In the Lair of the Beholder
Kyle Maxwell
July 08, 2015
Technology
Transcript
In the Lair of the Beholder
Kyle Maxwell, @kylemaxwell
[email protected]
How this got started: “Beholder” is a product identity of Wizards of the Coast.
External IOCs. How to look?
• Blacklists
• WHOIS
• Search engine automation
• Malware repositories
OSINT is a lot like this
Blacklists: check popular “threat intel data feeds” using Combine plus Flail.
https://github.com/mlsecproject/combine
https://github.com/krmaxwell/flail
Games Workshop
WHOIS: registration of domains relevant to the brand or organization name.
http://modernfarmer.com/2013/06/cowglyphics-decoding-cattle-brands/
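The Blacklists and WHOIS slides above describe two checks: whether your own assets show up in public indicator feeds, and whether newly registered domains resemble your brand. The script below is an added example of both checks, not code from the talk, from Combine or Flail, or from any other project. The feed format (one `indicator,source` line per entry), the owned-asset set, the brand terms and the list of new registrations are all constructed for the demonstration; a real deployment would read Combine output and a WHOIS or zone-file diff instead.

```python
"""Brand-exposure checks over constructed feed data (added example)."""
from typing import Iterable, List, Tuple

# Constructed: domains and IPs the organisation owns (assumed, not real).
OWN_ASSETS = {"example-brand.com", "mail.example-brand.com", "198.51.100.7"}

# Constructed: brand terms to watch for in new domain registrations.
BRAND_TERMS = ["examplebrand", "beholder"]

# Constructed sample feed in a simple "<indicator>,<source>" layout.
FEED = """
# constructed feed: indicator,source
203.0.113.9,feed-a
198.51.100.7,feed-b
badsite.example.net,feed-a
"""

# Constructed sample of "newly registered" domains to screen.
NEW_DOMAINS = [
    "examplebrand-login.com",  # brand term embedded in the label
    "exanplebrand.net",        # one-character substitution
    "beho1der.org",            # digit swapped for a letter
    "unrelated.info",          # should not be flagged
    "example-brand.com",       # our own domain, skipped
]


def parse_feed(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Parse the constructed feed format, skipping comments and blank lines."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) < 2:
            continue
        out.append((parts[0].lower(), parts[1]))
    return out


def assets_on_blacklist(feed: Iterable[str], assets=OWN_ASSETS) -> List[Tuple[str, str]]:
    """Return (asset, source) for every owned asset that a feed lists as bad."""
    return [(ind, src) for ind, src in parse_feed(feed) if ind in assets]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 catches single-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Label left of the suffix ('foo.com' -> 'foo').

    Assumes a single-label public suffix; real handling needs a suffix list.
    """
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def suspicious_registrations(domains, terms=BRAND_TERMS, max_distance=1):
    """Flag domains whose label contains a brand term or is within max_distance
    edits of one. Owned domains are skipped. Returns (domain, term, reason)."""
    hits = []
    for d in domains:
        d = d.lower()
        if d in OWN_ASSETS:
            continue
        label = registrable_label(d)
        for t in terms:
            if t in label:
                hits.append((d, t, "contains"))
                break
            if edit_distance(label, t) <= max_distance:
                hits.append((d, t, "near-miss"))
                break
    return hits


if __name__ == "__main__":
    for asset, source in assets_on_blacklist(FEED.splitlines()):
        print(f"owned asset {asset} listed by {source}")
    for domain, term, reason in suspicious_registrations(NEW_DOMAINS):
        print(f"{domain}: {reason} {term!r}")
```

Both checks are deliberately cheap so they can run on every feed refresh; the edit-distance threshold is the knob to tune, since raising it above 1 quickly floods the output for short brand terms.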
Search engine automation: a Custom Search Engine for paste sites; Google Alerts for key email addresses (executives, honeytokens, etc.).
Malware repositories: YARA, “The pattern matching swiss knife”.
http://plusvic.github.io/yara/
“Antivirus that you update using git pull” ~ @tomchop_
YARA example (super naïve):
// Flag samples that mention the domain but not the routine CPS-requests mailbox.
rule verisign_email
{
    strings:
        $email_domain = "@verisign.com"
        $common_email = "CPS-requests"
    condition:
        $email_domain and not $common_email
}
Automation: “Scumblr is a web application that allows performing periodic searches and storing / taking actions on the identified results.”
https://github.com/Netflix/Scumblr
Lesson: Start off simple
Lesson: Evolve or die
Lesson: Work with others. Professionals can usually provide richer details.
Discussion. Thanks! @kylemaxwell
[email protected]