Threat Intelligence(or lack therof…)

No Budget Threat Intelligence - Tracking Malware Campaigns on the Cheap - ShmooCon15

  • "In this talk, I'll be discussing my experience developing intelligence-gathering capabilities to track several different independent groups of threat actors on a very limited budget (read: virtually no budget whatsoever). I'll discuss discovering the groups using open source intelligence gathering and honeypots, monitoring attacks, collecting and analyzing malware artifacts to figure out what their capabilities are, and reverse engineering their malware to de the capability to track their targets in real time. Finally, I'll chat about defensive strategies and provide recommendations for enterprise security analysts and other security researchers. I'll also be releasing a suite of tools I created to help threat researchers perform tracking and attribution.

Malware Information Sharing Platform

  • MISP - Malware Information Sharing Platform & Threat Sharing

Collective Intelligence Framework

  • "Our Flagship Project, is a cyber threat intelligence management system. CIF allows you to combine known malicious threat information from many sources and use that information for identification (incident response), detection (IDS) and mitigation (null route). The most common types of threat intelligence warehoused in CIF are IP addresses, domains and urls that are observed to be related to malicious activity."

Collaborative Research Into Threats

  • CRITs is an open source malware and threat repository that leverages other open source software to create a unified tool for analysts and security experts engaged in threat defense. It has been in development since 2010 with one goal in mind: give the security community a flexible and open platform for analyzing and collaborating on threat data. In making CRITs free and open source, we can provide organizations around the world with the capability to quickly adapt to an ever-changing threat landscape. CRITs can be installed locally for a private isolated instance or shared among other trusted organizations as a collaborative defense mechanism.