Monday, September 20, 2021

Commenting on the SANS Threat Intelligence Summit 2021 Presentations - An Analysis and Practical Recommendations

Hi everyone,

I recently came across the entire portfolio of SANS Threat Intelligence Summit presentations, which are currently online on YouTube, and I've decided to take the time and effort to go through them and offer practical and relevant threat intelligence and OSINT advice and recommendations which I hope will come in handy to the presenters, including anyone currently working in the field or interested in making an impact as a threat intelligence analyst.

Sample presentations from the Summit include:

Analyzing Chinese Information Operations with Threat Intelligence - this is a pretty informative presentation that offers practical and relevant Information Operations advice, including a pretty decent case study on the topic of a high-profile information leak campaign based in China.

Collections and Elections: How The New York Times built an intel collections program in 2020 - this is a pretty informative presentation that offers in-depth and relevant advice on building threat intelligence capabilities in terms of building a threat intelligence team, including first-person experience of the process of building a threat intelligence program.

Better Than Binary: Elevating State Sponsored Attribution via Spectrum of State Responsibility - this is a pretty informative presentation that offers a very good overview of various threat intelligence techniques, including collection enrichment and actual technical collection advice.

What the presenters should keep in mind when doing their research and homework is to actually implement a threat intelligence "rock star" mentality when doing research, to attempt to take a step higher in their research and make disruption, and to actually take both active and proactive measures and actions against specific cyber threat actors and adversaries.

I've recently been working on several articles on the topic of threat intelligence, and I came up with a proper article which I'll share in this post with the idea of improving my readers' situational awareness on the topic, eventually improving the way they work and do threat intelligence gathering online.

----------------------
00. The Basics of Threat Intelligence - A Novice Cyber Threat Researcher’s Guide

In this article we aim to provide an in-depth overview of the threat intelligence gathering process, including the methodologies for collecting, processing, enriching and disseminating intelligence, active case studies, an overview of the relevant standards and technologies, and an overview of various threat intelligence gathering tools and techniques, illustrated with live and relevant examples.

This article targets a diverse audience, including security practitioners, information security professionals, threat intelligence analysts and organizations seeking an informative and educational approach to understanding the basics of threat intelligence: its methodologies and practices, a variety of in-depth case studies related to threat intelligence gathering, and the tools used for it.

Overview of Threat Intelligence

Threat intelligence is a multi-disciplinary approach to collecting, processing and disseminating actionable intelligence so that an organization's security defense is actively aware of the threats facing its infrastructure and an adequate, cost-effective strategy can be formulated to ensure the confidentiality, integrity and availability of its information. The collection phase is the process of obtaining real-time threat intelligence data and assessing it so that it can be processed, enriched and disseminated.

The collection phase consists of actively monitoring sources of interest, including public sources and privately closed community sources, and of assessing and selecting a diverse set of primary and secondary sources of both kinds; these selected sources form the foundation of an active threat intelligence collection model.

What analysts should keep in mind when doing threat intelligence collection, including the actual technical collection process of obtaining access to raw threat intelligence information (domains, URLs and MD5 hashes, as well as raw cybercrime forum data or actual copies of a cybercrime-friendly forum community) for the purpose of building a capacity-driven threat intelligence program that profiles actors and applies basic cyber attack attribution methodologies, is the need for a well-trained staff who can easily and efficiently obtain both real-time and historical threat intelligence information from proprietary and publicly accessible sources, enrich it, and come up with new and novel research and cyber attack trend analysis.

The processing phase consists of selecting processing tools and methodologies, then actively processing and enriching the collected data, aggregating actionable threat intelligence in real time, and drawing on the selected primary and secondary public and privately closed sources to enrich the processed data.

What analysts should keep in mind when processing threat intelligence is the relevance and timeliness of the information and the quality of its source, whether public or proprietary. A huge portion of the information that could properly protect an enterprise or a vendor online is already publicly accessible and should be properly processed and, where possible, enriched to build the big picture, including novel cyber attack attribution research. Sticking to the major threat intelligence sharing and dissemination standards is crucial when feeding the publicly accessible and processed information into a threat intelligence processing system that also includes a cyber attack attribution process, using the researcher's or the organization's own attribution methodology.

The dissemination phase consists of communicating and distributing the processed and enriched actionable intelligence across the organization's security defense mechanisms, so that the organization's defense is actively aware of the threats facing its infrastructure.

What analysts should keep in mind when disseminating threat intelligence is to always reach out to the proper parties, including as many sources of information as possible, and to present their research and information to the security industry and the security community in an in-depth, enriched and properly processed way, potentially assisting them in properly attributing a cyber attack or detecting new cyber attack trends.

Threat Intelligence Methodologies

Numerous threat intelligence methodologies are available to an organization seeking to secure its infrastructure through a proactive security response. Among the most common data acquisition strategies is active data acquisition through monitoring forums and communities, including private ones. Carefully selecting primary and secondary sources of information is crucial for maintaining the situational awareness needed to stay ahead of the threats facing the organization's infrastructure, and for establishing an active response through an active threat intelligence gathering program.

Also common is active team collaboration across data acquisition, processing and dissemination, which lets an organization's security response proactively address the threats facing its infrastructure, as is the active enrichment of the sources of information to include a variety of primary and secondary sources, both private and community-based.

Proactive Threat Intelligence Methodologies

Anticipating and properly understanding the emerging threat landscape greatly helps an organization implement a proactive security defense. The data obtained through an active threat intelligence gathering program is what allows that proactive response to be adequately implemented, so that the organization's security defense remains properly protected from the threats facing its infrastructure.

Among the most common tactics is an active understanding of the threats facing an organization's security infrastructure, so that an adequate response can be properly implemented, together with active team collaboration, so that an active enrichment process can be properly implemented. Both rest on the information acquired through an active threat intelligence acquisition, processing and dissemination program, which further ensures that the organization's infrastructure remains properly protected.

The Future of Threat Intelligence

The future of threat intelligence gathering largely relies on a successful set of methodologies: active data acquisition, processing and dissemination strategies, including the active enrichment of the processed data, so that an organization's security defense remains properly in place. It also relies on a successful understanding of multiple threat vectors. Relying on a multitude of enrichment processes, together with an active threat intelligence acquisition, processing and dissemination program, ensures that a proactive, team-oriented approach can be implemented to keep the organization's security defense properly protected from the threats facing its infrastructure.
----------------------

including the following second article, which I've been working on, on using OSINT in combination with threat intelligence to do better research online and actually come up with novel and never-published research and cyber threat actor research and analysis:

---------------------

00. Basics of OSINT in the Context of Fighting Cybercrime - The Definite Beginner's Guide

"What use are they? They've got over 40,000 people over there reading newspapers." - President Nixon

This introductory guide to the world of OSINT is part of an upcoming series of articles aiming to assist both novice and experienced security practitioners and analysts entering the world of OSINT for cybercrime research. It aims to offer a high-profile, never-before-published, practical and relevant general overview and introductory training course material, set in today's Internet and cybercrime ecosystem of nation-state and rogue cyber adversaries, for novice beginners as well as advanced Internet users, hackers, security consultants, analysts and researchers who are interested in exploring the world of OSINT (Open Source Intelligence) in order to do their work in a better and more efficient way, to be fully capable and equipped to catch the bad guys online, and to monitor and track them down to the point of building the big picture of their fraudulent and rogue online activities. The course, including the actual learning and training material, is courtesy of Dancho Danchev, who is considered one of the most popular security bloggers, threat intelligence analysts and cybercrime researchers internationally and within the security industry.

The primary purpose behind this guide is to summarize Dancho Danchev's over a decade of active and passive threat intelligence and OSINT research experience, including actionable threat intelligence and cybercrime research, where the ultimate goal is to empower the student or the organization taking this course to do their online research work better and to be fully capable of tracking down and monitoring the rogue and malicious online activities of the bad guys online, ultimately enhancing your cyber attack and malicious threat actor campaign attribution skills, improving your work activities, and empowering you to learn how to do OSINT for good and, most importantly, to track down and monitor the bad guys.

Introduction

In a world dominated by sophisticated cybercrime gangs and nation-state sponsored and tolerated rogue cyber actors, the use of OSINT (Open Source Intelligence) is crucial for building the big picture in the context of fighting cybercrime internationally, including to actually "connect the dots" when providing personally identifiable information to a closed-group, invite-only LE community, including international intelligence agencies, on their way to track down and prosecute the cybercriminals behind these campaigns.

In this training and learning material Dancho Danchev, one of the security industry's most popular and high-value security bloggers and cybercrime researchers, offers an in-depth peek inside the world of OSINT in the context of fighting cybercrime and provides practical advice, examples and cases, in particular on how he tracked down and shut down the infamous Koobface botnet and continued to supply never-before-published, potentially sensitive and classified information on new cyber threat actors, which he continued to publish on Dancho Danchev's blog.

Basics of OSINT

OSINT in the context of fighting cybercrime can best be described as the systematic and persistent use of public information to build cyber threat intelligence enriched data sets and intelligence databases, both for real-time situational awareness and for historical OSINT preservation, which also includes actually "connecting the dots" in cybercrime gang and rogue cyber actor campaigns and cyber attacks. A general example would consist of obtaining a single malicious software sample and running it in a public sandbox to further map the infrastructure of the cybercriminal behind it, potentially exposing the big picture behind the campaign; connecting the dots behind their infrastructure can expose a multitude of personally identifiable information, which could help build a proprietary cybercrime gang activity database and actually assist LE in tracking down and prosecuting the cybercriminals behind these campaigns.

"There's no such thing as new cyber threat actors. It's just new players adopting economic and marketing concepts to steal money and cause havoc online."

The primary idea here is to locate free and public online repositories of malicious software and to obtain a sample which will later be run in a public sandbox for the purpose of mapping the Internet-connected infrastructure of the cybercrime gang in question, including elaborating on the ways they attempt to monetize access to the compromised host, how they make money, and what exactly they are trying to compromise. Possible examples here include VirusTotal, or actually running a malware interception honeypot such as a spam trap, which would allow you to intercept currently circulating in-the-wild malware campaigns that propagate via email and analyze them in terms of connecting the dots, exposing their Internet-connected infrastructure, and establishing the foundations for a successful career in the world of malicious software analysis and cybercrime research.

"Everything that can be seen is already there."

The next logical step would be to properly assess and analyze the recently obtained sample and to establish the foundation of a "connect the dots" culture within your organization, where the primary goal is to have researchers and analysts look for clues on their way to tracking down and monitoring a specific campaign, potentially coming up with new and novel cyber attack attribution research. Visualization is often the key to everything in terms of visualizing threats and looking for additional clues, including possible cyber attack attribution clues; this is where a popular visualization and threat analysis tool known as Maltego comes into play, offering an advanced and sophisticated way to process OSINT, cybercrime research and threat intelligence information and enrich it using public and proprietary sources of information, in order to establish the big picture and actually connect the dots for a specific cyber attack campaign.
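As an added illustration of the sample-to-infrastructure pivot described above, and of the processing and enrichment of domains, URLs and MD5 hashes mentioned in the first article, here is example code that is not part of the original post or of any tool it names: it normalizes the indicators from a few constructed sandbox reports, links samples that share a domain or an IP, and produces rows that could be handed to a visualization tool such as Maltego or shared with the team. The report format, hashes, domains and IPs are all invented for the example.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sandbox reports, not real samples: the shape of what a public sandbox
# reports back. Hashes are invented, domains use reserved names, IPs are RFC 5737.
REPORTS = [
    {"md5": "0F3E2B1A9C8D7E6F5A4B3C2D1E0F9A8B", "urls": ["hxxp://cdn[.]loader.example/payload.bin"],
     "contacted": ["203.0.113.10", "panel[.]loader.example."]},
    {"md5": "1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d", "urls": ["http://panel.loader.example/gate.php"],
     "contacted": ["198.51.100.7"]},
    {"md5": "ffffffffffffffffffffffffffffffff", "urls": ["https://unrelated.example.org/"],
     "contacted": ["192.0.2.99"]},
    {"md5": "not-a-hash", "urls": [], "contacted": []},  # malformed record: reject, do not crash
]
MD5_RE = re.compile(r"^[0-9a-f]{32}$")

def refang(value):
    """Undo the usual defanging so the same indicator always compares equal."""
    return value.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")

def classify(host):
    """Return ("ip", addr) or ("domain", name); None when there is nothing usable."""
    host = refang(host.strip().lower()).rstrip(".")
    if not host:
        return None
    try:
        return "ip", str(ipaddress.ip_address(host))
    except ValueError:
        return "domain", host

def normalize(report):
    """Validate the hash and reduce one raw report to a set of infrastructure nodes."""
    md5 = str(report.get("md5", "")).lower()
    if not MD5_RE.match(md5):
        return None  # drop malformed records instead of polluting the index
    hosts = [urlparse(refang(u)).hostname or "" for u in report.get("urls", [])]
    hosts += report.get("contacted", [])
    return md5, {node for node in map(classify, hosts) if node}

def build_index(reports):
    """Processing step: infrastructure node -> set of sample hashes that used it."""
    index = defaultdict(set)
    for normalized in filter(None, map(normalize, reports)):
        md5, infra = normalized
        for node in infra:
            index[node].add(md5)
    return index

def shared_pivots(reports):
    """Dissemination-ready rows: the nodes that link more than one sample."""
    return [(kind, value, sorted(samples))
            for (kind, value), samples in sorted(build_index(reports).items())
            if len(samples) > 1]

def connect_the_dots(reports):
    """Cluster samples transitively through shared domains/IPs (union-find)."""
    parent = {}
    def find(x):
        while parent.setdefault(x, x) != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for samples in build_index(reports).values():
        root = find(next(iter(samples)))
        for s in samples:
            parent[find(s)] = root
    groups = defaultdict(set)
    for s in list(parent):
        groups[find(s)].add(s)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)
```

Each row from shared_pivots is one "dot" worth plotting; the clusters from connect_the_dots are the candidate campaigns an analyst would then investigate further.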

Among the first things you should consider before beginning your career in the world of OSINT is that everything you need to know about a specific online event or campaign, including the activities of the bad guys online, is already out there in the form of publicly accessible information, which only needs to be processed and enriched to the point where the big picture for the event or the malicious campaign is established, using both qualitative and quantitative methodologies, including the process of obtaining access to the actual technical details and information behind the event or the malicious and rogue online campaign.

Among the few key things to keep in mind when doing OSINT, including OSINT for cyber attack and cyber campaign attribution, is the fact that in 99% of the cases all the collection information you need for a specific case is already publicly known and publicly accessible, so instead of having to obtain access to a private or proprietary source of information, the only thing you have to do is use the world's most popular search engine for collection, processing and enrichment.

The second thing to keep in mind when doing OSINT is that you don't need to obtain access to proprietary, or even public, OSINT tools.

Current State of the Cybercrime Ecosystem

In 2021 a huge number of the threats facing the security industry, including vendors and organizations online, include RATs (Remote Access Tools), malicious software that is part of a larger botnet, malicious and fraudulent spam and phishing emails, and client-side exploits and vulnerabilities which have the potential to compromise an organization's or a vendor's endpoints and drop malware on the affected host, as well as the rise of the ransomware threat, which is basically an old-fashioned academic concept known as cryptoviral extortion.

With more novice cybercriminals joining the underground ecosystem, largely driven by a set of newly emerged affiliate-based, revenue-sharing fraudulent and malicious networks offering a financial incentive for participation in a fraudulent scheme, it shouldn't be surprising that more people are actually joining the cybercrime ecosystem, potentially causing widespread damage and havoc online.

With cybercrime-friendly forums continuing to proliferate, it should be clearly evident that more people will eventually join these marketplaces, looking for new market propositions to take advantage of on their way into the cybercrime ecosystem, and that more vendors will continue to launch new underground forum market propositions for the purpose of promoting their services and looking for new clients.

In a world dominated by a geopolitically relevant Internet cybercrime ecosystem, it shouldn't be surprising that more international cybercrime gangs will continue to launch new fraudulent and malicious spam and phishing campaigns, as well as malicious software campaigns, for the purpose of earning fraudulent revenue.

With more affiliate-based underground networks aiming to attract new users, forwarding the risk of the actual infection process and fraudulent transaction to the user in exchange for access to sophisticated bulletproof infrastructure, including advanced and sophisticated malware and ransomware releases, it shouldn't be surprising that more people are joining these affiliate networks to earn fraudulent revenue while causing havoc and widespread disruption online.

---------------------

Overall I believe that the presentations from this event are worth watching and going through, and I can't wait to actually participate in the Call for Papers for the upcoming virtual Summit.

Happy watching!
