
In the Lair of the Beholder

Kyle Maxwell

July 08, 2015
Transcript

  1. External IOCs
     How to look?
     • Blacklists
     • WHOIS
     • Search engine automation
     • Malware repositories

  2. Blacklists
     Check popular “threat intel data feeds” using Combine plus Flail
     https://github.com/mlsecproject/combine
     https://github.com/krmaxwell/flail
     Games Workshop

  3. WHOIS
     Registration of domains relevant to brand or organization name
     http://modernfarmer.com/2013/06/cowglyphics-decoding-cattle-brands/

  4. Search Engine Automation
     Custom Search Engine for paste sites
     Google Alerts for key email addresses (executives, honeytokens, etc.)

  5. YARA Example (super naïve)
     rule verisign_email
     {
         strings:
             $email_domain = "@verisign.com"
             $common_email = "CPS-requests"
         condition:
             $email_domain and not $common_email
     }

  6. Automation
     “Scumblr is a web application that allows performing periodic searches and storing / taking actions on the identified results.”
     https://github.com/Netflix/Scumblr
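Slide 5 calls its YARA rule "super naïve": a single public mailbox (CPS-requests) anywhere in a paste suppresses the whole match, even if other addresses at the domain leak alongside it. The following is an added example, not from the deck or its author, that reproduces the rule's logic in Python and then shows the per-address alternative a defender would use for paste-site monitoring; the sample paste texts are constructed.

```python
import re

# Domain and public mailbox taken from the slide's rule; the allowlist is an assumed
# extension for mailboxes that are expected to appear publicly and are not leaks.
MONITORED_DOMAIN = "verisign.com"
KNOWN_PUBLIC_MAILBOXES = {"cps-requests"}


def naive_rule_matches(text: str) -> bool:
    """Mirror the slide's YARA condition: $email_domain and not $common_email.

    Both YARA strings are case-sensitive by default, so the comparison is too.
    """
    return "@verisign.com" in text and "CPS-requests" not in text


def find_suspect_addresses(text: str, domain: str = MONITORED_DOMAIN,
                           allowlist: set = KNOWN_PUBLIC_MAILBOXES) -> list:
    """Return every address at `domain` whose local part is not allowlisted.

    Unlike the document-level YARA condition, each address is judged on its own,
    so a known public mailbox cannot mask a leaked one in the same paste.
    """
    pattern = re.compile(r"([A-Za-z0-9._%+-]+)@(" + re.escape(domain) + r")\b",
                         re.IGNORECASE)
    found = set()
    for match in pattern.finditer(text):
        local = match.group(1).lower()
        if local not in allowlist:
            found.add(f"{local}@{match.group(2).lower()}")
    return sorted(found)


# Constructed sample pastes (not real data).
PASTE_PUBLIC = "Contact CPS-requests@verisign.com for certificate policy questions."
PASTE_LEAK = ("dump: jdoe@verisign.com:hunter2\n"
              "CPS-requests@verisign.com\n"
              "alice.smith@VERISIGN.COM pw")

if __name__ == "__main__":
    for name, paste in (("public", PASTE_PUBLIC), ("leak", PASTE_LEAK)):
        print(f"{name}: naive rule fires={naive_rule_matches(paste)}, "
              f"suspect addresses={find_suspect_addresses(paste)}")
```

The naive rule stays silent on the second paste because the public mailbox appears in it, while the per-address scan still surfaces the two leaked accounts.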