BSides Iowa 2018 - Track 1
Speaker: James Beal

As a part of building up the new SOC at work, and because it seemed like a great idea at the time, I started researching readily available threat intelligence sources and threat hunting tactics. This led me to look at both open source/free options and the many vendors out there with TI offerings. These can be either a source of data or tools themselves that offer to tame the firehose of "information" coming out on a daily basis from all over the net. I also started looking into using this data as a way of doing some threat hunting in our environment, and into any uses from a personal research perspective. I plan to discuss what I have seen so far, what works, what REALLY does not, and attempt a discussion about where we should go in the future with these tools. At this point, after almost a year and a half, it feels like, beyond a few great examples, we are still in the initial stages of this research. The overall industry is "drug dealing in Indicators Of Compromise" instead of looking at the overall behaviors, tactics and techniques of the attacker community.