This presentation was delivered at CyberCon AISA in Melbourne. It covers threat intelligence and the open-source technologies OpenCTI, ELK and Jupyter.
allows you to prevent or mitigate cyberattacks.
• Rooted in data, threat intelligence gives you context that helps you make informed decisions about your security by answering questions like:
• Who is attacking you?
• What are their motivations and capabilities?
• What IOCs should you look for in your systems?
Persistent Threat, Threat Actors
• Tactics, Techniques and Procedures
• Vulnerability reports
Define your requirements. Understand international relations and the geopolitical context.
• Create Yara, Sigma and Snort rules
• Identify code similarities
• Search for infrastructure overlap and passive DNS
• Mass scanning to uncover new C2s
• Set up honeypots
• Get information from private sources
Understand victimology:
• Who/where are the targets? Which sectors?
• Make the connections to past attacks.
• Find a link with the geopolitical context.
the data
• Track IOCs and TTPs
• Analyse different kinds of data, such as data leaks, OSINT…
• Empower analysts with ready-to-use tools
• Articulate everything and build your threat intel practice
to classify and track threat actors
• Can be used to document actors, campaigns, tools and more…
• Modules can be easily added in Python for enrichment.
• API available for automation.
• OpenCTI - open platform for cyber threat intelligence
powerful tool to analyse data.
• The data can be ingested via Logstash.
• Kibana is used for creating dashboards and visualisations.
• ELK can be useful for all kinds of data analysis: data leaks, detection logs, monitoring, anything else.
Pipeline: Data, then Logstash (processing), then Elasticsearch (storage), then Kibana (visualisation).
*Logstash, Elasticsearch and Kibana are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.
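The processing step between raw data and Elasticsearch is normally done by Logstash filters; as an added example (not from the presentation or from Elastic), the Python below does the same shaping by hand so the structure is visible: it parses web-server access lines into nested, ECS-style fields and emits the newline-delimited body expected by the Elasticsearch `_bulk` API. The log lines, index name and field layout are constructed assumptions for the example.

```python
"""Shape raw access-log lines into JSON documents and emit an Elasticsearch
_bulk request body. Standard library only; the sample lines are constructed."""
import json
import re
from datetime import datetime, timezone

# Constructed sample lines in the common "combined" access-log format
# (addresses are from documentation ranges).
SAMPLE_LOGS = [
    '203.0.113.10 - - [12/Oct/2022:10:15:32 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Oct/2022:10:15:40 +0000] "POST /wp-login.php HTTP/1.1" 403 128 "-" "python-requests/2.28"',
    "this line does not match the format",
]

COMBINED_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line: str):
    """Return an ECS-style document for one line, or None when it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {
        "@timestamp": ts.astimezone(timezone.utc).isoformat().replace("+00:00", "Z"),
        "source": {"ip": m["client"]},
        "http": {
            "request": {"method": m["method"]},
            "response": {"status_code": int(m["status"])},
        },
        "url": {"path": m["path"]},
        "user_agent": {"original": m["ua"]},
        # Keep the raw line: analysts often need it when a parse looks wrong.
        "event": {"dataset": "web.access", "original": line},
    }


def to_bulk_ndjson(lines, index: str):
    """Build the _bulk body: one action line then one document line per event.
    Returns (body, dropped) so unparsable lines are counted, not silently lost."""
    out, dropped = [], 0
    for line in lines:
        doc = parse_line(line)
        if doc is None:
            dropped += 1
            continue
        out.append(json.dumps({"index": {"_index": index}}))
        out.append(json.dumps(doc))
    # The _bulk API requires the body to end with a newline.
    return "\n".join(out) + "\n", dropped


if __name__ == "__main__":
    body, dropped = to_bulk_ndjson(SAMPLE_LOGS, "web-access")
    print(body)
    print(f"dropped {dropped} unparsable line(s)")
```

Counting dropped lines is the detail worth copying into a real pipeline: a parser that quietly discards what it cannot read is how an attacker's unusual request disappears from the dashboard.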
• Extracting Indicators of Activity (IOA) from logs and unpacking encoded data
• Performing analysis such as anomalous session detection and time series decomposition
• Visualising data using interactive timelines, process trees and multidimensional Morph Charts
• Enriching data with TI, geolocation…
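To make the first two bullets concrete, here is an added example (written for this page, not taken from the presentation or from any Jupyter library) of the kind of cell an analyst runs in a notebook: it pulls IPv4 addresses, defanged domains and SHA-256 hashes out of raw log text, decodes base64 tokens (handling the UTF-16LE encoding PowerShell uses for encoded commands), and flags hours whose event volume is anomalous against the rest of the day using a z-score. The log lines, hosts and addresses are constructed; the sample hash is the SHA-256 of an empty input.

```python
"""Extract IOCs from raw log lines, unpack base64 payloads and flag anomalous
hourly volumes. Standard library only; all log lines are constructed."""
import base64
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed encoded command, built here so the expected plaintext is known.
ENCODED = base64.b64encode("Write-Host hello".encode("utf-16le")).decode()

SAMPLE_LOGS = (
    [f"2022-10-12T{h:02d}:{m:02d}:00Z host=ws04 heartbeat" for h in range(8) for m in (0, 30)]
    + [
        f"2022-10-12T09:01:00Z host=ws01 cmd=powershell -enc {ENCODED}",
        "2022-10-12T09:05:00Z host=ws01 dns query=updates.example-cdn[.]test",
        "2022-10-12T10:02:00Z host=ws02 conn dst=203.0.113.10:443",
        "2022-10-12T10:03:00Z host=ws02 hash=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    ]
    # Burst of connections in a single hour: the anomaly the z-score should flag.
    + [f"2022-10-12T11:{i:02d}:00Z host=ws03 conn dst=198.51.100.7:8080" for i in range(30)]
)

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Accepts defanged dots such as example[.]test as well as plain ones.
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\[?\.\]?)+[a-z]{2,}\b", re.I)
SHA256 = re.compile(r"\b[0-9a-f]{64}\b")
B64 = re.compile(r"\b[A-Za-z0-9+/]{20,}={0,2}")


def unpack_base64(token: str):
    """Decode a base64 token to printable text, or None if it is not one."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    # Many NUL bytes in odd positions means UTF-16LE (PowerShell -enc style).
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        text = raw.decode("utf-16le", errors="replace")
    else:
        text = raw.decode("utf-8", errors="replace")
    return text if text.isprintable() else None


def extract_iocs(lines):
    """Return sets of IPv4s, refanged domains, SHA-256 hashes and decoded payloads."""
    found = {"ipv4": set(), "domain": set(), "sha256": set(), "decoded": set()}
    for line in lines:
        found["ipv4"].update(IPV4.findall(line))
        found["domain"].update(d.replace("[.]", ".") for d in DOMAIN.findall(line))
        found["sha256"].update(SHA256.findall(line))
        for token in B64.findall(line):
            if SHA256.fullmatch(token):     # a hex hash also looks like base64
                continue
            text = unpack_base64(token)
            if text:
                found["decoded"].add(text)
    return found


def anomalous_hours(lines, z_threshold: float = 2.0):
    """Bucket events per hour and return buckets whose count is far above the mean."""
    counts = Counter(line[:13] for line in lines)   # "YYYY-MM-DDTHH"
    if len(counts) < 3:
        return []                                    # too little baseline to judge
    mu, sigma = mean(counts.values()), pstdev(counts.values())
    if sigma == 0:
        return []
    return sorted(h for h, c in counts.items() if (c - mu) / sigma > z_threshold)


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_LOGS).items():
        print(kind, sorted(values))
    print("anomalous hours:", anomalous_hours(SAMPLE_LOGS))
```

The z-score here is the simplest possible stand-in for the time-series decomposition the slide mentions; it needs a reasonable number of baseline buckets, which is why the function refuses to judge fewer than three and why real notebooks work over days or weeks of data rather than one.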
Threat intelligence is the process of sorting and making sense of all the data. Threat intelligence requires trained people. Open-source technologies can help and bolster your teams during investigation and analysis. Centralised platforms are great for building a common knowledge base. Python and Jupyter empower analysts to make sense of the stored data.