. A couple of hours later up and running. Disappointed, I’d rather be running Debian. But I really don’t have the time to spend doing endless tweaking. I have several other things to do.
At work, we have this thing on Fridays called power up time. It is the last 4 hours of the week to work on personal projects, test new ideas to see if they are worth implementing, or self improvement. Most weeks it is when I get to look at the most tickets doing Tactical level intelligence since the rest of the week is filled with project or priority case work.
Recently while working on tactical level information for SOC tickets, I was able to add in a little fun, and actually power up. I wanted to do some reverse engineering of the malware associated with the ticket, to see if there was more IOCs that could be extracted.
Earlier in the day I read an email in the SANS DFIR alumni list, which included someone talking about using Remnux with docker. So later in the the day working the ticket, and because I didn’t have a Remnux box, I decided to check out the docker containers. This was also my first time working with docker as well. Starting at Lenny Zeltzer’s Remnux Docker Site.
I went to my linux vm, a box that gets reset to the fresh installed state via snapshot after each use. After a sudo apt install docker.io and a sudo docker pull remnux/pescanner I had the container.
I ran it and learned a little bit about docker. I also got an understanding of some of the information that VirusTotal displays under the detail tab.
So my current reading list had changed 3 times in the last 3 weeks or so since the Fall class ended. I had started with:
Then it was going to be some Social Media Intelligence books:
Now it’s Counterhack Reloaded, which I’m using as my only study materials before the GCIH exam in a couple of months.
Can someone tell me again, why I try to make plans since I always seem to get pulled in many directions at once and not study what I want?
The worst part of my job, is not being able to talk about some of the stuff I do at work that I think is really cool.
*See edits at bottom.
I don’t know if I’ll be able to answer the question. I’ve been using Android Lost and Prey for years. They’ed worked OK in the past, but when I “lost” my phone recently neither tool worked.
To be honest this is the second time these tools failed.
A couple of weeks ago, I did my talk at Circle City Con. This was year two, and my second year as a speaker. It was a good CON, and I can’t wait to go back next year.
Over the weekend I did my very first ARRL Field Day. It was rather interesting. For those that don’t know what Field Day is, it’s when the Amateur Radio Service (yes there is a public service aspect to the HAM Hobby and License) gets together to make contacts under adverse conditions. The club I am in, Ford Amateur Radio League, teamed up again this year with the Livonia Radio Club. We had a tent with a generator out in the middle of a field.
As I mentioned before here and here I’ll be at Circle City Con, talking about the Raspberry Pi WIDS project I did last year at Eastern.
I’ve updated all my Raspberry Pis, including the firmware. I’ve setup a Raspberry Pi B+ and the Raspberry Pi 2 with the respective Kali images. But they still need to be set up as kismet drones, and tested.
I also need to set up the hard drive for the con, and update my slide deck.
1 week to do it in. Plenty of time. (Famous last words).