USMC Veteran – 2651 Secure Comms/Intel SysAdmin
14+ years in Information Technology/Security
Specialties:
• Incident Response/Forensics
• Threat Intelligence
• Offensive Security
$dayjob = Senior Malware & Threat Intel Analyst
$sidejob = AdroitSec LLC – Principal/Consultant

Or…
"Details of the motivations, intent, and capabilities of internal and external threat actors. Threat intelligence includes specifics on the tactics, techniques, and procedures of these adversaries. Threat intelligence's primary purpose is to inform business decisions regarding the risks and implications associated with threats." - Forrester

[Diagram, H/T ThreatConnect: IOCs, feeds, etc. flow into Analysis, and Analysis feeds Prevention and Detection.]
Analysis activities shown on the diagram:
• Attack Vector
• Malware Analysis
• Incident Response
• Course of Action
• Asset Tracking
• Mitigating Controls
• Open Source Analysis
• Email Analysis
• Executive Briefs
• Analyst Data Correlation
• SIEM
• Attacker TTPs
• Protocol Analysis
• Shared Threat Intelligence

Threat Intel could be its own "Program"
Pieces a Threat Intel Program touches: Detection & Response, OSINT, Network, Firewall, IPS/IDS, Threat Research, External Intelligence Services, Web Gateway, SIEM, HIDS/HIPS, Anti-Virus, DLP, ISACs, Governance / Resistance, Endpoint
• Realize that TI is 80% internal, 20% external (relative to your business)
• May not be a "technical" application

"A shiny threat intel capability without a mature IR capability is like putting a big ole fancy spoiler on a stock 4 cyl Dodge Neon." - @mattnels

Ops
• Policy
• Risk Management
• Security program design
• Compliance Reporting
• Audit
Resist
• Security reviews
• Identity mgmt
• Security design/reqs
• Vuln Mgmt
Detect
• Security Operations
• Visibility
• SIEM/Logs
• Network
• Hosts
• Threat Intel
IR
• Analysis
• Verification
• Containment
• Remediation
• CSIRT Plan

Active defense cycle: Threat Intelligence Consumption, Threat & Environment Manipulation, Asset Classification and Security Monitoring, Incident Response
Source: RecordedFuture.com – Robert Lee

Logs focal points:
• Logs
• Network
• Endpoint
• Threat Intel

[Matrix slide: kill chain phases Recon, Weaponization, Delivery, Exploitation, C2, Exfiltration, each mapped to the focal points that give visibility into it: Logs, Network, Endpoint, Threat Intel.]

Threat Intel: Scope, Relevancy, Context, Breadth, Capabilities
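The diagram above runs IOCs and feeds through analysis into detection, and the matrix slide pairs kill chain phases with log, network and endpoint visibility. The following is an added example, not code from the deck or its author: a small correlator that loads a constructed indicator feed (type, value, kill chain phase, source, expiry), drops expired indicators so stale IOCs do not generate noise, matches the rest against constructed web-gateway proxy and DNS log lines, and summarises hits per phase and per source. Every domain, IP, CIDR, source name and log line is made up for illustration; the CSV and log formats are assumptions, not any vendor's schema.

```python
"""Correlate a threat-intel indicator feed with proxy and DNS log lines.

Added example. All indicators, sources, addresses and log lines are constructed
for illustration and do not come from any real feed or incident.
"""
import csv
import io
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed indicator feed (assumed columns): type, value, kill-chain phase, source, expiry.
IOC_FEED = """\
type,value,phase,source,expires
domain,update-cdn.example,delivery,external-feed,2030-01-01
ipv4,203.0.113.45,c2,internal-ir,2030-01-01
domain,old-dropper.example,delivery,external-feed,2015-01-01
cidr,198.51.100.0/24,exfiltration,isac,2030-01-01
"""

# Constructed log lines: "<timestamp> <log type> key=value ..." for a web gateway and a DNS resolver.
LOG_LINES = [
    "2024-03-01T10:00:01Z proxy src=10.0.5.12 dst=203.0.113.45 host=update-cdn.example method=GET status=200",
    "2024-03-01T10:00:02Z dns client=10.0.5.12 query=update-cdn.example type=A",
    "2024-03-01T10:01:30Z dns client=10.0.7.3 query=old-dropper.example type=A",
    "2024-03-01T10:02:00Z proxy src=10.0.9.8 dst=198.51.100.77 host=files.example method=POST status=200",
    "2024-03-01T10:03:00Z dns client=10.0.7.3 query=www.example.com type=A",
]


@dataclass(frozen=True)
class Indicator:
    kind: str       # domain | ipv4 | cidr
    value: str
    phase: str      # kill-chain phase the feed attributes to the indicator
    source: str     # who produced it (internal IR, ISAC, commercial feed, ...)
    expires: datetime


@dataclass(frozen=True)
class Match:
    line: str
    field: str          # which log field hit (host, query, dst)
    indicator: Indicator


def load_feed(text: str, now: datetime) -> list[Indicator]:
    """Parse the CSV feed and discard indicators past their expiry (relevancy filter)."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        expires = datetime.strptime(row["expires"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if expires <= now:
            continue
        out.append(Indicator(row["type"], row["value"].lower(), row["phase"], row["source"], expires))
    return out


_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict[str, str]:
    """Split '<ts> <kind> k=v k=v ...' into a dict; ts and kind carry no key in the line."""
    parts = line.split(maxsplit=2)
    fields = {"ts": parts[0], "kind": parts[1]}
    if len(parts) > 2:
        fields.update(_KV.findall(parts[2]))
    return fields


def correlate(indicators: list[Indicator], lines: list[str]) -> list[Match]:
    """Return one Match per (log field, indicator) hit across the given lines."""
    domains = {i.value: i for i in indicators if i.kind == "domain"}
    ips = {i.value: i for i in indicators if i.kind == "ipv4"}
    nets = [(ipaddress.ip_network(i.value), i) for i in indicators if i.kind == "cidr"]
    matches: list[Match] = []
    for line in lines:
        f = parse_line(line)
        # Domain indicators: exact match or any parent domain, so sub.bad.example hits bad.example.
        for field in ("host", "query"):
            labels = f.get(field, "").lower().rstrip(".").split(".")
            for n in range(len(labels) - 1):
                cand = ".".join(labels[n:])
                if cand in domains:
                    matches.append(Match(line, field, domains[cand]))
                    break
        # Address indicators: only the destination is checked; src is the internal client.
        dst = f.get("dst")
        if dst:
            try:
                addr = ipaddress.ip_address(dst)
            except ValueError:
                continue
            if dst in ips:
                matches.append(Match(line, "dst", ips[dst]))
            else:
                for net, ind in nets:
                    if addr in net:
                        matches.append(Match(line, "dst", ind))
                        break
    return matches


def summarize(matches: list[Match]) -> tuple[dict[str, int], dict[str, int]]:
    """Hit counts per kill-chain phase and per feed source: shows which intel actually fires."""
    by_phase = Counter(m.indicator.phase for m in matches)
    by_source = Counter(m.indicator.source for m in matches)
    return dict(by_phase), dict(by_source)


if __name__ == "__main__":
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)
    hits = correlate(load_feed(IOC_FEED, now), LOG_LINES)
    for m in hits:
        print(f"{m.indicator.phase:<13} {m.indicator.source:<14} {m.field}={m.indicator.value}  <- {m.line}")
    print(summarize(hits))
```

The expired dropper domain is never matched even though a client queried it; that is the relevancy and context point from the closing slide in code. The per-source counts are the cheap way to test the 80/20 claim in your own environment: if the hits come overwhelmingly from your own IR team's indicators, the external feeds are adding breadth, not detections.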