Creating REAL Threat Intelligence with Evernote
@grecs – NovaInfosec.com
Disclaimer
Opinions expressed are solely my own and do not express the views or opinions of my employers, customers, etc.
NovaInfosec.com@grecs,
20 Yrs Industry
16 Yrs Infosec
5 Yrs SOC
Consulting
• 20 Years Industry/Infosec Experience
• Security Engineering/Architecture
• SOC 2.0/Transformation
• Security Training
Agenda
• Premise
• Beginnings
• Pivot
• 3 Legs of Threat Intel
• Evernote as an Intel Repo
• Alternatives
• Future
PREMISE
Over Engineering
Build (at least try to) Before Buy
Premise
Over Engineering
• Tendency to Over Complicate
• Keep It Simple Stupid
• What Can We Do Quick & Dirty that Will Get Us 60-70% of the Way There?
• Onboarding Workflow System Example
(Diagram: Solution Fine As Is vs. Est. Reqs. to Develop Eventual Solution)
Premise
Build (at least try to) Before Buy
• Before Buying New Commercial Solution
– Try Quick & Dirty Solution In-House First
• Use Tools Already Have & All Familiar With
• Set Up Good Set of Processes Since It Lacks Safety Checks
• Have Smart People Actually Use Solution for 6-12 Mos.
• Continually Evolve Processes with Lessons Learned
– Maybe that Will Solve Your Needs
– Else Understand What REALly Need → Commercial
• Invest in People & Process 1st, then Products
Case In Point: Threat Intel Services
BEGINNINGS
Dashboard 1.0
Dashboard 2.0
Dashboard 3.0
Take-Aways
Beginnings
Dashboard 1.0
• SOC Security Engineer Position Many Years Ago Working to Create Dashboards
• Wanted to Measure Risk
• Use Traditional Risk Equation
– Vulnerability Data Based on Patch & Other Tools
– Threat? Decided to Use Vendor Threat Levels (e.g., SANS INFOCON, Symantec – normalize and average)
Beginnings
Dashboard 2.0 – Google Reader, iGoogle, Feedly
Beginnings
Dashboard 3.0
• Moved from Feedly to Netvibes Since Designed Ground Up as Dashboard
• Added “Cyber Intel” Tab with Sources Still Active from Feedly
Beginnings
Dashboarding Take-Aways
• Nice for “Blog” Post Feeds
• Tough to Follow for Data-Driven Feeds
– Changing Too Fast
– Feedly Pro
– NetVibes VIP
• Keep All Feed Data & Searchable
• Expensive for One-Off Analyst Resource
• Introduce Concept of One “Bucket” to Dump All Into
• Doesn’t Work for Periodically Updated Data Files
PIVOT
Meanwhile…
Rebaseline
The Secret Weapon
Ah Ha
Pivot
Meanwhile…
• Threat Intel Market Growing
– Investigating Threat Intel
– Consulted Experts & Users of Threat Intel Services
• Basic Take-Aways
– Fascinating Area with Lots of Cool Things Mathematically Correlated Together in Some Fancy Big Data Model
– Not Much Value Beyond Open Source Resources
– A Lot of Data Not Relevant to Organization
• Dashboard
– Was onto Something
– Pulling all Open Source Info Together
Pivot
Rebaseline
• NetVibes VIP but Cheaper & More Flexible
• Bucket to Dump All Data Into
– Blog/Other Feeds
– Data-Driven Feeds
– Data Files
– Other (anything else find – e.g., APT reports)
• Easily Find Data
– Searchable
– Categories
– Tagging for Viewing in Different Ways
• Cloud-Based So Wouldn’t Have to Maintain & Accessible Everywhere
– Email Folder (like in old days but too kludgy)
– Log/Data Aggregation Tools
Pivot
The Secret Weapon
• Method for Using Evernote as GTD-Based Task Mgmt System
– Treat Evernote Like a Database
– Notebook == Table
– Note == Free Form Record
• Organization
– Nested Notebooks
– Hierarchical Tagging (provide metadata structure)
• What → Projects
• When → Importance – e.g., 0-6
• Where → E.g., home, work, etc.
• Who → E.g., people that action has to do with
• Combination Above
• Search
– ~ Notebook, Tag, Keyword, or Combination Thereof
– Saved Searches
Pivot
The Secret Weapon – Customization
• Identifier Symbols for Each W* Category
• Carry Through of W* Symbols into Sub-Tags
• Included “.” after Symbols to Mark Headings
3 LEGS OF THREAT INTEL
Open Source Intelligence
Information Sharing
Case Tracking
Existing Solutions
3 Legs of Threat Intel
Open Source Intelligence
• Boils Down to
– Indicators (e.g., IPs, Domains, URLs, Hashes, Email Addresses, …)
– Reports (e.g., vendor dossiers on threat TTPs)
• Historically Lots of Open Source Resources
– MalwareDomainList
– Zeus Tracker
– SSL Blacklist
– …
• Don’t Forget Social Networks (e.g., certain people/resources on Twitter)
• Mix in Organizational Data as Well to Enrich (e.g., honeypots)
• Commercial (but let’s get the free stuff down first to define requirements)
• Big Need
– Centralized Database to Record All this Information
– Mmm? Perhaps a Shared Evernote Notebook Using Tags to Track?
3 Legs of Threat Intel
Intel Sharing
• Groups
– ISACs (FS-ISAC, MS-ISAC, DIB-ISAC, …)
– DIB
– Infragard
• Historically
– Email List
– Bulletin Boards
• Big Need
– Centralized Database to Record All this Information
– Mmm? Perhaps a Shared Evernote Notebook Using Tags to Track?
3 Legs of Threat Intel
Case Tracking
• Pretty Simple with Many Workflow Systems Out There
– Open New Case
– Work It Periodically Adding Comments of What Done
– Eventually Gets Closed
• Many Existing Solutions
– Remedy
– RT
– SharePoint
• Big Need
– Centralized Database to Record All this Information
– Mmm? Perhaps an Evernote Notebook using Tags to Track?
3 Legs of Threat Intel
Existing Solutions
• Open Source Intelligence
– Open Source: CRITS, CIF
– Vendors Incorporating into Products
• Intel Sharing
– Email Lists, Bulletin Boards
– Starting to Distribute in Standardized Format (TAXII, STIX)
• Case Management
– Open Source: RT, eTicket, Help Desk Lite, …
– Commercial: Remedy, SharePoint
• All-In-One
– ThreatConnect (free to join; in cloud and on-premises)
• Overall
– Lots of Point Solutions But Not Flexible
– Ease of Use (CEO down to analyst)
– Centralized Database to Record All this Information
EVERNOTE AS AN INTEL REPO
Ah Ha
OSINT
Intel Sharing
Case Tracking
Summary
Other Tricks
EN Search
Alternatives
Evernote as an Intel Repo
Ah Ha
• Define Notebooks & Hierarchical Tags for Metadata
• Perfect Open & Flexible Framework to Build Off Of
• Easy to Use Over Heavy Database or Workflow Management System
• Start Dumping All Feeds/Data into Evernote Bucket
Dashboarding + Secret Weapon + Threat Intel
= Evernote as an Intel Repo
Evernote as an Intel Repo
OSINT
• Archive of Organization-Relevant Data from Open Source Resources
• Benefits
– Database Can Search and Pivot Around In
– Annotation of Notes
• Dumping
– Automated via Feeds
– Clip into Evernote with Browser Add-On
• Recommended Tagging Structure
Evernote as an Intel Repo
OSINT
• Threat Data/Intel
– MalwareDomainList (RSS feed)
– Zeus Tracker (RSS feed)
– SSL Blacklist (RSS feed)
– Malware-Analysis Traffic (RSS feed)
• Vulnerability
– Offensive Security Exploit Database (RSS feed)
– NIST NVD CVE (RSS feed)
– US CERT All Products (RSS feed)
• Situational Awareness
– SANS ISC Blog (RSS feed)
Evernote as an Intel Repo
OSINT - Automation
• Email into Evernote
– Sign Up for Service Using Evernote Email
• IFTTT/Zapier for RSS Feeds
– Easy to Implement
– Limit of Only Getting Partial Data
– Write Own RSS Scraper / FiveFilter
• IFTTT/Zapier with Email Integration
– Helps Some if Offer Mailing List with Full Data
• StormStack - Open Source Clone+ of IFTTT
• Scripts
– E.g., Retrieve Files & Insert into Evernote
• CIF Feeds
Evernote as an Intel Repo
Intel Sharing
• Intel Sharing
– Shared Evernote Notebook for Partner Group
– Create Note, Place in Shared Notebook to Distribute, & Use Standard Tags to Track
• Case Tracking
– Evernote Notebook with a Note per Investigation
– Establish Note Template with
– Tags to Id Workflow (e.g., Open, Working, Closed)
Evernote as an Intel Repo
Summary
Tag Columns: !.When = Priority, Confidence, Rep | ].What = Reference Number | @.Where = Workflow or State | ^.Who = Source or Who Added/Updated
Case Tracking
• !.When → !.Case Tracking: !High, !Medium, !Low
• ].What → ** ].Case Tracking: ]CAS10000, ]CAS10001, …
• @.Where → @.Case Tracking: @Inbox, @Working, @Closed
• ^.Who → ^.Case Tracking
Intel Sharing
• ].What → ** ].Intel Sharing: ]SHA10000, ]SHA10001, …
• @.Where → @.Intel Sharing: @New, @Relevant, @Irrelevant
• ^.Who → ^.Intel Sharing: ^FS-ISAC
OSINT DB
• ].What → ** ].OSINT DB: ]OSI10000, ]OSI10001, …
• @.Where → @.OSINT DB: @New, @Useful, @Useless
• ^.Who → ^.OSINT DB: ^NIST, ^Abuse.ch, …
Notes: Only Tag if Relevant; Primary Tags (**) Used to Cross-Ref
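An added example, not from the deck, modelling this tagging convention in Python: it classifies tags by their W* symbol and heading marker, allocates ]OSI reference numbers, turns a constructed tracker RSS feed into tagged note records (the OSINT automation idea from the earlier slide), auto-tags IPv4 indicators as the Future slide suggests, and runs the AND-style search described under EN Search. The Note record, RefCounter, noise-range filter and feed content are assumptions; loading the records into Evernote is not shown.

```python
# Added example: a model of the deck's "!.When ].What @.Where ^.Who" tag convention.
# Assumed, not from the deck: the Note record, RefCounter, the indicator filter and
# the constructed feed. Pushing notes into Evernote (email-in, IFTTT, API) is not shown.
import ipaddress
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Symbol prefixes from the "Secret Weapon - Customization" slide.
WHEN, WHAT, WHERE, WHO = "!", "]", "@", "^"
HEADING = "."  # "@.OSINT DB" is a heading (parent) tag; "@New" is a leaf applied to notes
CATEGORIES = {WHEN: "When", WHAT: "What", WHERE: "Where", WHO: "Who"}


@dataclass
class Note:
    """Minimal stand-in for an Evernote note (assumed shape, not the Evernote API)."""
    title: str
    content: str
    tags: list = field(default_factory=list)
    source_url: str = ""


def classify_tag(tag: str) -> tuple[str, bool, str]:
    """Split a tag into (category, is_heading, name); unknown prefixes are one-off 'Other' tags.
    '@.OSINT DB' -> ('Where', True, 'OSINT DB'); ']OSI10000' -> ('What', False, 'OSI10000')."""
    if tag and tag[0] in CATEGORIES:
        body = tag[1:]
        if body.startswith(HEADING):
            return CATEGORIES[tag[0]], True, body[len(HEADING):]
        return CATEGORIES[tag[0]], False, body
    return "Other", False, tag


class RefCounter:
    """Allocates ]What reference numbers in a series (]OSI10000, ]SHA10000, ]CAS10000, ...)."""
    def __init__(self, series: str, start: int = 10000):
        self.series, self.next = series, start

    def allocate(self) -> str:
        ref = f"{WHAT}{self.series}{self.next:05d}"
        self.next += 1
        return ref


# Ranges never worth an indicator tag. RFC 5737 documentation ranges are deliberately
# let through so the constructed sample below gets tagged.
NOISE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def indicator_tags(text: str) -> list[str]:
    """Auto-tag IPv4 indicators in note text (the deck's 'API Automation' idea);
    invalid quads such as 999.1.1.1 and NOISE ranges are skipped."""
    found = set()
    for candidate in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue
        if not any(ip in net for net in NOISE):
            found.add(str(ip))
    return sorted(found)


def notes_from_rss(rss_xml: str, source: str, counter: RefCounter) -> list[Note]:
    """Turn each RSS <item> into a note tagged per the OSINT DB row of the summary table.
    Leaf tags only: the ]. @. ^. heading tags are the parents in Evernote's tag tree."""
    notes = []
    for item in ET.fromstring(rss_xml).iter("item"):
        title = item.findtext("title", default="(untitled)")
        desc = item.findtext("description", default="")
        tags = [counter.allocate(), f"{WHERE}New", f"{WHO}{source}"]
        tags += indicator_tags(title + " " + desc)  # one-off indicator tags
        notes.append(Note(title, desc, tags, item.findtext("link", default="")))
    return notes


def search(notes: list[Note], tag: str = "", keyword: str = "") -> list[Note]:
    """AND search like the EN Search slide: every criterion given must match."""
    return [n for n in notes
            if (not tag or tag in n.tags)
            and (not keyword or keyword.lower() in (n.title + " " + n.content).lower())]


# Constructed two-item feed standing in for a tracker's RSS; the IPs are RFC 5737
# documentation addresses, not real indicators.
SAMPLE_RSS = """<rss version="2.0"><channel><title>Constructed Tracker</title>
<item><title>C2 host 203.0.113.7 added</title><link>https://tracker.example/1</link>
<description>203.0.113.7:8080 serving config; seen from lab host 10.0.0.5</description></item>
<item><title>Blacklisted certificate</title><link>https://tracker.example/2</link>
<description>Fingerprint placeholder, no network indicator</description></item>
</channel></rss>"""


def demo() -> list[Note]:
    """Ingest the sample feed into the ]OSI series with ^Abuse.ch as the source tag."""
    return notes_from_rss(SAMPLE_RSS, "Abuse.ch", RefCounter("OSI"))
```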
Evernote as an Intel Repo
Other Tricks
• Create New Meta-Notes that Pull Together Existing Notes (e.g., several OSINT notes, intel from partners, and cases assigned)
• One-Off “Other” Tags to Pull Together Any Notes
• Alternative Tagging Structures: Adversaries, Campaigns, Waves, Individual Attacks, Indicator DB, …
Evernote as an Intel Repo
EN Search
• How to Find All Data Thrown into Evernote
• Tags
• Basic Search
• Advanced Search
– Specific Notebooks, Tags, Terms, Dates
– “AND” Boolean Support
• Example
– Search for IP & Find Note
– Run Secondary Search Around that Timeline
– Discover Similar Happenings
• Saved Searches (e.g., Case Tracking)
Evernote as an Intel Repo
Alternatives
• Log Management Solutions
• SIEMs
• Others
Evernote as an Intel Repo
Future
• More/Improved OSINT Resources
– Deconflict Sites with Multiple Feeds & Add if Needed
– File-Based Pulls (script / replace existing RSS)
– Vendor APT Reports
– News Blogs - Track Happenings Around Specific Period
– Integration with CIF to Centralize/Tag Data
• Improved/Formalized Tagging Structures
• API Automation (e.g., auto tagging IP addresses)
• EaaS (Evernote as a SIEM ;) )
Conclusion
• Lots of Point Solutions but None Bring Together Like Good ’ol Evernote
• Start with Evernote to “Figure Stuff Out”
• In End Determine REAL Requirements
– Solution Fine As Is
– Build In-House/Buy Commercial Full Out Solution
Questions?
• Twitter @grecs
• Website NovaInfosec.com, @novainfosec
• Contact http://bit.ly/nispcontact
o Questions/Consulting

Creating REAL Threat Intelligence with Evernote at TakeDownCon CA on June 2, 2015

  • 1. Creating REAL Threat Intelligence with Evernote @grecs – NovaInfosec.com
  • 2. Disclaimer Opinions expressed are solely my own and do not express the views or opinions of my employers, customers, etc. NovaInfosec.com@grecs,
  • 4. 20 Yrs Industry 16 Yrs Infosec 5 Yrs SOC
  • 6. Consulting • 20 Years Industry/Infosec Experience • Security Engineering/ Architecture • SOC 2.0/Transformation • Security Training NovaInfosec.com@grecs,
  • 7. Agenda • Premise • Beginnings • Pivot • 3 Legs of Threat Intel • Evernote as an Intel Repo • Alternatives • Future NovaInfosec.com@grecs,
  • 8. PREMISE Over Engineering Build (at least try to) Before Buy NovaInfosec.com@grecs,
  • 9. Premise Over Engineering • Tendency to Over Complicate • Keep It Simple Stupid • What Can We Do Quick & Dirty that Will Get Us 60- 70% of the Way There? • Onboarding Workflow System Example Solution Fine As Is Est. Requs. to Develop Eventual Solution
  • 10. Premise Build (at least try to) Before Buy • Before Buying New Commercial Solution – Try Quick & Dirty Solution In-House First • Use Tools Already Have & All Familiar With • Setup Good Set of Processes Since Lacks Safety Checks • Have Smart People Actually Use Solution for 6-12 Mos. • Continually Evolve Processes with Lessons Learned – Maybe that Will Solve Your Needs – Else Understand What REALly Need  Commercial • Invest in People & Process 1st, then Products Case In Point:Threat Intel Services NovaInfosec.com@grecs,
  • 11. BEGINNINGS Dashboard 1.0 Dashboard 2.0 Dashboard 3.0 Take-Aways NovaInfosec.com@grecs,
  • 12. Beginnings Dashboard 1.0 • SOC Security Engineer Position Many Years Ago Working to Create Dashboards • Wanted to Measure Risk • Use Traditional Risk Equation – Vulnerability Data Based on Patch & Other Tools – Threat? Decided to Use Vendor Threat Levels (e.g., SANS INFOCON, Symantec – normalize and average) Creating REAL Threat Intelligence with Evernote NovaInfosec.com@grecs,
  • 13. Beginnings Dashboard 2.0 – Google Reader, iGoogle, Feedly
  • 14. Beginnings Dashboard 3.0 • Moved from Feedly to Netvibes Since Designed Ground Up as Dashboard • Added “Cyber Intel” Tab with Sources Still Active from Feedly Creating REAL Threat Intelligence with Evernote NovaInfosec.com@grecs,
  • 15. Beginnings Dashboarding Take-Aways • Nice for “Blog” Post Feeds • Tough to Follow for Data-Driven Feeds – Changing Too Fast – Feedly Pro – NetVibes VIP • Keep All Feed Data & Searchable • Expensive for One-Off Analyst Resource • Introduce Concept of One “Bucket” to Dump All Into • Doesn’t Work for Periodically Updated Data Files Creating REAL Threat Intelligence with Evernote NovaInfosec.com@grecs,
  • 17. Pivot Meanwhile… • Threat Intel Market Growing – Investigating Threat Intel – Consulted Experts & Users of Threat Intel Services • Basic Take-Aways – Fascinating Area with Lots of Cool Things Mathematically Correlated Together in Some Fancy Big Data Model – Not Much Value Beyond Open Source Resources – A Lot of Data Not Relevant to Organization • Dashboard – Was onto Something – Pulling all Open Source Info Together NovaInfosec.com@grecs,
  • 18. Pivot Rebaseline • NetVibes VIP but Cheaper & More Flexible • Bucket to Dump All Data Into – Blog/Other Feeds – Data-Driven Feeds – Data Files – Other (anything else find – e.g., APT reports) • Easily Find Data – Searchable – Categories – Tagging for Viewing in Different Ways • Cloud-Based So Wouldn’t Have to Maintain & Accessible Everywhere – Email Folder (like in old days but too kludgy) – Log/Data Aggregation Tools NovaInfosec.com@grecs,
  • 19. Pivot The Secret Weapon • Method for Using Evernote as GTD-Based Task Mgmt System – Treat Evernote Like a Database – Notebook == Table – Note == Free Form Record • Organization – Nested Notebooks – Hierarchical Tagging (provide metadata structure) • What  Projects • When  Importance – e.g., 0-6 • Where  E.g., home, work, etc. • Who  E.g., people that action has to do with • Combination Above • Search – ~ Notebook, Tag, Keyword, or Combination Thereof – Saved Searches NovaInfosec.com@grecs,
  • 20. Pivot The Secret Weapon – Customization • Identifier Symbols for Each W* Category • Carry Through of W* Symbols into Sub-Tags • Included “.” after Symbols to Mark Headings NovaInfosec.com@grecs,
• 21. 3 LEGS OF THREAT INTEL – Open Source Intelligence, Information Sharing, Case Tracking, Existing Solutions
• 22. 3 Legs of Threat Intel – Open Source Intelligence
  • Boils Down to
    – Indicators (e.g., IPs, Domains, URLs, Hashes, Email Addresses, …)
    – Reports (e.g., vendor dossiers on threat TTPs)
  • Historically Lots of Open Source Resources
    – MalwareDomainList
    – Zeus Tracker
    – SSL Blacklist
    – …
  • Don’t Forget Social Networks (e.g., certain people/resources on Twitter)
  • Mix in Organizational Data as Well to Enrich (e.g., honeypots)
  • Commercial (but let’s get the free stuff down first to define requirements)
  • Big Need
    – Centralized Database to Record All This Information
    – Mmm? Perhaps a Shared Evernote Notebook Using Tags to Track?
• 23. 3 Legs of Threat Intel – Intel Sharing
  • Groups
    – ISACs (FS-ISAC, MS-ISAC, DIB-ISAC, …)
    – DIB
    – InfraGard
  • Historically
    – Email Lists
    – Bulletin Boards
  • Big Need
    – Centralized Database to Record All This Information
    – Mmm? Perhaps a Shared Evernote Notebook Using Tags to Track?
• 24. 3 Legs of Threat Intel – Case Tracking
  • Pretty Simple with Many Workflow Systems Out There
    – Open New Case
    – Work It, Periodically Adding Comments on What Was Done
    – Eventually Gets Closed
  • Many Existing Solutions
    – Remedy
    – RT
    – SharePoint
  • Big Need
    – Centralized Database to Record All This Information
    – Mmm? Perhaps an Evernote Notebook Using Tags to Track?
• 25. 3 Legs of Threat Intel – Existing Solutions
  • Open Source Intelligence
    – Open Source: CRITs, CIF
    – Vendors Incorporating into Products
  • Intel Sharing
    – Email Lists, Bulletin Boards
    – Starting to Distribute in Standardized Formats (TAXII, STIX)
  • Case Management
    – Open Source: RT, eTicket, Help Desk Lite, …
    – Commercial: Remedy, SharePoint
  • All-In-One
    – ThreatConnect (free to join; in cloud and on-premises)
  • Overall
    – Lots of Point Solutions but Not Flexible
    – Ease of Use (CEO down to analyst)
    – Centralized Database to Record All This Information
• 26. EVERNOTE AS AN INTEL REPO – Ah Ha, OSINT, Intel Sharing, Case Tracking, Summary, Other Tricks, EN Search, Alternatives
• 27. Evernote as an Intel Repo – Ah Ha
  • Define Notebooks & Hierarchical Tags for Metadata
  • Perfect Open & Flexible Framework to Build Off Of
  • Easier to Use than a Heavy Database or Workflow Management System
  • Start Dumping All Feeds/Data into Evernote Bucket
  • Dashboarding + Secret Weapon + Threat Intel = Evernote as an Intel Repo
• 28. Evernote as an Intel Repo – OSINT
  • Archive of Organization-Relevant Data from Open Source Resources
  • Benefits
    – Database You Can Search and Pivot Around In
    – Annotation of Notes
  • Dumping
    – Automated via Feeds
    – Clip into Evernote with Browser Add-On
  • Recommended Tagging Structure
• 29. Evernote as an Intel Repo – OSINT
  • Threat Data/Intel
    – MalwareDomainList (RSS feed)
    – Zeus Tracker (RSS feed)
    – SSL Blacklist (RSS feed)
    – Malware-Traffic-Analysis (RSS feed)
  • Vulnerability
    – Offensive Security Exploit Database (RSS feed)
    – NIST NVD CVE (RSS feed)
    – US-CERT All Products (RSS feed)
  • Situational Awareness
    – SANS ISC Blog (RSS feed)
• 30. Evernote as an Intel Repo – OSINT
• 31. Evernote as an Intel Repo – OSINT Automation
  • Email into Evernote
    – Sign Up for Service Using Evernote Email Address
  • IFTTT/Zapier for RSS Feeds
    – Easy to Implement
    – Limitation: Only Gets Partial Data
    – Write Own RSS Scraper / FiveFilters
  • IFTTT/Zapier with Email Integration
    – Helps Some if Source Offers Mailing List with Full Data
  • StormStack – Open Source Clone+ of IFTTT
  • Scripts
    – E.g., Retrieve Files & Insert into Evernote
  • CIF Feeds
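The "write your own RSS scraper" path from slide 31, worked end to end as an added example (this is not code from the deck or from NovaInfosec): it parses an RSS feed, pulls indicators out of each entry, numbers the entry with the deck's ]OSI reference scheme, and composes the message that Evernote's email-in feature turns into a tagged note using its "Title @Notebook #tag" subject convention. The feed contents, the indicator patterns, the destination address (a placeholder in the @m.evernote.com form) and the choice of tags are all assumptions made for the example; nothing is sent, the messages are only built.

```python
import re
import xml.etree.ElementTree as ET
from email.message import EmailMessage

# Constructed sample feed (not a real tracker's output): two entries with
# indicators embedded in the description, as many OSINT feeds do.
SAMPLE_RSS = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel><title>Constructed tracker feed</title>
<item>
  <title>New C2 host listed</title>
  <link>https://tracker.example/entry/1</link>
  <pubDate>Mon, 03 Mar 2014 10:00:00 +0000</pubDate>
  <description>Host 198.51.100.23 (c2.evil-example.test) served dropper with
  sha256 0a1b2c3d0a1b2c3d0a1b2c3d0a1b2c3d0a1b2c3d0a1b2c3d0a1b2c3d0a1b2c3d</description>
</item>
<item>
  <title>Phishing landing page</title>
  <link>https://tracker.example/entry/2</link>
  <pubDate>Tue, 04 Mar 2014 08:30:00 +0000</pubDate>
  <description>login.bank-example.test resolving to 203.0.113.8</description>
</item>
</channel></rss>"""

# Indicator patterns (assumed for the example). Word boundaries keep the MD5
# pattern from matching the first 32 characters of a SHA-256, and the domain
# pattern requires an alphabetic TLD so dotted IPs are not counted as domains.
PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "md5": re.compile(r"\b[0-9a-fA-F]{32}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}


def extract_indicators(text):
    """Return {kind: sorted unique matches} for every indicator kind present."""
    found = {}
    for kind, pat in PATTERNS.items():
        hits = sorted({m.group(0) for m in pat.finditer(text)})
        if hits:
            found[kind] = hits
    return found


def parse_feed(xml_text):
    """Parse RSS 2.0 items into plain dicts; description whitespace is collapsed."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        items.append({
            "title": item.findtext("title", default="").strip(),
            "link": item.findtext("link", default="").strip(),
            "date": item.findtext("pubDate", default="").strip(),
            "description": " ".join(item.findtext("description", default="").split()),
        })
    return items


def build_note_email(entry, ref, source, notebook="OSINT DB",
                     to_addr="user.abc123@m.evernote.com"):  # placeholder address
    """Compose the email Evernote's email-in feature files as a note.

    Subject convention: "Title @Notebook #tag #tag". Tags follow the deck's
    scheme: ]REF for the reference number, @State for the workflow state and
    ^Source for where the data came from. Returns (message, indicators).
    """
    indicators = extract_indicators(entry["description"])
    tags = [f"]{ref}", "@New", f"^{source}"]
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["Subject"] = f"{entry['title']} @{notebook} " + " ".join(f"#{t}" for t in tags)
    lines = [f"Source: {entry['link']}", f"Published: {entry['date']}", "",
             entry["description"], "", "Indicators:"]
    for kind, values in indicators.items():
        lines.append(f"  {kind}: {', '.join(values)}")
    msg.set_content("\n".join(lines))
    return msg, indicators


def feed_to_notes(xml_text, source, start=10000, prefix="OSI"):
    """Turn every feed item into (ref, message, indicators), numbering the
    references OSI10000, OSI10001, ... as in the deck's tag scheme."""
    results = []
    for n, entry in enumerate(parse_feed(xml_text)):
        ref = f"{prefix}{start + n}"
        msg, ind = build_note_email(entry, ref, source)
        results.append((ref, msg, ind))
    return results


if __name__ == "__main__":
    for ref, msg, ind in feed_to_notes(SAMPLE_RSS, "Abuse.ch"):
        print(msg["Subject"], ind)
```

A real run would replace SAMPLE_RSS with a fetched feed and hand each message to an SMTP client; keeping the reference counter in a file (or reading the highest ]OSI tag back from Evernote) is what makes the numbering survive across runs.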
• 32. Evernote as an Intel Repo – Intel Sharing
  • Intel Sharing
    – Shared Evernote Notebook for Partner Group
    – Create Note, Place in Shared Notebook to Distribute, & Use Standard Tags to Track
  • Case Tracking
    – Evernote Notebook with a Note per Investigation
    – Establish Note Template
    – Tags to Identify Workflow State (e.g., Open, Working, Closed)
• 33. Evernote as an Intel Repo – Summary
  • Tag Categories: !.When (Priority, Confidence, Rep), ].What (Reference Number), @.Where (Workflow or State), ^.Who (Source or Who Added/Upd)
  • Case Tracking
    – !.Case Tracking: !High, !Medium, !Low
    – ].Case Tracking (**): ]CAS10000, ]CAS10001, …
    – @.Case Tracking: @Inbox, @Working, @Closed
    – ^.Case Tracking
  • Intel Sharing
    – ].Intel Sharing (**): ]SHA10000, ]SHA10001, …
    – @.Intel Sharing: @New, @Relevant, @Irrelevant
    – ^.Intel Sharing: ^FS-ISAC
  • OSINT DB
    – ].OSINT DB (**): ]OSI10000, ]OSI10001, …
    – @.OSINT DB: @New, @Useful, @Useless
    – ^.OSINT DB: ^NIST, ^Abuse.ch, …
  • Only Tag if Relevant
  • Primary Tags (**) Used to Cross-Ref
• 34. Evernote as an Intel Repo – Other Tricks
  • Create New Meta-Notes that Pull Together Existing Notes (e.g., several OSINT notes, intel from partners, and cases assigned)
  • One-Off “Other” Tags to Pull Together Any Notes
  • Alternative Tagging Structures: Adversaries, Campaigns, Waves, Individual Attacks, Indicator DB, …
• 35. Evernote as an Intel Repo – EN Search
  • How to Find All the Data Thrown into Evernote
  • Tags
  • Basic Search
  • Advanced Search
    – Specific Notebooks, Tags, Terms, Dates
    – “AND” Boolean Support
  • Example
    – Search for IP & Find Note
    – Run Secondary Search Around That Timeline
    – Discover Similar Happenings
  • Saved Searches (e.g., Case Tracking)
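The search-and-pivot example from slide 35, and the tag scheme from slide 33, as an added example (not from the deck or from Evernote's own code): a small in-memory search over a constructed note set that accepts a subset of Evernote-style query syntax (notebook:, tag:, -tag:, intitle:, created:YYYYMMDD and bare keywords, all ANDed), then the deck's pivot, which finds the notes mentioning an IP and searches a window around their creation time for other happenings. The notes, the saved searches and the reading of "-created:DATE" as "created before DATE" are assumptions made for the example.

```python
import shlex
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Note:
    title: str
    notebook: str
    created: datetime
    tags: set
    body: str


# Constructed note set (assumed) mirroring the deck's three notebooks and tag
# scheme: ]REF = reference, @State = workflow, ^Source = origin, !Level = priority.
NOTES = [
    Note("Tracker listing: 198.51.100.23", "OSINT DB", datetime(2014, 3, 3, 10),
         {"]OSI10000", "@New", "^Abuse.ch"},
         "Host 198.51.100.23 served a dropper (constructed)"),
    Note("Partner bulletin: phishing wave", "Intel Sharing", datetime(2014, 3, 4, 9),
         {"]SHA10000", "@Relevant", "^FS-ISAC"},
         "Lures point at 198.51.100.23 and login.bank-example.test"),
    Note("CAS10000 suspicious outbound", "Case Tracking", datetime(2014, 3, 5, 14),
         {"]CAS10000", "@Working", "!High"},
         "Workstation beaconing to login.bank-example.test"),
    Note("Old scanner note", "OSINT DB", datetime(2014, 1, 10, 12),
         {"]OSI09990", "@Useless", "^NIST"},
         "Scanner 203.0.113.8 probing (constructed)"),
]

# Saved searches, as the deck suggests for case tracking (names assumed).
SAVED_SEARCHES = {
    "working cases": 'notebook:"Case Tracking" tag:@Working',
    "new osint": 'notebook:"OSINT DB" tag:@New',
}


def _match_term(note, term):
    """Evaluate one query term against a note (assumed Evernote-like semantics)."""
    negate = term.startswith("-")
    if negate:
        term = term[1:]
    op, sep, value = term.partition(":")
    if not sep:                               # bare keyword: title or body
        hit = op.lower() in f"{note.title} {note.body}".lower()
    elif op == "notebook":
        hit = note.notebook.lower() == value.lower()
    elif op == "tag":
        hit = value.lower() in {t.lower() for t in note.tags}
    elif op == "intitle":
        hit = value.lower() in note.title.lower()
    elif op == "created":                     # on or after the given day
        hit = note.created >= datetime.strptime(value, "%Y%m%d")
    else:
        raise ValueError(f"unsupported operator: {op}")
    return hit != negate


def search(notes, query):
    """Return notes matching every term of the query (AND semantics).
    shlex handles quoted values such as notebook:"OSINT DB"."""
    terms = shlex.split(query)
    return [n for n in notes if all(_match_term(n, t) for t in terms)]


def run_saved(notes, name):
    """Run one of the saved searches by name."""
    return search(notes, SAVED_SEARCHES[name])


def pivot_around(notes, keyword, days=2):
    """Deck's example: find the notes for an indicator, then search the
    surrounding timeline (±days) across all notebooks for other happenings.
    Returns the window's notes that were not already hits for the keyword."""
    seeds = search(notes, keyword)
    if not seeds:
        return []
    t0 = min(n.created for n in seeds)
    lo = (t0 - timedelta(days=days)).strftime("%Y%m%d")
    hi = (t0 + timedelta(days=days + 1)).strftime("%Y%m%d")   # exclusive bound
    window = search(notes, f"created:{lo} -created:{hi}")
    return [n for n in window if n not in seeds]


if __name__ == "__main__":
    for n in pivot_around(NOTES, "198.51.100.23"):
        print(n.notebook, n.title, sorted(n.tags))
```

The pivot is what the tag scheme buys you: the case note never mentions the IP, yet it surfaces because it sits in the same time window, and its ]CAS reference tag is what you would then add to the OSINT and partner notes to cross-reference them.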
• 36. Evernote as an Intel Repo – Alternatives
  • Log Management Solutions
  • SIEMs
  • Others
• 37. Evernote as an Intel Repo – Future
  • More/Improved OSINT Resources
    – Deconflict Sites with Multiple Feeds & Add if Needed
    – File-Based Pulls (script / replace existing RSS)
    – Vendor APT Reports
    – News Blogs – Track Happenings Around Specific Period
    – Integration with CIF to Centralize/Tag Data
  • Improved/Formalized Tagging Structures
  • API Automation (e.g., auto-tagging IP addresses)
  • EaaS (Evernote as a SIEM ;) )
• 38. Conclusion
  • Lots of Point Solutions but None Bring It Together Like Good Ol’ Evernote
  • Start with Evernote to “Figure Stuff Out”
  • In the End, Determine REAL Requirements
    – Solution Fine As Is
    – Build In-House / Buy Commercial Full-Out Solution
• 39. Questions?
  • Twitter: @grecs
  • Website: NovaInfosec.com, @novainfosec
  • Contact: http://bit.ly/nispcontact – Questions/Consulting