Post #2 Intelligence Life Cycle – Collection

The collection phase helps respond to Intelligence requirements (including PIRs) and supports decision-makers and the Intelligence team. In this phase, the Intelligence team develops a strategy to collect data directly related to the requirements. The data can be sourced either internally or externally.

Question | Answered directly? | Intelligence requirement / answer | Source
What or where will a cyber-criminal target or attack? | Yes | Internet-facing applications/systems | Internal
What methods can a cyber-criminal use to target those systems? | No | Yes. Here we are looking for TTPs: the How | External
Which cyber-criminals have the capabilities to target those systems? | No | Yes. The Who: financially motivated threat actors, nation state actors | External
Do we have historical data of the attempts against those systems? | No | Yes. Known exploitation attempts, which include the What, the How and the Who (if there was a successful attribution) | Internal

Requirements Mapped to Sources

The following table shows some examples of Internal vs External sources.

Internal sources | External sources
Internal business units (if applicable) | Peer industries
Configuration management database (CMDB) | Government sectors
Security Operations team | Vendors
Internal technical support team | Law enforcement agencies
Accounts and payroll team | Closed-source communities

Sample Data Sources

Using the above table, we can infer the following.

  1. The Intelligence team collects information on all internet-facing applications from internal sources.
  2. The Intelligence team then looks, from external sources, for known methods (TTPs) used by the cyber-criminals known to target those systems.
  3. Assess the TTPs and disseminate the information, with context, to the teams responsible for protecting internet-facing systems.
  4. Repeat to identify further IRs associated with the given PIR.

Above is just one PIR mapped to sources. An organisation can have multiple PIRs, provided a priority is attached to each and it relates to the organisation's or business unit's mission statement.

Side Note: Recently, I was asked how to select vendors. Vendors are considered external sources. Based on the above example, we can see that the Intelligence team should map their requirements to the sources they will need when designing their collection strategy. Once they are mapped, the Intelligence team can evaluate vendor offerings (a Proof-of-Value is a must) and rate the content against the requirements. Remember, vendors will give you data (a good starting point); it is up to the intelligence team to make sense of it and provide organisational context for decision-makers.

Take care and be safe!

Post #1 Intelligence Life Cycle – Planning & Direction – Intelligence Requirements

Happy New Year to all, and let’s hope the year 2022 brings us good things. Unfortunately, 2021 was a bit hectic, which impacted my blog writing. So with this new year, I wanted to keep writing and start with one of my favourite topics – Intelligence.

This post (and hopefully others) is intended to assist individuals or teams looking to start an in-house intelligence program. I will begin with Planning and Direction as the first part of the Intelligence Life Cycle. Intelligence analysts follow the Intelligence Cycle when a mission statement from senior/executive management is executed. This process ensures the analysts do their job accurately. The five steps are Planning & Direction, Collection, Processing, Analysis & Production, and Dissemination. Let's take a closer look at each step:

  1. Planning and Direction: When a TI analyst or team is tasked with a specific job, they begin by planning what to do and how. As a team, they should move in a specific direction to get the job done, listing what they know about the issue and what they need to find out, and discussing ways to gather the necessary intelligence. This is where we start with intelligence requirements.
  2. Collection: Based on the requirements, the TI team collects information overtly (openly) and covertly (secretly, from closed sources). Reading public articles, newspapers, social media posts and blogs, listening to foreign radio, and watching overseas television broadcasts are examples of "overt" (open) sources. Other information sources can be "covert" (secret), such as information collected from sources on dark web forums, direct access to law enforcement, etc. For instance, TI analysts could become part of an underground forum or a group discussing ways to target a bank.
  3. Processing: The TI team takes all the information they have collected and puts it into an intelligence report. This information could be anything from a translated document to a description of a threat.
  4. Analysis and Production: During this step, the TI team takes a closer look at all the information and determines how it fits together, while concentrating on answering the original tasking (identified during the planning phase). The TI team assesses what is happening, why it is happening, what might occur next, and how it affects the bank's interests.
  5. Dissemination: In this final step, the TI team gives its final written analysis to the decision-makers (stakeholders). After reading the final analysis and learning the answer to the original question, the decision-makers may come back with more questions or act on the recommendations, if any. Then the whole process starts over again.

Planning and Direction is a phase where I strongly suggest considering the human element. Yes, I am talking about getting expertise, especially people with an Intelligence background and a technical understanding of Cyber. Yes, giving a chance to fresh graduates and less experienced individuals is ok, but still seek out talented individuals who can assess an event thoroughly without bias and anchoring.

What are Intelligence Requirements and why are they required?

As per my LinkedIn post, Intelligence requirements are time-phased, mapped or tied to a single question, and help make a decision.

