BSWJ: Threat Connect

8 minutes
Video Transcription
Hello, welcome back to Breaking Stuff with Joe here on Cybrary On Demand. I, as always, am your host. And today this video is going to be about an amazing tool called ThreatConnect. If you've heard of ThreatConnect, you've probably heard of their paid offering, their enterprise tool for threat intelligence and information. That's a great tool; it's fantastic. But that's not actually what we're talking about today.

Today we're gonna be working with the Community Edition, ThreatConnect Open. This is very, very similar to their enterprise tool. It has a lot of the same functionality, but the key difference is that it's focused around the community and is used for these large-scale collaborative efforts, where you're able to get access to threat intelligence from other members of the community around the world and provide your own. We're gonna walk around the dashboard for it, the different features of it, and how you can use that in order to actually engage in your own threat intelligence and your own cybersecurity work. So stay tuned, and let's learn about ThreatConnect Open.
So when you first load into your ThreatConnect dashboard, when you first load up the ThreatConnect website, you're going to see this dashboard, and it's your default, My Dashboard. It's a very simple, straightforward, easy-to-view kind of tool. We're gonna walk through this UI for a little bit.

So first, over here, you can see the intelligence lookup. So you've got different ways to search indicators of compromise, victims, victim assets, just all sorts of different pieces of threat intelligence that you could quickly search through with what resources you have. You have a recent history tab on the left side, obviously not terribly important to us at this exact second, because I only have the one piece of history; this is a fresh account. Here we have the top sources by observation. So this is a pretty interesting little detail of just, you know, what are the primary sources of threats, of attacks, of, you know, whatever malware incidents, whatever might be happening, what are the top sources that have been observed over the last 30 days?

Next to that, you have this latest intelligence panel, which has just-published intelligence. Some of them are actually pretty straightforward incident reports; some of them, as you can see here, a lot more of them are sort of properly built-out articles. The one that I showed here, this "playing cat and mouse," is the top one currently showing. You can see here it's got a technical analysis. It walks through the process that was done, has all sorts of details. And you can see here that it's a very, you know, well put together, polished sort of product that's easy to read and easy to work with. And one of the really cool things about ThreatConnect's Open community platform, as, you know, not to say anything bad about its paid product, because that's fantastic, one of the things that I really like about its open platform is that even without using a paid product, you're getting access to all of this information. All this sort of open, open source, you know, group community-built threat intelligence, and you really, really get the ability to communicate with all of these people and get the benefit of their work.
Back to your dashboard. We can see again, after those two tabs, we've got our top sources by false positives. So you can see, of course, they're gonna be, you know, things like technical blogs, and that's just gonna be pretty much always your number one false positive, just because that's going to have information about malware, and that often will get triggered, for those of you who have ever, you know, had your firewall, your antivirus, blocking a Kali download. This is essentially the same kind of thing. You've got top tags, so different, you know, what different areas of interest are being really talked about right now: phishing, malware. Now, a lot of these again are probably gonna stay pretty much the same on top, but when you see major paradigmatic shifts in the threat intelligence landscape, you'll see shifts there as well.

You've got your primary intelligence sources, so you can see where all of this open information is coming from. You can see your indicator breakdown, so this again is talking about the different types of threat indicators. So this is a really cool detail, because this is useful if you're new to threat intelligence, your *** of cybersecurity; you can see a lot of information about sort of the field at a broad overview. That's kind of what your initial dashboard is good for at first. When you first log in with a new account, it's not very tailored information, you know, it's not hyper-specific information. It's pretty much just what the landscape that you're looking at might be.

Now, if we look at a few other options, we're gonna speed through it just a little bit so that we don't run over time. If we look at, for example, the OSINT tab, one of my absolute favorite tabs and one that I tend to have open on a screen next to me. So you've got all sorts of, this is just all the open source intelligence that they have, not all of it, but a brief sort of view of the best information they have. So you can see they've got a voting system for people to say yes, this is great intelligence, or no, it's not particularly useful. They've got different adversaries and threats that you can track down here. And this is one of the things that I really like about this tab, and really about this dashboard in general, is using it as sort of my prep for when I'm going to, it might be a job interview, it might be a convention, it might be just somewhere I want to be able to talk intelligently about the threat landscape. This is a great, almost news resource, and that's one of the things, you know, again, you see over here, before we were looking at the different intelligence pieces; here it's just straightforward logs and reports being published. I like to use this as sort of a news aggregator in a lot of ways, because that's really what open source intelligence is: just the aggregation of information that's online.

Next tab over, you can see here we've got posts, so you can create your own posts. You have them organized by your organization, the communities you're a part of, and then all of the different intelligence sources. Again, as kind of a news aggregator, that's where this is really useful. You've got different playbooks you can browse, so if you have a particular interest in, say, registry key based indicators, you can quickly browse to that and see what they have available. And again, you could look, and like I said before, this is a great prep for job interviews, or for, you know, when you want to get a quick download of information, you can easily go here and see, oh hey, this number one threat rating is for this registry key. You could see it's possibly left behind by Vault 7 malware. You've got status information. You've got a threat assessment that looks kind of like a credit score, though hopefully not your credit score. All sorts of information that you can quickly and easily navigate and make use of.
And, of course, if you have something to give back to the community, part of being in a community is contributing to that community. So if you have something that you want to have registered, you can put it in here. It might be an indicator of compromise, it might be a new attack group, might be victims. Whatever it might be, you can create your own indicators in here. We'll say, for example, a host. You can see who owns it. You can put it as your own, though if you're a free account you don't get to own them, so you can send it to the community, which you can see pretty much always has tons of indicators. It will be added as the hostname. You can see that it will, uh, make periodic anonymous DNS queries, which is to say that it's going to try and identify: okay, you gave us a hostname, let's figure out what IPs are regularly resolving to that hostname, in case the IPs change, in case, you know, they're bouncing from server to server. This is a great way of kind of keeping track of that hostname and who's actually currently using it.

So there you have it. That's the ThreatConnect dashboard in a nutshell. That's enough of the navigation information for you to kind of walk through and get a sense of how to use it. I highly, highly, highly recommend you take some time on your own and just really look at this tool and dig into it. Get familiar with sort of the different components of it and spend some time figuring out how best to tune it to your interests and your needs.

As I said before, this is not the paid ThreatConnect product. Obviously, that's an enterprise product that people love, and it's very commonly used. I love it myself. I use it; I have used it in different organizations at different jobs. But as their open platform for the community, this is a great tool, and it's one that I highly recommend any new security practitioner use as much as they possibly can, to build sort of that bedrock of threat intelligence and threat modeling that you need in order to be able to really function in the modern cybersecurity environment. That's gonna be all there is for this video. Thank you all for watching. As always, I have been your host, Joe Perry, and you have been watching Breaking Stuff with Joe.
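The hostname indicator described near the end of the video is tracked by resolving it periodically and watching which IPs it points to over time, so that a move from one server to another is visible. The following is an added example of that bookkeeping, written for this page; it is not code from the video or from ThreatConnect, and it does not show how the platform implements the feature. It keeps a passive-DNS style record of first-seen and last-seen times for each hostname/IP pair, reports when a hostname moved, lists what currently resolves, and pivots from an IP back to every hostname seen on it. The hostnames, addresses (RFC 5737 TEST-NET ranges) and timestamps are constructed sample data; a real deployment would feed `observe()` from a scheduled resolver or a DNS log rather than from a list.

```python
"""Toy passive-DNS tracker: hostname -> IP resolutions observed over time.

Added example for this page, not ThreatConnect code. All observations
below are constructed sample data using reserved documentation ranges.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Resolution:
    first_seen: datetime
    last_seen: datetime
    count: int = 1


class PassiveDnsTracker:
    def __init__(self):
        self._records = {}              # (hostname, ip) -> Resolution
        self._by_ip = defaultdict(set)  # ip -> {hostname, ...} for pivoting

    @staticmethod
    def _norm(hostname):
        # DNS names are case-insensitive; drop a trailing root dot too.
        return hostname.lower().rstrip(".")

    def observe(self, when, hostname, ip):
        """Record one resolution of hostname to ip seen at time `when`."""
        hostname = self._norm(hostname)
        rec = self._records.get((hostname, ip))
        if rec is None:
            self._records[(hostname, ip)] = Resolution(when, when)
        else:
            rec.first_seen = min(rec.first_seen, when)
            rec.last_seen = max(rec.last_seen, when)
            rec.count += 1
        self._by_ip[ip].add(hostname)

    def history(self, hostname):
        """Every IP the hostname has resolved to, oldest first:
        list of (ip, first_seen, last_seen, count)."""
        hostname = self._norm(hostname)
        rows = [(ip, rec) for (h, ip), rec in self._records.items() if h == hostname]
        rows.sort(key=lambda r: r[1].first_seen)
        return [(ip, r.first_seen, r.last_seen, r.count) for ip, r in rows]

    def current(self, hostname, now, max_age=timedelta(days=1)):
        """IPs still resolving recently: last seen within max_age of `now`."""
        return sorted(ip for ip, _first, last, _n in self.history(hostname)
                      if now - last <= max_age)

    def moved(self, hostname):
        """Infrastructure changes as (old_ip, new_ip, when_new_ip_first_seen)."""
        hist = self.history(hostname)
        return [(hist[i - 1][0], hist[i][0], hist[i][1]) for i in range(1, len(hist))]

    def hostnames_on(self, ip):
        """Pivot: every hostname ever observed resolving to this IP."""
        return sorted(self._by_ip.get(ip, ()))


# Constructed observations: one daily resolution for a watched hostname that
# sits on one server for three days and then moves to another, plus a second
# hostname that later shares the new server.
BASE = datetime(2024, 1, 1, 12, 0)
OBSERVATIONS = (
    [(BASE + timedelta(days=d), "bad-example.test", "198.51.100.7") for d in range(0, 3)]
    + [(BASE + timedelta(days=d), "bad-example.test", "203.0.113.21") for d in range(3, 6)]
    + [(BASE + timedelta(days=4), "other-example.test", "203.0.113.21")]
)


def build_tracker():
    tracker = PassiveDnsTracker()
    for when, host, ip in OBSERVATIONS:
        tracker.observe(when, host, ip)
    return tracker


if __name__ == "__main__":
    t = build_tracker()
    for ip, first, last, n in t.history("bad-example.test"):
        print(f"bad-example.test -> {ip}: {first:%Y-%m-%d} .. {last:%Y-%m-%d} ({n} sightings)")
    for old, new, when in t.moved("bad-example.test"):
        print(f"moved {old} -> {new} on {when:%Y-%m-%d}")
    print("currently resolving:", t.current("bad-example.test", OBSERVATIONS[-2][0]))
    print("also on 203.0.113.21:", t.hostnames_on("203.0.113.21"))
```

The `moved()` output is the part that answers the "bouncing from server to server" question in the video, and `hostnames_on()` is the pivot an analyst would use to find other indicators sharing the same infrastructure before deciding whether an address is worth blocking.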