Author Archives: Chris J

About Chris J

Chris J studies physical and information security. He started the Ann Arbor Chapter of TOOOL and attended Eastern Michigan University, where he got a degree in Applied Information Assurance. His work involves Threat Intelligence.

Using FAIR with CTI (Intro)

As I mentioned in the past, I taught a Graduate level Risk Management and Incident response course. In my first term, I was literally hired three days before the term started. The grad class was new, with no framework or anything else to build off of, and I had to build it on the fly.

So, I went with what I learned in grad school elsewhere, which was the NIST documentation. During my first term teaching the class, I kept telling myself there must be something better. NIST SP 800-53 and the related documents have been around for a while, yet we still see breaches. It builds a framework around an organization, but something is missing. With the frameworks in place, breaches still happen, and they lack ways to help prioritize objectives.

Driving home after teaching class one night, I heard an interview with Jack Jones talking about Factor Analysis in Information Risk (FAIR). It made sense, and FAIR can tie actual monetary loss to things. So, I got a copy of the book but didn’t change the class in the middle of the term; I just waited for the next term the class was offered (it was only offered once a year).

When going through “Measuring and Managing Information Risk: A FAIR approach” by Jack Freund and Jack Jones, the book mentioned Threat intelligence several times, asking the Threat Intelligence experts, working with threat intelligence vendors, etc. And that part spoke to me too. Using the FAIR framework creates better planning/requirements and direction steps to speak to the threats a company faces.

In FAIR, threats don’t mean all the uses that we have in IT/Cyber Security, which boils down to speaking to an adverse event or action when something is exploited or compromised. In FAIR, a Threat is someone or something that can take independent action against an asset in a way that changes value. That made sense, too; it gave better, tighter definitions to work with.

As I read and thought more about FAIR, cybersecurity, and Threat Intelligence, I realized that Risk and Incident Response are two sides of the same coin. More or less. The Risk Management side is the expected annualized loss based on things happening. The Incident Response side is how an organization responds to materialized risk, or what the company does when the risk actually happens. And I thought about how Threat Intelligence plays into both Risk and Incident Response.
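To make the “expected annualized loss” side concrete, here is an added example (my own code, not from the original post or from the FAIR standard itself) that runs a small Monte Carlo estimate using the Open FAIR decomposition: Loss Event Frequency is Threat Event Frequency times Vulnerability, and Risk is Loss Event Frequency times Loss Magnitude. The scenario, the PERT ranges, and the two Threat Event Frequency estimates (a generic one and a narrower one meant to stand in for what threat intelligence could supply) are all constructed for illustration; secondary loss is simplified to a single per-event range.

```python
"""Added example: Monte Carlo annualized loss estimate with the Open FAIR
decomposition (LEF = TEF * Vulnerability; Risk = LEF * LM).
All scenario figures below are constructed, not measured data."""
import random
import statistics


def pert_sample(low, mode, high, rng=random, lam=4.0):
    """Draw one value from a modified-PERT distribution (min / most
    likely / max), the calibrated-estimate shape commonly used with FAIR."""
    if high == low:
        return low
    span = high - low
    a = 1 + lam * (mode - low) / span
    b = 1 + lam * (high - mode) / span
    return low + rng.betavariate(a, b) * span


def expected_loss_point(tef, vulnerability, loss_magnitude):
    """Point estimate of annualized loss: TEF * Vulnerability * LM."""
    return tef * vulnerability * loss_magnitude


def make_scenario(tef_range):
    """Constructed scenario: credential phishing against a finance mailbox.
    Only the TEF range varies; vulnerability and loss ranges are shared."""
    return {
        "tef": tef_range,                       # threat events per year (min, mode, max)
        "vuln": (0.05, 0.15, 0.40),             # P(threat event becomes a loss event)
        "primary_loss": (5_000, 20_000, 80_000),    # response/replacement cost per event
        "secondary_loss": (0, 10_000, 150_000),     # fines, customer loss (simplified)
    }


def simulate_ale(scenario, iterations=10_000, seed=1):
    """Return (mean ALE, 90th-percentile ALE) for a scenario."""
    rng = random.Random(seed)
    results = []
    for _ in range(iterations):
        tef = pert_sample(*scenario["tef"], rng=rng)
        vuln = pert_sample(*scenario["vuln"], rng=rng)
        lef = tef * vuln                         # loss events per year
        lm = (pert_sample(*scenario["primary_loss"], rng=rng)
              + pert_sample(*scenario["secondary_loss"], rng=rng))
        results.append(lef * lm)                 # annualized loss for this trial
    results.sort()
    p90 = results[int(0.9 * (iterations - 1))]
    return statistics.mean(results), p90


def compare_tef_estimates(generic_tef=(2, 12, 52), cti_tef=(20, 60, 120)):
    """Run the same scenario with a generic TEF estimate and with a
    (constructed) intelligence-informed one, so the effect of better
    frequency data on the risk figure is visible."""
    out = {}
    for name, tef in (("generic", generic_tef), ("cti_informed", cti_tef)):
        mean_ale, p90_ale = simulate_ale(make_scenario(tef))
        out[name] = {"mean_ale": mean_ale, "p90_ale": p90_ale}
    return out


if __name__ == "__main__":
    for name, figures in compare_tef_estimates().items():
        print(f"{name:13s} mean ALE ${figures['mean_ale']:>12,.0f}"
              f"   p90 ALE ${figures['p90_ale']:>12,.0f}")
```

The point of the comparison is not the dollar figures, which are made up, but where threat intelligence enters the model: the Threat Event Frequency range is the input an intelligence team is best placed to tighten, and everything downstream (Loss Event Frequency, the annualized loss distribution, the prioritization that follows) moves with it.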

And while staring at the FAIR Framework, I came up with the below image. It is a modified version of the framework applied to areas of influence I see belonging in whole or in part to Threat Intelligence / Cyber Threat Intelligence showing the highlighted sections:

I’ll walk through the different parts and how I see Threat Intelligence’s role in each in future posts. They’re probably going to be mixed in with other things, but I’ll have a link page, like I did for the Building an OSINT box series, that links to each part in order.

Prepping for a project

I’m getting ready for a fun little project with a friend. Several years ago, while doing my undergrad, I got a copy of Chris Sander’s “Applied Network Security Monitoring.” I was going to do a book study group at school when it came out, but it turns out it was a required text for my Incident Response course.

Sadly, that class was a mess, and I don’t think we used the book in it at all. A different friend and I referenced the book to build a project for one of our other classes. We used it to build several honey pots, with what was supposed to be centralized logging. That, however, failed due to the Data Center we put the logging server in. The DC we picked for the log server didn’t allow logging to that DC for some reason. The other ones through the VPS provider would have worked fine. Just not that one. No clue why. We did complete the project with the honey pots but had to monitor each one instead of having central logs.

Anyway, talking about burnout recently with friend one, mentioned above, we both feel burnt out. We don’t want to do anything computer-related after work. Studying, Udemy, Coursera, Hack-in-The-Box, Try Hack Me, scripting, blogging, etc. To get around this, we’re going to work through Applied Network Security Monitoring, and we’re also going to blog about it.
Before confirming this was the book and project we would do, we asked Chris Sanders via Twitter if the book material was still relevant. He said the concepts would be, but the tools would be different now.

It should be fun.

Once my friend gets his blog set up, I’ll link to it too. And yes, I know I still have some OpenFAIR/CTI/OSINT related content I want to blog about; see the comment about being burnt out above.

Open FAIR Exam Quick Follow-Up

In my Passed the Open FAIR Exam post, I mentioned there were some issues with some of the questions on the exam not matching what I studied. Since I wrote the blog post, I printed and did quick reviews of the O-RA v2.0 and the O-RT v3.0.

The questions I remember struggling with did come from the newer versions of the Knowledge Body. So if you’re going to study for the Certification Exam, even though the Certification Page still lists the old documents, you’ll want to study the new standards.

Passed the Open FAIR Exam

Last year, I took the RiskLens FAIR training course to learn the FAIR-U software before teaching FAIR as the Risk Management part of the graduate-level Risk Management and Incident Response class I taught [*]. The course came with an Open FAIR certification exam voucher.


After passing the GOSI in June, I took a few weeks off and then started studying for the Open FAIR certification exam. My study material and method was:

Now there is a new version of both the O-RT and the O-RA that came out this year. But after asking the member team at the FAIR Institute if I should get the new versions in case the test changed, they said I should be okay using the older material.

After taking the exam about six weeks after asking that question, I think I should have studied the new versions, even though the other study material doesn’t appear updated yet. Some of the questions on the exam didn’t make sense, and I suspect they reflected the change in the new versions of the O-RT and the O-RA. I need to check that, but I wanted a few days of downtime to read other things.

[*] I’m not teaching this term; part-time lecturers are used to fill classes that the department doesn’t have Full or Part-Time professors (Ph.D.) for. The department has also been hiring more Ph.D.s the last few years, so there are more of them now, meaning they need fewer lecturers. It also means I have more free time to work on personal things. While the job says part-time, I spent more time doing class-related administrative work than I did my Full-Time Day Job.

* Update 2024-10-06: changed to Amazon Affiliate Link, which I earn a commission from qualifying purchases.

Passed the GOSI

As usual, I have a lot on my plate. So I don’t get to blog as much as I’d like. Then again, I haven’t had a cool project to work on for a while. Just going through skilling up on things. Back in March, I mentioned I took the SANS Security 487 course, Open Source (OSINT) Gathering and Analysis. For the last month or so, I’ve been studying for the exam.

So that’s a thing. Second SANS class taken, second GIAC exam passed. I’d share the embedded link, but it gives too much personal information away. So all that is here is the certification badge they provide.


Next up is going to be the Open FAIR certification. I went through the training on my own dime last year, and I’ve been slowly studying for that one since last year. I’m planning to schedule the test for mid-August.

For SANS/GIAC, next on my radar will probably be Sec 504 / GCIH.

After that, I’m still interested in the Python classes. Both Sec 573 Automating Information Security with Python and Sec 537 Practical Open-Source Intelligence (OSINT) Analysis and Automation.

They added a new one for OSINT, and I’m wondering how much overlap with the Automating OSINT by Justin Seitz there is.

I’m also interested in LEG52: Law of Data Security and Investigations and MGT512: Security Leadership Essentials for Managers. Both of those are for personal reasons. But in all the years I’ve been around the industry, I’ve only gotten to go to two SANS classes, so it will probably take a while.

SANS Security 487

I recently took the SANS Security 487, Open-Source Intelligence (OSINT) Gathering and Analysis, course with Micah Hoffman. Now, I need to get started on the associated GIAC Open Source Intelligence (GOSI) exam prep.

When I put my training request in, my manager pointed out I could probably pass the exam without the course. Maybe my manager was right, but I like a good refresher course every once in a while.


More NAS Fun

We live, we learn. A year ago, I had this post about my raspi-NAS failing. One of the things I said was I’d look into building a real RAID 1 based NAS on a Raspberry Pi.

Yeah, researching that subject while rebuilding my home network a few weeks ago, I found out that USB and RAID don’t work together like that. So, if I want a NAS with RAID, I’d have to do something else. Like a rack-mounted server running FreeNAS. Yes, I know it’s being rebranded TrueNAS Core.

I tried Open Media Vault (OMV) with my existing powered external hard drives. It didn’t like them. OMV could see the drives but wouldn’t let me do anything other than formatting them.

I’m sorry, I’m not interested in losing all my data. So I just set up the Raspberry Pi to run Samba again. It works fine.

I might try to rerun OMV someday when I have free time and free hardware to set it up, but I have a long list of things to do before then.

Rebuilding my Chromebook’s Linux Environment

My regular travel laptop is a 15-inch Lenovo running Gnu/Linux. A couple of years ago, I decided to get something a little smaller, lighter, and cheaper. I didn’t want to take the 15-inch laptop if I didn’t need to. I use it mostly for conference presenting and running VMs. Replacing it would be a pain.

I ended up getting an Acer Chromebook 11, the C740 model, for vacation and easier travel. I liked that model because you could replace the original storage with something larger by swapping out the SSD. I also liked it because I could install Debian to it with Crouton.

I set the device up with Debian Buster and the xfce4 desktop. Other than not using the device enough to remember all the commands to launch the chroot Linux environment, it worked well. To help remember how to launch Linux, I have the following saved to a text file on the device.

Since it had been a bit since I used the Chromebook, I thought I would upgrade it. Heck, it was going to get an update from Google anyway. The upgrade started ok but went off the rails.


Intelligence – Garbage In, Gospel Out

I don’t remember which podcast or who said it, but “Garbage In Gospel Out” is so true. Especially when talking about Cyber Threat Intelligence. I talked a little about this before, both in conference talks and in Validate Data Before Sharing.

But here it is, three years later, and the problem remains. I’m willing to say it is getting worse. We’re not running full life cycles, either Intelligence or Incident Response. We get to the collection phase and call it done. NixIntel has a good post on that at their blog.


Current Python Working Environment.

Over the last nine to ten months, I’ve changed how I’ve been using Python, again.

Working environment:

I work in either Debian or Xubuntu Linux, or Windows Subsystem for Linux (WSL) Debian. I prefer Debian on bare metal hardware. The VMs I use at work are usually Xubuntu (faster, easier setup). Work’s laptop has Windows 10 Enterprise on it, which is where WSL comes in.
