As I said in my first “Weekly Intelligence Summary”, I want to provide the latest cyber threat intelligence updates to some of my clients or friends who are working in the cybersecurity roles for the financial industries in Hong Kong. The term Cyber Threat Intelligence (CTI) or Threat Intelligence (TI) may have different meanings for different people. I have no intention provide you my definition in this presentation. I just want to share the joys and pains on creating these summaries and my belief on the statement of “IR is guided by CTI and CTI lives on the information collected from IR”.
Each week’s Summary is prepared after quick and dirty review from various subscribed feeds or sources that I found. Those tactical and technical intelligence are manually updated to my MISP instance (https://cisp.org.hk). On each Friday, select feeds are extracted from the Dashboards which are pulling from the MISP instance.
The first time I aware the term Cyber Threat Intelligence can be dated back in 2013-14. I gave a presentation with title of “Tracing APT_163QQ”. In that presentation, I had identified the IOCs, such as: blackteae.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org and a whole block C-class IP addresses in Hong Kong. These IOCs are plot on a data mining map with Maltego.
In 2016, I presented my work called Maltelligence (malware-intelligence) in Cyber Security Symposium. The tool I created can parse IOCs from published security blogs or pdf papers and store them in a database. The collected IOCs can be further enriched with linked technical data pulling from OSINT sources.
The project is created with intention to allow malware/forensics analysts to perform correlation checks on attack campaigns launched against APAC region victims. That is absolutely a coincident, in the same conference, HKMA announcement the iCAST framework which caused the term - Threat Intelligence creeps into the minds of Hong Kong information security professionals.
Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.