What is Cyber Threat Intelligence?

Posted on By Adam McHugh No Comments on What is Cyber Threat Intelligence?

Intelligence is the enrichment of data or information, its classification and publication by experts within a field. The resultant output is ordinarily a qualitative assessment backed by quantitative metrics, or absolutes which formed part of the data or information it was derived from.

In terms of Cyber Threat Intelligence, this goes beyond the extraction of IOCs, strings, and the generation of cryptographic hashes, and fuzzy hashing – this is the correlation of events, actors, methods, and motives to generate Threat Intelligence which aims to describe the objectives, motives, capability and perhaps the identity of a threat actor.

Read More “What is Cyber Threat Intelligence?” »

Blog

Building a MISP Threat Feed Aggregator

Posted on By Adam McHugh 1 Comment on Building a MISP Threat Feed Aggregator

Over the last few months I have been working away on several work tasks which have had me hunting for threats within an immensely complex environment. Part of this hunt has involved the analysis and selection of threat feeds for incorporation into other tools to hunt known bad indicators. In this post I will be talking through the deployment of MISP to enable aggregation of threat indicators, and the generation of exports which may be ingested into other platforms.

Read More “Building a MISP Threat Feed Aggregator” »

Blog

TraceLabs Missing Persons 11th of April 2020

Posted on By Adam McHugh No Comments on TraceLabs Missing Persons 11th of April 2020

I have posted before on participating in other TraceLabs events (such as the Australian Federal Police Missing Persons Hackathon), so here goes a brief recounting of my experiences with a US missing persons event.

Read More “TraceLabs Missing Persons 11th of April 2020” »

Open-Source Intelligence

OSINT for Missing Persons (Part 1 – Intro)

Posted on By Adam McHugh 2 Comments on OSINT for Missing Persons (Part 1 – Intro)

Sometime ago I participated in an event run by TraceLabs in conjunction with the Australian Federal Police to locate pieces of information for missing persons across Australia. The twist on this event being it was gamified to allow competing teams to try and beat each other to amass the most amount of points according to a points award system.

I will now be competing in the Missing Persons CTF on the 11th of April 2020, and in the lead up to this now virtual CTF – I will be building some more capable infrastructure and tooling to support this challenge.

So for those new starters, what do you need as a bare minimum to start digging and submitting indicators?

Read More “OSINT for Missing Persons (Part 1 – Intro)” »

Open-Source Intelligence

Deploying (and using) TheHive4 [Part 1]

Posted on By Adam McHugh 1 Comment on Deploying (and using) TheHive4 [Part 1]

I have been an off and on user of TheHive for nearly a year now, and it is encouraging to see the development and release of TheHive4 (even if in pre-release). In this post I will walk through the deployment, configuration and migration of TheHive to TheHive4, and what improvements have been implemented into this release.

Read More “Deploying (and using) TheHive4 [Part 1]” »

Build

Threat hunting with Elasticsearch and Kibana (Part 1)

Posted on By Adam McHugh No Comments on Threat hunting with Elasticsearch and Kibana (Part 1)

As part of my final Masters degree research component I have been collecting data from honeypots which I have seeded around the globe. The objective being to distil this data in to organisational threat data based on a fictitious business.

Part of the complication I am going to start facing, is how to how Elasticsearch and Kibana to find specific information for me from this live data set.

Previously I have indicated that a data set exists which was produced by the Canadian Institute for Cybersecurity, called IDS 2018, which contains Windows Event Logs and PCAP files relating to a set of simulated attacks generated for the purposes of teaching people how to hunt within similar datasets.

Here I will be discussing the deployment, configuration and interaction with this data set to achieve the outcome required.

Read More “Threat hunting with Elasticsearch and Kibana (Part 1)” »

Digital Forensics & Incident Response, Security Operations, Threat Intelligence

OSINT for Threat Intelligence

Posted on By Adam McHugh No Comments on OSINT for Threat Intelligence

It seems to be a significant buzzword nowadays, but Threat Intelligence is available in an abundance from a wide range of curators and commercial suppliers.

So what does it take to correlate observables such as precursors to determine if they are an indicator of compromise, and by whom have they been generated?

Read More “OSINT for Threat Intelligence” »

Blog, Open-Source Intelligence

Loading Windows Event Logs to Elasticsearch

Posted on By Adam McHugh No Comments on Loading Windows Event Logs to Elasticsearch

So whilst playing through an element of Kringlecon 2019 I came across a task which didn’t really suit my Christmas challenge of going to Linux full-time. One such challenge involved a Windows Event Log file with no ready access to a Linux derivitive of Event Viewer. My Kali laptop for my Christmas challenge was already…

Read More “Loading Windows Event Logs to Elasticsearch” »

Digital Forensics & Incident Response, Operate
%d bloggers like this: