
So my name is Grax, and I've been doing a lot of research lately in threat intelligence. I wouldn't call it really heavy-duty threat intel stuff. It's more or less just going out there and finding what all the offerings are and really trying to determine: is it worth it? Is all the threat intel stuff that we're buying out there worth it? And then the second big question is, if the data's good, is it relevant to us? But one of the things that I really see is that probably a lot of data may not be that useful. And the data that is really useful to us is stuff that can only be generated
inside the organization. So the point of this talk is to give a little intro to what threat intel is, but then to also give you a framework that you could maybe implement some of in your organization, so that you could start generating threat intelligence that is relevant to you.
So, typical disclaimer: these views are my own and they don't express the views of my employers or whatever, blah, blah, blah. So just a little bit about me. I've been in the industry for about 20 years, and probably about 17 years now in information security. I've done a lot of things. The past few years I've been more within an operational environment, either working in SOCs or working with them. But I started out doing web security way back when. Got into security engineering because, at the time, that seemed like the best career path. So I ended up getting into FISMA, did a lot of proposals and stuff. After a number of years, I really figured out that I was sort of missing doing
some hands-on stuff. So the past few years I've been really trying to take a step back, really not worry about becoming a CEO of a company, but more or less focusing on my passion, which is just doing hands-on stuff and trying to solve problems. So I really just kind of stepped back into that sort of a role. So the past few years I've been doing trade studies where we've been getting new vendor products in, and they say we can do X, Y, Z, and I'm setting them up, doing bake-offs, seeing what works, what doesn't work. And like I said, the past few years I've been in a SOC environment and, on and off, doing some IT security training. So I just started a new
job where, at least for the next year, we'll be developing and doing training on probably about 20 different security tools. So this is a website that I run, Nova, eposf.com. I just like to plug it.
I'm looking at doing some consulting on the side. So if you see something in here that you like, and you think I could be of service, please let me know. So the agenda of what we're gonna talk about: just a little bit of background on threat intel, how I came to this, looking at what threat intelligence is, looking at a data management platform,
and once you have all this data in this system, how can you analyze it so that you can find the threats that are relevant to you? And lastly, some future stuff. Right, so, background. Overall, I really found that a lot of big organizations, and even middle and small organizations, have a tendency to overcomplicate. I've had the philosophy of, you know, keep it simple, stupid. So they want to do threat intel, so they go out and say, oh, you've got to buy this big threat intel system that is a billion dollars, we'll set this up, and there's recurring fees with it, and you pay this fee for the feed that's coming in. Like, are you really getting use out of that?
But you have a tendency to really take a simple need and turn it into this big thing that's complicated. Maybe we try to build a system that does that instead, and it just turns into a mess, because you define what the requirements are for the system that you want, but then, because of all the bureaucracy, it takes five years to get the system built, right? Well, the requirements have changed dramatically, so the system's useless to whoever uses it. It's just taking a more agile philosophy, using tools that you already have to start out, and understanding what your requirements are. But it's really important to start out simple, take small steps first. So a good example
is this, like, workload system, a hiring workflow system. So like, on most government contracts, you can get onboarded onto the program.
So they were like, oh, we need to build a workflow for this. And we were going, yeah, sure, we'll build a workflow for it. So they went in, they built this huge thing, built some intermediate systems, and everyone was like, yeah, this kind of meets our needs, but it doesn't do this, it doesn't do that. It kind of really restricts how they can use it. And so they built this huge system, and no one ever used it. And it ended up like they still didn't have a usable workflow system after they built all this, after they spent all this time and energy on it. And so that's kind of the philosophy here: hey, let's just jumpstart, use something that we have
now. We have this spare old box sitting in the corner, so let's spin that up, put open source software on it, start collecting, and build our stuff that way. And the other thing is, you know, build, or at least try to, before you buy at a huge enterprise scale. You're eventually, obviously, going to have to buy something that can scale up to that. But there's a lot you can do, at least initially, just in-house.
And one of the cool things about this is it helps you understand your requirements more. So by building it inside, that may not end up being your ultimate solution. However, it does at least help you understand what your needs are. And once you understand what your true needs are, you can go out and select a vendor partner that can help you meet those needs. But everybody just skips that. Like, hey, threat intel is a big thing now. Or, hey, we've got to buy this box for a bazillion dollars, we've got to buy this feed, it's going to be incorporated, and analysts are going to get alerts. Meanwhile, everybody has admin access on all the boxes. They're not doing the
basics first. And really the whole point here is to try a quick and dirty solution in-house first. Now it may only get you 60% of the way there, but who cares? It's 60% more than anything you have right now. So use the tools that you already have and that you're familiar with. I mean, that was sort of the failure of the onboarding system. Instead of using the tools that they already had, there's this whole new system, right? And no one was really familiar with it. So they built a system that wasn't usable and no one knew how to use it. But really, if you just have kind of a basic technology that can store the stuff that you need, then secondly, the
processes to how to use that, train people to use it and continually evolve it to meet
So instead of having this very rigid structure, try to have something loose and flexible. But I mean, the most important part is having the smart people that are building and maintaining those systems and creating the processes, and the people that are following the process giving feedback, like having the feedback loop so you can continually improve it. In the end, maybe that will solve your needs. Or else, at least at this point, like I said earlier, you understand what your true requirements are, and that really helps you whenever you step outside to select a commercial partner. At least you're in a much better position, because you understand your network, you understand the process, you understand where all your artifacts are that
you collect and pull together. People think, like, oh, when you do threat intel, they're like, yeah, just buy this box and set it here. Man, we've got threat intel. We're good to go, right? That's not how it works.
So just a little bit of background. At least where this all started for me was back in the day, when I was doing security dashboards. So I started out just doing a basic dashboard. I just took the risk equation. You know, risk is threat times vulnerability times impact, right? So basically, I was able to go out using some of the tools that we have, see what our patch level is, read some of the vendor threat reports that are being put out, and based on that, you could calculate this sort of risk that they could use. So I did that, and I found a lot of interesting resources, which kind of forms the foundation of how this
is relevant to the threat intel stuff. But after I left that job, I really liked having the interface of just knowing what's going on. So I went with Google Reader, and I kind of took those same feeds that I found useful and put them into Google Reader. And that was really cool because you could group them. And then you could actually take that group and display it on iGoogle, if you remember that. So I could have, like, one box of, yeah, this is my threat box that I could just look at, right? This is my vulnerability box. Just basically keep up to date with what's going on. Unfortunately, all that went away because Google sucks, right? And
so I ended up looking for some alternatives. There's Feedly; I never went to that, but it was more like, I don't know, just more of an RSS reader, and at the time it didn't really have a dashboard view. Then I finally ended up using a system, which is what I'm using today, called NetVibes. So basically you create tabs and you add feeds to it and blocks and stuff. So that's what I, I mean, that's basically what it looks like. I can go over to my cyber intel tab and see what's going on, right? So another contributing factor to this is really understanding the data structure. So through the dashboarding, I kind of picked up where some good feeds
are. But how could I store it? Because a lot of those things are open source feeds, and they're just coming really fast, right? And having that up on a dashboard, IPs flying by, really doesn't help me. So I was like, well, I need a platform. You know, something I can put those in. And so some of you may have seen it: I've been doing this kind of using-Evernote-as-your-threat-intel-repository thing. So I've been doing that, but a lot of that was based on the Getting Things Done methodology. There was an implementation of that using Evernote, and it was called The Secret Weapon. So essentially, and I used to do some database stuff back in the day, but
essentially what we were doing is, you know, treating Evernote or whatever your platform is like a big database: a notebook is essentially a table, and the note is kind of just a free-form record. And then you could nest the notebook so that it's kind of separate from your other Evernote stuff. And then they had this neat system where it was kind of a who, what, when, where. So they had kind of a special way of marking reserved words for tags. So, you know, "what" is essentially projects; "when" is how important it is: is it something, one, I'm gonna do today, or is it six, something that I'm gonna do way out in the future?
"Where" is where you would do it: oh, this is a task I've got to do at home, or you gotta go do it at work. And then also "who" it's related to. But what this got me thinking about, though, is this is a basic structure for,
like, if you just have any data management platform, this basically gives you a nice structure, a way to think of it, and gives you that repository that you can put information into. One of the big things, though, is search. So being able to go through and search and find stuff, that's another thing that you're gonna be looking for as well. Of course, Evernote has a cool search feature. You can search by notebook, by tag, by keyword. You can combine them in various ways, it has saved searches, so you can use that for, like I said as an example, I came up with a theory that, hey, I can build a case management system basically in Evernote. You can use saved searches to basically have quick access to
the stuff that you need. All right, so, silos of threat intel. So now just a little bit of detail on what threat intel is. Over the past few years, the threat intel market has been growing, so as I noted, I've been investigating this. You know, I consulted a lot of experts, seen some of it, talked to a lot of people that subscribe to all these feeds, to get their experiences too. And the basic takeaway here is that, from a math perspective, they're just doing some very cool stuff. It's just so cool. Hey, we have this IP, and then there's all these attributes associated with the IP, and mathematically we can use those
attributes to say this has a high likelihood or a low likelihood of being a true threat or whatever. Just really cool stuff. But, you know, the big thing: I was talking to, most people know DA, right? Anybody know him? Okay, one person. Maybe I shouldn't attribute this. Excuse the pun, right? Maybe, I mean, it wasn't. This is just something that I thought of, right? So he said that if you follow a good set of people on Twitter, you get more threat intel out of that than all these big services. But the question is, why? And the other thing too is there's a lot of open source threat intel that's out there, and then there's what's sold, and it costs a lot. But my
question, whenever I ask anybody about it, is: is threat intel helping you crush the bad guy? And it's like, it's nothing.
So, you know, the question is why? So, if anybody knows David Bianco, he came up with the pyramid of pain. And I think it really comes down to, you know, we have a misdefinition of what threat intel is. So we have some basic stuff, like hash values, some easy stuff, like IP addresses, domain names; those are kind of the easy stuff. And essentially that's what you're buying. Then network artifacts, the tools that are being used to generate payloads, to do obfuscation. And then the really hard stuff is TTPs. And so that's really understanding, kind of like what's the,
Did anybody see the movie The Silence of the Lambs way back in the day? What's the technique they use? Profiling, right? You remember that term? So they had this guy that goes in, and it's actually kind of like, there's some family connections, like I actually know the guy who wrote the book, but he actually came up with, yeah, I'm gonna sit down with this guy, or I'm gonna go to this scene, and I'm gonna look at how things are laid out, and how it was done, and I can profile. Like, well, the person that did this, you know, and he comes up with this whole narrative of the story. And essentially, that's what we're kinda doing. So we're looking at the scene of
the crime, you know, our owned boxes, and we're trying to figure out, based on doing all that analysis, like, what type of adversary is hitting us? What are their capabilities? What types of tools do they use? What does their infrastructure look like? Do they change infrastructure a lot, a little, right? I mean, and we don't see that. Like, whenever you buy threat intel, you don't see that. I mean, there's some vendors out there, right, and they do some good stuff, right? And then the question comes down to, they'll come up with this whole profile, right, but is it relevant to me, to your org? In most cases, probably not.
So what I like to do is kind of separate things out. So a lot of people are selling threat intel, but I mean, no you're not. You're not selling intel. You sell data, right? Maybe it's enriched some, right? It's not intelligence, which would really be focused just on the top tier, TTPs. So the question is, how do you get there, right? So this is how: Rob Lee put this article out a few years ago, Introduction to CyberArmorning. He has about, I think there are six or eight articles in that series. So if you go out and search for this name, you can definitely read the whole series. One of the references that he makes is, well, we need to define what intelligence is first. So
he comes from a military slash government background, and so there's some federal or military document that he references, and I forget what the name of it is, but it actually goes through, it's one of these thick books, and it describes what intelligence is and how it's created. It takes a long time to create. It isn't like, hey, this IP is hitting my honeypot, so I'm gonna add it to this threat intel feed list, right? Like, that's not intelligence, that's just an IP that seems to be attacking this box. You have to go through this whole long process. It could take weeks or months to take some of this basic stuff that we see here, that we may see on our network,
and do analysis on that, going through this really long, very labor-intensive process, to come out with intelligence, which really tells us what the TTPs are. And that's what intelligence is. But how is this relevant, right? So you can go through this whole process, and you can get something and be, oh, we have adversary XYZ and they're attacking these five customers, right? These five banks. And I'm like, I'm a, I don't wanna say Target, but we're Home Depot. I'm just a medium-sized company selling widgets, right? Buying this intel feed, you're telling me about the stuff that's hitting all these big banks. It isn't relevant to me. So the way I like to show this is we have our body of threat data,
intel, whatever you want to call it. So when you're a company and you go out and buy it, this is your organization's intelligence needs.
Maybe there's a little overlap there. So you're basically paying for this big blob, but you're just maybe a tiny bit that is relevant. What you really want is, hey, I'm going to buy this Intel, and all of it's relevant to my company, right?
But how can you do that, right? You have to take it in-house. You cannot outsource threat intel.
You can outsource it in terms of hiring consultants or whatever, or you can hire folks that basically work with you forever, right? But still, you gotta take it in-house, because you gotta understand your network, you gotta understand where the sensitive stuff is, where the main stuff is that you don't care as much about.
So the big question is how do we get started, right? So first, maybe you can go out and look for information that's already out there that you can bring in, right? So you can go through open source Intel. So there's lots of stuff out there that you may want to pull in. There's information sharing groups. Probably still a lot of that's not going to be relevant to you. But it may be interesting. Maybe it's something that you see internally, and you pivot off of something that you see internally, and you can go to maybe an open source resource or an information sharing forum. But it's still going to start internally, and you're going to pivot out to other resources to see what other people are
doing or if other people are recording this.
Log collection, really, logs are huge. So essentially having a Logger-type tool and then having a SIEM too. So there's a lot of data that you can mine in all the logs in your SIEM. And I'm not talking about, like, the alerts that pop up, right? Like, I'm really talking about taking a step back and taking a higher view of the data that's in your SIEM to really maybe see some long-term trends. I mean, the guys that are using the SIEM day to day are just really focused on, hey, there's an alert, we do a quick investigation, you know, it's a false positive or it's something you take further. But what you really want is maybe your senior analyst, or maybe a whole separate team, that is looking
at everything that's in the SIEM, stuff that's being tracked in your case tracking system, and really trying to look at the big picture, look at all the data that you have, your logs, your SIEM, your case tracking, and then seeing if you can see trends, and then maybe you too,
So I talked a lot about some things here, but the question is how are we going to do this? So, you need a data management platform.
So basically, I've gone through about five or six different types of data that you want to collect. And so basically, kind of like what we did with Evernote, where a notebook was a table, right? So kind of the same philosophy, where in a database system, or maybe you're using SharePoint, or Elasticsearch, or whatever your system is, maybe you're using Evernote, maybe you're using Word documents in a shared file directory, maybe you're using a wiki, whatever. Just being able to use what you have and parse it out into the components that you want. So you can define tables for each one of those different data types. And there's definitely gonna be a title for
it, essentially. And you're gonna have the date data, but I think most of it is really just going to be this free-form text field that you can put stuff in. Maybe you can go edit it, mark stuff up, like if you want to add comments or whatever. You can add additional tags. So, incorporating tagging, so come up, like I did with the Evernote stuff, you know, come up with some reserved tags that are important. So maybe you'll have a title column, a date column, a tag column, and you'll have this free-text form, right? Essentially that's what you have there. And it's just really flexible, being able to adjust that, and as things
change, you don't have to spend three months trying to add a new field to it. You can just loosely add it. But the big thing, especially when you're dealing with adversaries that are advanced, is flexibility and being able to react very quickly and not get held up with your bureaucracy. Or, I want to make this change in our ticketing system, but it's this huge thing and it takes, like I said, three months to incorporate this change. Well, guess what? By the time you made that change, the adversary has moved on to a new technique, and that change was just sort of
But essentially, the way I like to think of it is I want a big bucket, and I don't care what it
is, just dump it in there. Because as long as there's good search functionality and I have a basic tagging structure, that's everything that I'm really looking for so that I can do my analysis. So some solutions. Obviously, I talked about using Evernote. I recently transitioned off that because one of the disadvantages that I see is Evernote, once you reach a certain size, really starts to get slow, and it makes Evernote itself pretty unusable. But it was a cool experiment, and some of the data I'm still feeding in. It's just that there are some feeds that are just spitting out too much, so I had to turn those off and kind of clear it out. You could take any log management
solution like Elasticsearch essentially, or, excuse me, the ELK stack, right? I kind of played with that. Obviously Splunk. The thing that I think everybody loves about Splunk is essentially it's that big bucket that I can just dump stuff into. I may use it, I may not, I'm just gonna dump stuff into it, because I know I can search through it and find it. Great for doing analysis, and to a certain degree, I haven't played with it too much, but the ELK stack is kind of like that too. So I know a lot of people that are kind of, hey, do we go with Splunk, or do we go with this ELK stack thing? Because I can start doing the ELK stack, but as long as I have to maintain an
in-house team that's gonna continue to work on it, do you want that versus spending money on using a tool like Splunk? But it's up to you, whatever your organization wants to do. Obviously, you can use SIEMs to collect all this data. Good example with RURG, you can go out, expensive, right? You can get Logger and throw all this stuff in there. Then you get the SIEM part of it, where you do correlation. So that's definitely a solution there. Or you could go open source, right? So there's OSSIM by AlienVault, and there's a whole bunch of tools associated with that. You might want to check that out. But there's some other commercial things that you can do. So then the others are, I'm just doing an
open source wiki, right? Pretty basic. You can even maybe use a WordPress blog, you know, because essentially each entry could represent a piece of data. SharePoint, we love to hate SharePoint, right? But it's already there, usually. And it supports, basically, you know, I mean, there's all sorts of built-in workflows that you can just pick up and just start using SharePoint in a different way. Instead of just using it to do document management, you can use it to maybe start tracking cases, start dumping logs into it, whatever you want. And the other thing that I talked about was, hey, let's have a share drive, right? Each case we look at, or maybe we do a log
dump or whatever, we just throw everything into text files or Word documents, and we just throw them into the share drive. in a structured way, and we can search that. Because that's the big thing is having all the data in one place so that we can search through it efficiently.
So this goes into the, just doing a little bit of OSINT stuff.
So like what I did with the Evernote where I took all these RSS feeds and sites that published text files and blacklists and stuff. I kind of took those on a regular basis, they would all get fed into Evernote or whatever your source is. And so that kind of gave me, like if I saw something hit my network, I could maybe look at, hey, there's this IP in my intelligence data thing do I see that here? And if so, where did it come from? And you can pivot off that, because one of the things that I like to do is I'll put kind of news feeds in there too, so I can be like, hey, this IP was seen here, and then
I can look at maybe what the news was going on around that time, and maybe I can learn something about what was going on.
So this is just a quick slide that shows some basic feeds that you may want to subscribe to. So I like to break things down into vulnerability and threat. But just some good RSS feeds you might want to subscribe to. There's a bunch of these that are being pushed to Twitter, too. And some other RSS feeds. And like I said, I like to subscribe to kind of news newsy type sites too, just so that I can go back and I have a certain period, I can look at what was going on around that time. Did a vendor put out like a big report then and maybe that's related to this IP that I see. So the question is, is how do you
get all this data into your system? Right, so some of it's gonna be manual, but, and this is just talking about Evernote here, you can email into it. But you could essentially set that up with any data management platform that you have. You could use, at least what I have been doing is I use IFTTT (If This Then That) to suck in those RSS feeds and create notes for them. But you could do the same thing on any platform. Same thing with Twitter, you can push tweets into the system. Email integration. And then lastly, scripts. So you just write, like, Python scripts or Bash shell scripts to go out and check this site. If something's changed, you know, suck
that back down as a new source that I'm gonna save off and look at later. So this is just a little walkthrough of IFTTT. We basically have a recipe title, and here I'm just adding this SSH group. User name, Twitter ID, to tweet out interesting, threat-related things. So there's the user to watch, I give it the title, the body, and then I'm gonna put it into the notebook, and then I have special tags or whatever. Symbols, E4N, it's just the syntax that I chose to kind of have these represent tags. It's pretty simple, and you can just shove that in. You do something similar with scripts and stuff, put them in whatever system
you want to. And this is one script that Mir M, I was on the Nova Hackers list a while back, and I was like, hey, I wanna check this blacklist site every once in a while. And if something's changed, I wanna download it and write it into Evernote. But if nothing has changed, just leave it. So he wrote a basic script and then I spent some time trying to customize it to work exactly how I wanted. So you could write scripts to do things. So beyond OSINT, what other types of inputs would be going into your bucket here? So information sharing stuff,
depending on the industry that you're in, like maybe you're part of the financial ISAC or whatever, or maybe you're part of the DIV. So that's additional stuff that, instead of just having that stuff come in, just dump it into your data management platform. And some other ones too, so we talked about log collection. You're really getting some of those important logs, and I'm talking about things like proxy logs. You don't have to do all logs, just pick the important logs that are gonna help you get what you need. So put all that in there. And then the other input that you're gonna have is a SIEM, right? So you're gonna have some sort of a system where alerts
come up and you do analysis. And then being able to,
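The "check a blacklist site, and only save a new copy when it changed" script described above, as an added example (not the script from the Nova Hackers list and not the speaker's code): it hashes each download, files a new tagged record only when the hash differs from the last stored version, and records which lines were added or removed so the analyst sees the delta rather than re-reading the whole list. The URL and the three sample downloads are constructed, and `fetch()` is an offline stand-in for the HTTP request.

```python
"""Poll a blocklist source, keep only changed versions, and file each new
version as a tagged record for the data management platform.
Added example; URLs and sample contents are constructed."""
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for three successive downloads of the same list.
SAMPLE_FETCHES = {
    "https://blocklist.example.invalid/ips.txt": [
        "198.51.100.23\n203.0.113.7\n",              # first run: stored
        "198.51.100.23\n203.0.113.7\n",              # unchanged: must NOT create a record
        "198.51.100.23\n192.0.2.9\n",                # one added, one removed: stored
    ],
}


def fetch(url, attempt):
    """Offline stand-in; in real use this would be urllib.request.urlopen(url).read().decode()."""
    return SAMPLE_FETCHES[url][attempt]


class BlocklistWatcher:
    def __init__(self):
        self.last_hash = {}     # url -> sha256 of the last stored version
        self.last_lines = {}    # url -> set of lines in the last stored version
        self.records = []       # what gets shoved into the bucket (title, date, tags, body)

    def check(self, url, content, seen_at=None):
        """Return the new record if the list changed, else None."""
        seen_at = seen_at or datetime.now(timezone.utc)
        digest = hashlib.sha256(content.encode()).hexdigest()
        if self.last_hash.get(url) == digest:
            return None                              # nothing changed: leave it
        lines = {ln.strip() for ln in content.splitlines() if ln.strip()}
        prev = self.last_lines.get(url, set())
        record = {
            "table": "osint",
            "title": f"{url} changed {seen_at.date()}",
            "date": seen_at,
            "tags": ["src:blocklist", "type:ip", "auto"],
            "body": content,                        # full copy, searchable later
            "added": sorted(lines - prev),
            "removed": sorted(prev - lines),
            "sha256": digest,
        }
        self.last_hash[url] = digest
        self.last_lines[url] = lines
        self.records.append(record)
        return record


def run_sample(url="https://blocklist.example.invalid/ips.txt"):
    """Simulate three polling runs; returns the records that were filed."""
    w = BlocklistWatcher()
    for attempt in range(3):
        w.check(url, fetch(url, attempt), datetime(2015, 3, 1 + attempt, tzinfo=timezone.utc))
    return w.records


if __name__ == "__main__":
    for r in run_sample():
        print(r["title"], "added:", r["added"], "removed:", r["removed"])
```

Swapping `fetch()` for a real HTTP request and `self.records.append` for an email-in or API call to whatever platform you chose (Evernote, a wiki, Splunk, ELK) is the whole difference between this and a production poller; the hash comparison is what keeps the bucket from filling up with identical copies of a list that changes once a week.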
And then you come to the analysis portion where you want to do case tracking.
Basically looking through all the data you have, with stuff from your SIEM that comes in, basically going through and trying to have a basic case tracking system built into this. Essentially, you're just gonna have a table that's gonna be a case tracking table, and you're gonna have tags for the state. Is it open? Is it working? Is it closed? And then, for each case, you just have this free-text field, and really write out what your analysis is and what you've found. Because all that's searchable, so it makes it easier to go back.
So if the same attacker keeps on hitting you, you can see that repetition. So some other things that may come out of your analysis are an indicator database, maybe an adversary database. These could all represent tables. And as you, you know, take all these inputs, doing some analysis, you know, and really trying to filter out these data to
different tables in this case, and having a tagging structure so that you can cross-reference them. So how do you find everything that you threw in? Obviously, you can do whatever structure you have, but the big thing is search. Whatever your data platform solution is, if it doesn't have free-text searching, it's kind of useless, right? That's the best way to find stuff. But you can also search on tags. The more Boolean support that it has, the better.
So a good example is maybe you go in and this IP's hitting you, so you could go in and search, hey, has this IP, have we seen this in other cases, have we seen this in internet, in from open source, in Intel, other partners, shared this with us. So maybe you'll find a piece of an entry that says, hey, this IP was recorded three months ago. So then you can run a secondary search around that time frame and see what else was going on during that time. And just really getting an understanding of any similar happenings that were going on.
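The "big bucket" platform described earlier (tables of title, date, tags and a free-text body) together with the pivot just described (search an IP across everything, then run a secondary search around the time of the earliest hit), as one added example. This is not the speaker's Evernote setup or any product's code; the tables, tag names (`src:`, `type:`, `state:`, `case:`) and the four records are constructed to show the pattern.

```python
"""Minimal tagged free-text store with tag/text search and a time-window pivot.
Added example; all records, tag names and IPs below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Record:
    table: str            # e.g. "osint", "cases", "indicators", "adversaries"
    title: str
    when: datetime        # the date column
    body: str             # free-form text: analyst notes, a feed item, a log dump
    tags: set = field(default_factory=set)


class Bucket:
    """Everything goes in; the structure comes from the table name, tags and search."""

    def __init__(self):
        self.records = []

    def add(self, table, title, when, body, tags=()):
        rec = Record(table, title, when, body, set(tags))
        self.records.append(rec)
        return rec

    def search(self, text=None, all_tags=(), any_tags=(), table=None):
        """Case-insensitive substring match AND all required tags AND at least one optional tag."""
        out = []
        for r in self.records:
            if table and r.table != table:
                continue
            if not set(all_tags) <= r.tags:
                continue
            if any_tags and not (set(any_tags) & r.tags):
                continue
            if text and text.lower() not in (r.title + " " + r.body).lower():
                continue
            out.append(r)
        return out

    def around(self, when, days=7, table=None):
        """Secondary search: what else was filed within +/- days of a hit."""
        lo, hi = when - timedelta(days=days), when + timedelta(days=days)
        return [r for r in self.records
                if lo <= r.when <= hi and (table is None or r.table == table)]


def build_sample_bucket():
    """Constructed data: two OSINT items, two cases."""
    b = Bucket()
    b.add("osint", "blocklist drop 2015-03-02", datetime(2015, 3, 2),
          "198.51.100.23 listed as scanning host", ["src:blocklist", "type:ip"])
    b.add("osint", "vendor report: widget-sector phishing", datetime(2015, 3, 4),
          "campaign using lure docs, C2 at 198.51.100.23", ["src:news", "type:report"])
    b.add("cases", "CASE-0001 phishing to finance", datetime(2015, 6, 1),
          "user opened lure doc, beacon to 198.51.100.23 on 443", ["state:closed", "case:0001"])
    b.add("cases", "CASE-0002 scan noise", datetime(2015, 6, 3),
          "external scans from 203.0.113.7, blocked at edge", ["state:open", "case:0002"])
    return b


def pivot_on_ip(bucket, ip, window_days=7):
    """Step 1: have we seen this IP anywhere? Step 2: what was going on around the earliest hit?"""
    hits = bucket.search(text=ip)
    if not hits:
        return {"hits": [], "context": []}
    earliest = min(hits, key=lambda r: r.when)
    context = [r for r in bucket.around(earliest.when, window_days) if r is not earliest]
    return {"hits": [r.title for r in hits], "context": [r.title for r in context]}


if __name__ == "__main__":
    b = build_sample_bucket()
    print(pivot_on_ip(b, "198.51.100.23"))
    print([r.title for r in b.search(all_tags=["state:open"], table="cases")])
```

The point is that the same two primitives, substring search over the body and set operations over tags, serve the OSINT feed, the case table and the indicator table alike; a real platform's query language (Splunk, Elasticsearch, a wiki's search) replaces `search()` without changing how the analyst pivots.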
So the analytics part, which kind of gets into what we were talking about the last part there. So over time, so I took basically what I learned in doing this Evernote project. It basically came up with a basic framework of,
so on the left hand side, these are essentially our tables.
And then you have different sets of tags for the data type, maybe like workflow state, maybe a source, or a priority or confidence. So this is flexible. This is just a structure that I put together to start out with. But in some cases, maybe yours isn't set up the same way, or maybe it is. If it is, hey, I can just start using that pattern there. It's pretty simple. But basically it's having all this data available to you in whatever platform you choose. And then these are the analysis side of it. So your case tracking, your indicator database, and your adversary database. And one of the things is, these ones here, you kind of use those, because potentially you can use those during cross-reference. So you could be,
so say I'm doing this case here, and I find a piece of data in this database here that it's associated with. Well, I can use that, just tag it.
So basically I can do one search: hey, show me everything dealing with this case, all the pieces of this. One search brings it all together. Same thing with the indicator database. And then where it starts to get interesting is maybe with an adversary. So you say, hey, show me all the cases associated with this adversary. Show me the indicators that this adversary uses. And then you go back to that pyramid of pain thing. You start putting together the data and understanding the adversary attacking your infrastructure.
Alright, so you get into the cyber kill chain and some of the other models, but essentially what you can do is associate things, and at least in the group that I was in, we used indicators as the piece of data that drove stuff. So whenever we would have an indicator, we would come out and say, all right, this indicator is associated with the delivery phase or the installation phase. And then you do that time and time again. And for each case, you would actually do your analysis and say, hey, these are the indicators associated with it and these are the phases. And so what that would allow you to do is essentially take a step back, look across
all your cases, and be able to see attacks that are similar. And then based on that, you can develop your TTPs.
I'm kind of bought into that theory. There's another one called the diamond model. It's essentially the same thing, but it basically gives you a static structure. So for every attack, like this is one attack here essentially, you're documenting things about that attack in a standard way. So now what you can do is put out all your diamonds and look across everything and see the commonalities and say, oh, well look, these three attacks look the same, this one just looks like a one-off. And then you can go back and say, all right, well these three guys look the same, but we're missing these pieces of data associated with that. So maybe you would go and research that
and see if you could fill those gaps and understand what those TTPs are. So those are just two models that you can use for doing that.
So, this is something that I was trying to come up with a picture to show, but essentially you have your data platform here. And you basically need to get it all in there. So you have your OSINT. These are all your inputs here: your information sharing, your log collection, your SIEM, right? Then there's data that your analysts are generating, like your case tracking. From that, you're getting some derivative indicators, and those are being recorded. And then maybe you have another database or another table as well; another way that you could break it out would be campaigns. So you can do that too. And then by matching indicators together using one of the models that I talked about on the
previous slide, you can basically learn about the adversary, what their TTPs are. So you go through this whole process and what you get out is relevant threat intel.
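The tagged tables, Boolean tag search, indicator-to-phase tagging and case cross-referencing described above, as an added example that is not code from the talk or its speaker. Every record, tag name and identifier below is constructed for illustration.

```python
"""Added example, not code from the talk: an in-memory version of the tagged tables
the speaker describes (cases, indicators, adversaries). All records are constructed."""
from collections import defaultdict

PHASES = ("recon", "weaponization", "delivery", "exploitation",  # kill-chain
          "installation", "c2", "actions")                      # phase tags
# Flat store; tags carry state, source, confidence and cross-refs (case:, adversary:, phase:)
RECORDS = [
    {"table": "case", "id": "C-1", "text": "phishing email with macro doc",
     "tags": {"state:open", "src:soc", "adversary:A1"}},
    {"table": "case", "id": "C-2", "text": "second phishing wave, same lure",
     "tags": {"state:open", "src:soc", "adversary:A1"}},
    {"table": "case", "id": "C-3", "text": "vpn brute force from hosting range",
     "tags": {"state:closed", "src:soc"}},
    {"table": "indicator", "id": "I-1", "text": "192.0.2.10 sending mail relay",
     "tags": {"phase:delivery", "case:C-1", "case:C-2", "conf:high"}},
    {"table": "indicator", "id": "I-2", "text": "dropper.exe hash PLACEHOLDER",
     "tags": {"phase:installation", "case:C-1", "conf:medium"}},
    {"table": "indicator", "id": "I-3", "text": "198.51.100.7 vpn brute force",
     "tags": {"phase:exploitation", "case:C-3", "conf:low"}},
]

def search(records, text=None, tags=()):
    """Free-text substring match ANDed with tags (every given tag must be present)."""
    want = set(tags)
    return [r for r in records
            if (text is None or text.lower() in r["text"].lower())
            and want <= r["tags"]]

def tag_values(record, prefix):
    """Values of tags with the given prefix, e.g. 'case:C-1' -> 'C-1'."""
    return {t.split(":", 1)[1] for t in record["tags"] if t.startswith(prefix)}

def phase_coverage(records, adversary):
    """Kill-chain phases with indicators tied to this adversary's cases, plus the gaps."""
    cases = {r["id"] for r in search(records, tags={f"adversary:{adversary}"})}
    seen = set()
    for r in records:
        if r["table"] == "indicator" and tag_values(r, "case:") & cases:
            seen |= tag_values(r, "phase:")
    return {"covered": sorted(seen), "gaps": [p for p in PHASES if p not in seen]}

def related_cases(records):
    """Cases sharing at least one indicator: candidates for one campaign / one TTP."""
    links = defaultdict(set)
    for r in records:
        if r["table"] == "indicator":
            cs = tag_values(r, "case:")
            for c in cs:
                links[c] |= cs
    return {c: sorted(v - {c}) for c, v in links.items()}
```

`phase_coverage` is the gap list the diamond-model walk-through asks for (which phases you still have no indicator for), and `related_cases` is the "these three attacks look the same" grouping, driven purely by shared indicator tags.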
Basically, going to this slide, I haven't had time to update it, but what I really want to do is build a platform. So if anyone has any expertise with doing an ELK stack or whatever, I definitely want to take some of these philosophies together and build an open source ISO or distribution, so that if you've got nothing, you could essentially have what I'm talking about here and spin it up as a VM. And maybe the processes and procedures for how to use it, so that anyone could just spin this capability up, or at least use it as something that they could base their solution off of.
Yeah, you know, kind of getting back to one of the points, obviously something like this might not scale if you're in a huge enterprise, but it's a place to start and it helps you understand what your requirements are, what your true needs are. Maybe in the end, what you end up building yourself is good enough. Maybe it's not. So when you go out shopping for tools or threat feeds, you at least know the gaps that you have and can make more relevant choices, or you can spend your money more wisely buying the stuff that you truly need versus what the vendor tells you you need.
So I just want to thank BSides Delaware, as always, for having me.
Great conference. I think I've been to almost every one. I think I may have missed one, so I just want to thank you all for having me once again. You can reach me on Twitter at Grex. The website is novainfasec.com. If you want to contact me, there's just a form that you can fill in. But really, it's just grex at novainfasec.com if you want to email me. But with that, are there any questions?