Firstly, let's understand what Intelligence requirements are, why we prioritise certain ones, and how they differ. For any Intelligence operation, an objective or, say, a mission statement (in the form of a question) is required, which helps determine the requirements.

To have a working (as distinct from successful) Intelligence program or, say, operation, a team or an organisation needs a way to measure it. One of the most crucial attributes for measuring the framework is the requirements. Once all these requirements are mapped and fulfilled, we can say that the Intelligence program is successful. With this blog article (the first of many, hopefully), I hope to share what I know and how I believe an Intelligence program is established, starting with requirements gathering.

As we know, requirements typically come from decision-makers and may be mapped to some kind of mission statement. These requirements help them make a decision and help at a strategic level, usually towards reducing the organisation's overall risk posture. However, I have always had questions such as:

  1. So how many decision-makers can there be in an organisation?
  2. And do you ask each and every stakeholder?

Many teams do follow this path: talk to all department heads and get multiple responses labelled as requirements. I would personally label them as "wants" rather than "needs", as they are mostly of the form "I want to know about all X targeting us". The flaw here is that the answer to the question is specific to the unit or stream they manage. Converting them into something actionable that can defend the organisation becomes tedious, resulting in an ineffective intelligence program.

NOTE: Any vendors, organisations or entities who have already developed a working program should continue to do so. I am not saying they are wrong or not the way they should be. However, the following can be used as a reference or just a good read.

Here, you may see I have separated business and organisation, as I believe their threats can differ and overlap. For example, consider a financial institution vs a government body. A financial institution has customers who use its commercial services, while the users of a government body, such as the one that issues driving licenses, are citizens and are not considered customers.

If the exact same type of cyber-attack (e.g. a Denial of Service attack) successfully takes down the public-facing site of a financial institution and a driving license site, it impacts:

  1. Both organisations' reputation, leading to trolling on social media, news articles etc., which can impact company shares (for the financial institution) if downtime is prolonged.
  2. For financial institutions, possibly loss of customers and in some cases investors if the event is not managed properly.

For financial institutions the impact is more on customers, due to their inability to access their data or accounts, which can channel into complaints, overload on technical support teams and complaints on social media. Yes, the organisation has to manage this; however, a business continuity plan kicks in in this scenario.

Although the weapon of choice was the same, the impacts were different, and therefore the responses were diverse. These responses are, in most cases, approved by decision-makers, most likely influenced by the requirements mapped to their mission statement. It is highly likely the Intelligence team was not involved; however, the mission statement should be the same and can be taken as a priority intelligence requirement to begin the Intelligence cycle.

There is a possibility that a threat can impact both business and organisation, but I think threats can also impact them individually. Therefore, these individual threats should be treated separately, and the underlying requirements that a business unit or an organisation needs should also differ. The following table is a rough representation of the types of threats and their impact.

Threat | Impacts Business | Impacts Organisation
Denial of Service attack against customer-facing applications | Yes | Yes
Internal system compromise (Malware) | No | Yes
Insider leaking information | Partially | Yes
Ransomware (depending on the extent of compromise) | Yes | Yes
Customer Phishing | No | Yes

Threats that can impact business and organisation

Based on the above table, decision-makers within a business unit or an organisation should align with their mission statement, which could be business continuity or protecting the organisation from illegal activities.

Now, let's dive into the type of questions that decision-makers should ask, which can assist the Intelligence team in assigning priority and initiating the further steps of the Intelligence life cycle. Alternatively, a decision-maker can assign a priority themselves.

From Questions to Requirements – The What, The How and The Who

  1. What or where will a cyber-criminal target or attack? A decision-maker can ask this question, which can then be categorised as a Priority Intelligence Requirement. The answer to the above question will most likely start with internet-facing applications/systems, and therefore the Intel team now has to rely on its Collection strategy.
  2. The corresponding Intelligence requirements follow: the Intelligence team either answers them or looks for more information, which is part of the collection phase discussed here.

I will end the blog here, as I want to keep it short and informative. I will take a further leap into the phases of the Intelligence lifecycle in the coming blogs.

Take care and be safe!

Cyber Threat Intelligence. Is it for me?


I have been working in the Cyber Threat Intelligence area for quite a long time, and today I want to talk about a question that I often get asked.

Do we need Cyber Threat Intelligence?

With this article I will try to answer as much as I can, based on my personal experience.

Firstly, one must understand Cyber Threat Intelligence and how it can help your organisation. But before we venture into the Cyber world, we must know that Intelligence existed long before Cyber was even a word. Simply put, Intelligence is the ability to acquire certain knowledge and skills and apply them where applicable or where they fit. However, as we know, Intelligence is very broad and there can be multiple answers to the question; how can we select one single answer?

