A Cyber Threat Intelligence Self-Study Plan: Part 1
There are many ways to learn. While some people prefer to have a live instructor in a course, others are great at doing self-study. I teach SANS FOR578: Cyber Threat Intelligence, which is a great course if you want to learn about cyber threat intelligence (CTI), but I realize not everyone can afford it.
How to create and manage your CTI?
Does Your Incident Evidence Really Lead to Better Intelligence?
So I admit this post is not about security incident response in general (because I've written enough on that in the past), but about a link between incident response (IR) and threat intelligence (TI) in particular. We definitely talk about how TI helps us understand an ongoing incident.
About commercial CTI
A different cup of TI? The added value of commercial threat intelligence
Recommendations to conduct better analysis
Toolmarks and Intrusion Intelligence
Very often, DFIR and intel analysts alike don't appear to consider such things as toolmarks associated with TTPs, nor intrusion intelligence. However, considering such things can lead to greater edge sharpness with respect to attribution, as well as to the intrusion itself.
Curated reports and writeups
The DFIR Report
The threat actor logged in through RDP, attempted to run a Cobalt Strike Beacon, and then dumped memory using ProcDump and Mimikatz.
The Ryuk group went from an email to domain-wide ransomware in 29 hours and asked for over $6 million to unlock our systems. They used tools such as Cobalt Strike, AdFind, WMI, vsftpd, PowerShell, PowerView, and Rubeus to accomplish their objective.
STOMP 2 DIS: Brilliance in the (Visual) Basics
Throughout January 2020, FireEye has continued to observe multiple targeted phishing campaigns designed to download and deploy a backdoor we track as MINEBRIDGE. The campaigns primarily targeted financial services organizations in the United States, though targeting is likely more widespread than those we've initially observed in our FireEye product telemetry.
Nazar: A Lost Amulet - The Lost Reports
Acknowledgements: Special thanks to Silas Cutler for reversing guidance and to special friends (you know who you are) for visibility and insights. Accompanying talk presented on 04.22.2020 @ Virtual OPCDE #3 (Video). Update #1 (04.22.2020): Fixed some miscategorized hashes in the Appendix. Update #2 (04.23.2020): Reversing of EYService by @malwarelabpl available here.
Advanced Persistent Threats and IOCs
- Collection of APTs
- IOCs from Sophos Labs
- Malicious Network traffic
- Malpedia Library
- Threat Groups cards
Known artefacts left by the attacker
MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
MITRE ATT&CK® Map | TDM by SOC Prime
SOC Prime introduces the MITRE ATT&CK map to explore 50K+ items of detection content already mapped to the ATT&CK framework. Find your tailored content!
- This site summarizes the results of examining the logs recorded in Windows upon execution of 49 tools that are likely to be used by an attacker who has infiltrated a network.
Tools for CTI activities
Open-Source Intelligence Summit 2021 - Shared Resources | SANS Institute