intelligence

Here’s a familiar scenario: A new threat is being whispered about. Maybe your office has someone with special access of some kind and they’re being a bit more secret squirrely than usual. The mailing lists you’re on are a buzz about a new piece of malware or vendor code name. You keep hearing about a paid only report that tells all. APT 46: EMPEROR PENGUIN is coming! When your boss asks about EMPEROR PENGUIN you have to say you don’t know much… but you’ve heard they’re very good, very advanced, well funded, with great opsec… obviously a serious threat aimed at hard targets (which your organization obviously is)....

A few weeks ago while teaching SANS FOR578 one of my students asked a great question by a student: What books or papers should a new cyber threat intelligence analyst read first? It’s a question I’d meant to answer before so instead of just sending back an email (I mean, I emailed back, HI MATT, but along with that) I figured I’d write up my list and have something to reference next time I get asked....

Kremlin from the River. Source: Wikipedia. Here it is. After weeks of wondering if and how the United States Government might respond the United States White House, State Dept, Treasury, and US-CERT have released information on and sanctions against the Russian government’s efforts to influence the United States elections. I offer all this without too much analysis given I’ve just seen it myself and expect it will take a long time to digest....

ASIDE: This post gets political. People may agree or disagree based on their own experience or personal belief. I accept that. I’m attempting to use evidence and analytical rigor to reach my conclusions while averting my own bias. If you think I missed the mark on those aspects (evidence or rigor) feel free to reach out to me. If you just disagree with my conclusions then I’d love to see a blog post exploring your own evidence and process....

One of the hardest things when starting a threat intelligence program is deciding where to start collection. This begins with an initial set of requirements and evolves from there. Everyone will give you a different opinion and insist on a different approach probably biased by their favorite collection sources. As for me I think the best approach is to start with the small things, the easy things, and build up from there....

Requirements. The first part of the intelligence cycle and the most neglected. According to the appendix of Joint Publication 2–0: Joint Intelligence intelligence requirement._ 1. Any subject, general or specific, upon which there is a need for the collection of information, or the production of intelligence. 2. A requirement for intelligence to fill a gap in the command’s knowledge or understanding of the operational environment or threat forces._ Intelligence requirements (or just requirements) are key questions (as @cyint_dude calls them) that stakeholders (the CERT, leadership, etc) want the intelligence team to answer....

One of my favorite things is talking to students and people new to the security field. It feels like yesterday I was wandering around the first Shmoocon as a student in awe of the people I met and the work they were doing. Now I’m 10 years into my career and have a whole different perspective (though still in awe with those folks). Starting a career in infosec isn’t easy and while there are better general introductions I wanted to add my perspective on getting started in Digital Forensics and Incident Response (DFIR)....

I can’t talk about important intelligence concepts for security without talking about the grand daddy, the original: the Intelligence Cycle. This should be great discussion fodder for anyone who has to talk to someone who claims they’re selling some form of Threat Intelligence product, given in most cases they seem to be using the phrase in place of the word smart. Intelligence vs smart couldn’t be farther from the truth....

I’m lucky enough to get to go to FIRST 2015 in Berlin. I’ll be speaking on Tuesday afternoon, but one of the best things about conferences like this is being able to attend other sessions. I’ve never been to FIRST before, and this year looks jam packed. Here are the talks I’m most excited about and you’ll be likely to find me in. Monday June 15: 11:00 — Building instantly exploitable protection for yourself and your partners against targeted cyber threats using MISP by Mr....

One of the most talked-about intelligence concepts in information security today is F3EAD. Standing for Find, Fix, Finish, Exploit, Analyze, and Disseminate, this is a methodology for combining operations (in this case we’re talking about kinetic ops) and the intelligence process. While the Intelligence Cycle & SANS IR cycle are both useful, they are ultimately academic. If the goal is Intelligence-Driven Incident Response, we need to combine intelligence with ops, and that’s where F3EAD shines....