Threat Intelligence Quick Win
Threat intelligence is not as simple as creating an IoC scanner, scanning the environment, and calling it done. It is not like that. For me, it is about adding context to the customer's environment and context to the alerts that analysts triage.
An IoC is the threat actor's footprint (you can read more about the Pyramid of Pain right here: ) and about why hashes are quite useless ()
So what is an IoC Sweeper? If you read current research about threat intelligence, you know a thing or two about IoCs - Indicators of Compromise. People research a threat, or get compromised themselves, and then publish these indicators for you to check/search in your IT/OT environment to find out whether you have also been compromised. -> "Alright, cool! That sounds amazing, how can I start to create my own IoC Sweeper?" Like most systems, there is always input -> processing -> output (this is just a simple version, which is why it is called a quick win)
Input: IoC feeds, threat feeds (which include IoCs), Twitter accounts that publish IoCs, and many more sources
Processing: a SIEM or any platform that stores network and host artifacts which you can search against the IoCs
Output: Ayy I got a hit (Oh no I got a hit)
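To make the input -> processing -> output loop concrete, here is a minimal sweeper in Python. This is an added example written for this post, not code from the original; the feed entries and artifact lines are constructed (hypothetical indicators, not real ones). It normalises a small feed (including a defanged entry), indexes it, matches it against SIEM-style artifact lines, and keeps the feed source and note with every hit so the resulting alert already carries context.

```python
import re
from collections import namedtuple

# Constructed IoC feed (hypothetical indicators, not real ones):
# (indicator, type, source, note). Note the defanged domain entry.
IOC_FEED = [
    ("198.51.100.23", "ip", "vendor-feed-A", "C2 seen in phishing campaign"),
    ("bad-update[.]example", "domain", "twitter:@researcher", "staging domain"),
    ("d41d8cd98f00b204e9800998ecf8427e", "md5", "vendor-feed-B", "dropper hash"),
]

# Constructed host/network artifacts, as a SIEM search might return them.
ARTIFACTS = [
    "2024-05-01T10:00:01Z proxy host=ws01 dst=198.51.100.23 url=http://bad-update.example/a.php",
    "2024-05-01T10:00:05Z proxy host=ws02 dst=203.0.113.7 url=http://intranet.local/",
    "2024-05-01T10:02:11Z edr host=ws01 file=C:\\Temp\\a.exe md5=D41D8CD98F00B204E9800998ECF8427E",
]

Hit = namedtuple("Hit", "host indicator ioc_type source note line")

def normalise(indicator, ioc_type):
    # Feeds are inconsistent: undo defanging ([.] / hxxp) and lower-case case-insensitive types.
    value = indicator.strip().replace("[.]", ".").replace("hxxp", "http")
    return value.lower() if ioc_type in ("md5", "sha1", "sha256", "domain") else value

def build_index(feed):
    # Input stage: one dict lookup per token instead of N regex passes per line.
    return {normalise(i, t): (t, s, n) for i, t, s, n in feed}

def sweep(index, artifacts):
    # Processing stage: tokenise each artifact line on whitespace and the
    # usual key=value / URL separators, then look every token up in the index.
    hits = []
    for line in artifacts:
        host_m = re.search(r"host=(\S+)", line)
        host = host_m.group(1) if host_m else "?"
        for token in re.split(r"[\s=/,;\"']+", line):
            key = token.lower().rstrip(".")
            if key in index:
                ioc_type, source, note = index[key]
                hits.append(Hit(host, key, ioc_type, source, note, line))
    return hits

def summarise(hits):
    # Output stage: hits per host with the feed context an analyst needs for triage.
    by_host = {}
    for h in hits:
        by_host.setdefault(h.host, []).append(f"{h.ioc_type}:{h.indicator} ({h.source}: {h.note})")
    return by_host
```

Running `summarise(sweep(build_index(IOC_FEED), ARTIFACTS))` groups the three hits under ws01 with their source and note, while ws02 produces nothing.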
There are some metrics that you need to watch out for