In the Lair of the Beholder

Transcript

1. In the Lair of the Beholder Kyle Maxwell @kylemaxwell [email protected]

2. How this got started “Beholder” is Product Identity of Wizards

   of the Coast

3. External IOCs How to look? • Blacklists • WHOIS •

   Search engine automation • Malware repositories

4. OSINT is a lot like this

5. Blacklists Check popular “threat intel data feeds” using Combine plus

   Flail https://github.com/mlsecproject/combine https://github.com/krmaxwell/flail Games Workshop

6. WHOIS Registration of domains relevant to brand or organization name

   http://modernfarmer.com/2013/06/cowglyphics-decoding-cattle-brands/

7. Search Engine Automation Custom Search Engine for paste sites Google

   Alerts for key email addresses (executives, honeytokens, etc.)

8. Malware Repositories YARA: “The pattern matching swiss knife” http://plusvic.github.io/yara/ “Antivirus

   that you update using git pull” ~ @tomchop_

9. YARA Example (super naïve) rule verisign_email { strings: $email_domain =

   "@verisign.com" $common_email = "CPS-requests" condition: $email_domain and not $common_email }

10. Automation “Scumblr is a web application that allows performing periodic

    searches and storing / taking actions on the identified results.” https://github.com/Netflix/Scumblr

11. Lesson: Start off simple

12. Lesson: Evolve or die

13. Lesson: Work with others Professionals can usually provide richer details.

14. Discussion Thanks! @kylemaxwell [email protected]