A Study on Threat Intelligence Platforms (TIPs)

ENISA has released the first comprehensive study on cyber Threat Intelligence Platforms (TIPs) focused on the needs of TIP users, developers, vendors and the security research community.

The study channels its efforts into identifying some of the key opportunities and limitations of existing platforms and solutions, since information exchange formats and tools remain central items on the agenda of the cybersecurity community in general, and particularly of incident responders.

The project came as an acknowledgment of the increasing demand for relevant and ‘context aware’ security data, as information security management is becoming a key component of any modern organisation.

For the purpose of this project, ENISA has engaged leading field experts and has performed a research of existing tools, practices and TIPs academic literature. The report concludes with a series of actionable findings and recommendations, so that current TIPs limitations are addressed and overcome.

Continue reading “A Study on Threat Intelligence Platforms (TIPs)” →

CrySyS Lab Analysis on NSA’s Territorial Dispute

CrySyS Lab has provided a great document on its analysis on NSA’s perspective on the APT landscape. The analysis is based on Shadow Brokers leak (“Lost in Translation” leak) and most specifically on the module called “Territorial Dispute“. The purpose of this module is to detect presence of competing state intelligence services. NSA wanted to secure its operations, avoid any conflict between “Five Eyes” group as well as get intelligence on the targets of the competing state intelligence services.

See below some interesting points related to the analysis done by CrySyS Lab:

Continue reading “CrySyS Lab Analysis on NSA’s Territorial Dispute” →

TIPs: An Exploratory Study of Software Vendors and Research Perspectives

I recently came across an interesting research paper from University of Innsbruck. The title of the parer is “Threat Intelligence Sharing Platforms: An Exploratory Study of Software Vendors and Research Perspectives“.

According to the abstract of the paper: “In the last couple of years, organizations have demonstrated an increased willingness to exchange information and knowledge regarding vulnerabilities, threats, incidents and mitigation strategies in order to collectively protect against today’s sophisticated cyber attacks. As a reaction to this trend, software vendors started to create offerings that facilitate this exchange and appear under the umbrella term “Threat Intelligence Sharing Platforms”. To which extent these platforms provide the needed means for exchange and information sharing remains unclear as they lack a common definition, innovation in this area is mostly driven by vendors and empirical research is rare. To close this gap, we examine the state-of-the-art software vendor landscape of these platforms, identify gaps and present arising research perspectives. Therefore, we conducted a systematic study of 22 threat intelligence sharing platforms and compared them. We derived 8 key findings and discuss how existing gaps should be addressed by future research.”

The authors conduct their research by exploring the capabilities of the following 22 Threat Intelligence Platforms:

Continue reading “TIPs: An Exploratory Study of Software Vendors and Research Perspectives” →

ENISA Threat Landscape 2016

The ENISA Threat Landscape 2016 is out! This is the annual report published by ENISA that provides useful insights on the cyber threats observed during the past year. Apart from the top cyber threats, the report provides information on threat actors and major attack vectors observed. Finally, the conclusion section provides a collection of issues that will challenge the cyber-security community in the coming months/year in various degrees of intensity.

Some highlights of the report are the following ones:

Cyber Threat Intelligence and ETL – “Cyber Threat Intelligence: State-of-play” and the “CTI Big Picture“
Threat Agents – “Trends” and “Top threat agents and motives“
Conclusions – “Main cyber-issues ahead” and “Conclusions“

Read below the executive summary of the report:

Continue reading “ENISA Threat Landscape 2016” →

My favorite DFIR presentations for 2016

2016 was a year full of interesting presentations and conferences! I took a moment to think about the presentations that helped me better understand the threat landscape, introduced me to new tools and processes, provided inspiration for my team and help me with my daily operations.

The selection of the presentations below is subjective but indicative of the trends regarding the DFIR community during 2016. Moreover, the below sequence is completely random.

I would appreciate any feedback and I would be more than happy to be sent your ones! Enjoy!

Continue reading “My favorite DFIR presentations for 2016” →

Threat Intel Annual Reads 2016

Some of you may or may not know my weekly newsletter called “Threat Intel Weekend Reads” that started being published in December 2014. What I tried to do today was to go back to all the newsletter editions of 2016 and select my favorite headline articles. During the upcoming days I will try to deep dive once again and provide more insights on DFIR, Threat Intel and Threat Hunting! Any feedback would be more than welcome! Enjoy!

Continue reading “Threat Intel Annual Reads 2016” →

Cyber Threat Intelligence: Q n As (aka #ctijam)

See below Q n A’s that are related to Cyber Threat Intelligence (see #ctijam in Twitter for more details). The replies come from some of the most knowledgeable CTI guys out there.

Continue reading “Cyber Threat Intelligence: Q n As (aka #ctijam)” →

Tilting at windmills

A blog about threat intelligence, incident response, threat hunting, red/purple/blue teaming.

Category: threatintel