My name is Dean Pompey Leo,
otherwise known as polymath.
I'd like to welcome you to the Advanced Cyber Threat Intelligence Course.
Some of you may recall that I produced an introduction to Cyber Threat Intelligence back in early 2017.
Now, if you haven't watched the introductory course, I urge you to stop watching this course and go watch the introductory course.
That's important because there are several concepts and principles that were described and detailed in that course that help build the information and knowledge you need in order to tackle the advanced course. We're going to delve in more detail into some of these topics
and look at some different tools and such, and it's better to have that background foundation already in place.
I hope you'll enjoy this Advanced Cyber Threat Intelligence course, or CTI.
We're going to cover quite a few different topics, and we'll look at some different online resources, tools, and websites
and give the practitioner a better understanding of how to integrate this capability within their organization or, if it's already there, how to improve upon
the existing infrastructure.
So the first model that we'll get into is the cyber threat intelligence maturity model.
You can see this has five levels, starting at zero, where you don't know what you're doing yet, moving up to level one, where you've got some experience and a little bit of information to work with.
Then, getting to level two, the capacity for cyber threat intelligence will be expected to expand.
And this is something that should be anticipated and managed by the analyst,
because as the organization begins to
reap the benefit of increased monitoring and improved incident response,
getting better threat feeds and so on,
inevitably there will be areas of the organization
that would require this kind of interaction that may not already be getting that benefit.
Once the program exists at level three,
then the organization has probably staffed all of the appropriate roles
and the responsibilities have been well defined, so that the analysts
understand their job functions very well.
Perhaps the reporting structure is already well established,
and other pieces of infrastructure have been integrated well enough with CTI so that you could move to the last step, which is when the program becomes stable.
When it's stable, that means everybody's doing their jobs and you're getting repeatable results
with actionable intelligence that the organization can then consume and take the appropriate actions. The next module deals with campaigns as they relate to open source threat intelligence.
So we'll spend some time describing what it means to do pivoting. In a general concept, it can be done in lots of different ways: pivoting off a domain name, pivoting off a piece of malware,
pivoting off a compromised system. These are all different
characteristics of the pivoting concept.
We'll also look a little bit at what your adversary's infrastructure might look like
and how you can learn appropriate details
in order to better defend against
various forms of attack.
We'll look a little bit at VirusTotal
and other aspects of malware as it relates to
open source intelligence.
There are a lot of great resources available, many of them free,
and these can certainly help the analyst
better understand how they're being affected by malware that's in the wild, so to speak.
We'll spend a little bit of time also
on the visualization of the data that's being gathered,
anything from using something simple, like a spreadsheet,
or more advanced tools, which we covered in the introductory course, such as Maltego.
So we will revisit Maltego and see some of its capabilities as relates to visualization.
We'll dive into the concept of campaigns.
How do you describe the campaign? What characteristics does it have?
The tactics, techniques and procedures of your adversary should be understood. We'll get into why that's important as well, even the naming of a campaign and proper documentation.
We'll see how that's important, because that information may need to be searchable at a later date, and you want to be able to
use descriptive terminology that is consistent within your organization.
large-scale effort, there will inevitably be some sort of metrics involved.
The metrics can provide great information to people higher up on the chain, the decision makers,
trying to give them an understanding of whether or not the effort is effective. If the money,
the funds, have been expended for the CTI program, are they
well spent? Are they getting some expected benefit from that?
And we'll talk a little bit about heat maps as another tool to
convey this information in an easily understood manner.
The next module deals with sharing the threat intelligence information
in the context of operations.
This deals also with where the information is stored.
Several different vendors
have their online product suites,
and the information may be stored with them or be stored with the customer. There could be a balance of those two capabilities as well.
So how do you manage those storage requirements?
Not only in terms of capacity, but in terms of access controls and
protecting confidentiality with encryption and so on.
Then we'll move on to tactical sharing,
which, in a nutshell, is describing who needs the information, what is their need to know, what is their right to know,
and understanding the balance between producers of intel and the consumers of intel.
We'll get into YARA a little bit
as well as some other technologies and methodologies a little bit later.
Within the sharing of information within your operations,
we can also think about who the organization is partnered with, who they are collaborating with,
is the government potentially involved,
or maybe you're already working for the government and you're trying to better understand
the protocols and methodologies that are expected to be in use.
We'll get a little bit into CybOX, STIX, and TAXII. I'll talk more about what those are later,
and that gives a better overall feel for
some of the sharing concepts.