Tag Archives: Threat Intelligence

Validate data, before sharing.

I’m going to have to add a couple more slides to my Threat Intelligence: From Zero to Basics deck. But I told GrrCON that I would have an updated deck from Circle City Con anyway.

Over the last two weeks I’ve seen some stuff shared publicly in Threat Intelligence Platforms, that really shouldn’t have been. The data wasn’t valid, at the time of sharing.

Continue reading

Read “Effective Threat Intelligence: Building and running an intel team for your organization”.

Recently I read the kindle version of “Effective Threat Intelligence: Building and running an intel team for your organization” by James Dietle. I found out after the fact there was a paper back version of it, and even gave one copy away as a Christmas present.

Anyway, this is the book I wish I had in January of 2016, when  I moved from Incident Response / Event Analysis to Threat Intelligence. It’s a good primer on the subject. While it’s not completely new material, it’s the basics in one place. When I started doing TI, I had to learn from the ground up, and things were scattered. Some was easy, other parts were more advanced, and nothing made a good how to. Especially when I wanted to start showing value from the word go.

I think that if I had, had this book and read it when I was starting it would have been very beneficial. While it’s not as in depth as SANS For578,  I do think that it would make a good primer for anyone in IR going to SANS for Cyber Threat Intelligence.

 

 

You can’t buy threat intelligence, or yet another “article” on Data vs Information Vs Intelligence.

The background:
This is a blog post I’ve been meaning to write for a few months now. It’s based in part off a twitter conversation that carried over in to a phone call. It is also something I’ve personally observed, a trap I fell in to, and heard other Threat Intelligence people say they observed. And while reading Cyint’s favorite tweets of 2016, I finally decided to sit down and write.

In the tweet list was a tweet was from Alex Pinto asking ‘how many more #ThreatIntel articles do we need about the difference between “data”, “information” and “intelligence”?’

So my answer is, as many as it takes to break out of our own echo-chamber / choir and figure out how to talk to our Cybersecurity peers and the stakeholders. So everyone is able to understand what is being bought. So here is yet another article talking about Intelligence vs Data Feeds being sold as Intelligence.

The Problem:
Companies are selling data feeds while calling it intelligence.

Continue reading

SANS Forensics 578

Work recently sent me to SANS Forensics 578, Cyber Threat Intelligence. This was my first SANS class ever, and it was pretty good. The instance of the class I was sent to was presented by Jake Williams and Rebekah Brown. I think having both of them teach the class was great, because it gave more from the trenches view than having just one of them as an instructor.

Continue reading