I don’t remember which podcast or who said it, but “Garbage In Gospel Out” is so true. Especially when talking about Cyber Threat Intelligence. I talked a little about this before, both in conference talks and in Validate Data Before Sharing.
But here it is, three years later, and the problem remains. I’m willing to say it is getting worse. We’re not running full life cycles, either Intelligence or Incident Response. We get to the collection phase and call it done. NixIntel has a good post on that at their blog.
I’m going to have to add a couple more slides to my Threat Intelligence: From Zero to Basics deck. But I told GrrCON that I would have an updated deck from Circle City Con anyway.
Over the last two weeks I’ve seen some stuff shared publicly in Threat Intelligence Platforms that really shouldn’t have been. The data wasn’t valid at the time of sharing.
Recently I read the Kindle version of “Effective Threat Intelligence: Building and running an intel team for your organization” by James Dietle. I found out after the fact that there was a paperback version of it, and even gave one copy away as a Christmas present.
Anyway, this is the book I wish I had in January of 2016, when I moved from Incident Response / Event Analysis to Threat Intelligence. It’s a good primer on the subject. While it’s not completely new material, it’s the basics in one place. When I started doing TI, I had to learn from the ground up, and things were scattered. Some of it was easy, other parts were more advanced, and nothing made a good how-to. Especially when I wanted to start showing value from the word go.
I think that if I had had this book and read it when I was starting, it would have been very beneficial. While it’s not as in-depth as SANS FOR578, I do think that it would make a good primer for anyone in IR going to SANS for Cyber Threat Intelligence.
This is a blog post I’ve been meaning to write for a few months now. It’s based in part on a Twitter conversation that carried over into a phone call. It is also something I’ve personally observed, a trap I fell into, and heard other Threat Intelligence people say they observed. And while reading Cyint’s favorite tweets of 2016, I finally decided to sit down and write.
In the tweet list was a tweet from Alex Pinto asking ‘how many more #ThreatIntel articles do we need about the difference between “data”, “information” and “intelligence”?’
So my answer is: as many as it takes to break out of our own echo chamber / choir and figure out how to talk to our Cybersecurity peers and the stakeholders, so everyone is able to understand what is being bought. So here is yet another article talking about Intelligence vs Data Feeds being sold as Intelligence.
Companies are selling data feeds while calling them intelligence.
Has anyone else noticed that Bing has lots of Domain Generation Algorithm (DGA) links in the search results? It isn’t on every search, just some searches. But the same search at Google doesn’t return the DGA links.
Work recently sent me to SANS Forensics 578, Cyber Threat Intelligence. This was my first SANS class ever, and it was pretty good. The instance of the class I was sent to was presented by Jake Williams and Rebekah Brown. I think having both of them teach the class was great, because it gave more of a from-the-trenches view than having just one of them as an instructor.