An article by Martin T. Bimfort evaluates multiple definitions and the perceptions of the person defining Intelligence in their own context, with the knowledge and skills they have gathered in their field.

The SANS CTI course generalised the definition as follows:

Intelligence is the collecting and processing of information about a competitive entity and its agents, needed by an organisation or group for its security and well-being.

So the meaning of Intelligence for a military individual and a chess player can be completely different, and they can both be right. However, is it possible they have the same goal? Yes. We all want to win!

Who are we trying to win against? Enemies, nation state attackers, rival organisations or someone sitting next to you. Let's call them Threats, internal or external. So did these threats exist before Cyber? Of course they did. However, the threats themselves were limited by their knowledge and skills compared to now.

From the beginning of the world there has been war, where Intelligence helped to prepare against enemies. However, this was mostly HUMINT (Human Intelligence), where one of your trusted individuals would go around enemy states and bring the information back. We didn't have email, so falcons and doves were used to transfer messages. Then came ciphers to hide the actual messages, Morse code, etc. From then to now we have seen a tremendous uptick in tools and technologies that aid us in defending against these threats. The main point still remains: our threats have the same tools and technologies. As time went by, Cyber Intelligence came into existence and now everybody wants to do it.

Note: Intelligence is a field of expertise and not everybody can do it. Steer away from those who claim "we provide Cyber Intelligence or Threat Intelligence services" and just share IP addresses and send email notifications without context.

So, coming back to the main point: what should organizations consider if and when they require Cyber Threat Intelligence services, and what is it actually?

For me, the main reason to have a Cyber Threat Intelligence program is that it provides actionable outcomes or information that help any organization understand its security posture, deal with current threats, fill security gaps and reduce overall risk. For any organization that is planning to get into Cyber Threat Intelligence, the following are my prerequisites:

  1. Have a management agreement|vision|understanding of why they want the Cyber Threat Intelligence program.
  2. Make sure it's not a checkbox that needs to be ticked because of compliance or insurance, or because it's just cool to have.
  3. Understand the current Risk model of your organisation and work towards a strategy that aligns with your risk model.
  4. Understand that Intelligence has different categories and they all require equal attention. Will discuss more in coming articles.
    1. Operational
    2. Tactical
    3. Strategic
  5. Hire expertise. Being blunt, companies do tend to transfer or promote internal staff who lack knowledge and experience in cyber intelligence, including adversaries' tools and techniques, and believe it will yield positive results, but it actually steers the team into a never-ending ocean.

Organizations may have more or fewer prerequisites; however, I have seen some organizations just implement a program without considering any of the above points.

Consider the following DON'TS:

  1. Do not believe that Cyber Threat Intelligence is achievable by getting a platform or a service. They will help, but they are only there to supplement an established Threat Intelligence program and assist in finding missing pieces.
  2. A PowerPoint presentation IS NOT EQUAL TO expertise in Cyber Threat Intelligence. There are a lot of vendors now jumping into Cyber Threat Intelligence who believe a nice platform with indicators going to a SIEM is the intelligence. They are just pretenders and one should stay away from them.
  3. Peer pressure: Do not think that because your peer has a Cyber Threat Intelligence program|vendor|platform, we should have that as well. Many organizations have made that mistake by just following what peers do or are doing, but forget the most important part: understanding their own organization's requirements, threats etc. This leaves them starting their journey with somebody else's goal.

Once we understand our prerequisites and what is required, we take a step further and understand what a Cyber Intelligence program should do. I have created my own Pyramid of Cyber Threat Intelligence and hope it can help others.

So, how do I read this? The bottom tip of the pyramid is where Intelligence provides actionable information, which can be one or more of the items shown under the line.

[Image: Pyramid of Cyber Threat Intelligence]

Threats become known to the organization via social media, vendor posts, direct notification and/or news articles. Information gathering starts from there and goes through the multiple phases shown in the pyramid. Assessing and analyzing the available data, identifying actionable information and disseminating it to the relevant teams within the organization, to prepare our defenses against the identified threat, is the output of Intelligence.

I also use the Pyramid to set my priorities: the closer to the intelligence section, the higher the priority. Organizations can take a similar approach but may have different pieces that make up the pyramid. Remember, the pieces should align with your organization's Risk model and/or management's vision for what the Cyber Intelligence team is supposed to do.

So the answer to the question "do I need a Cyber Intelligence program?" is YES. The following points summarise my ideology, which an organization may want to follow when starting the program:

  1. Gather requirements from your management and understand their vision of the Intelligence program.
  2. Understand the current Risk model of your organization.
  3. Identify key people in your team with expertise|experience in Cyber Threat Intelligence and, if none are available, consider hiring them.
  4. Once requirements are set, plan to put the requirements into action. This involves creating processes. Processes should be created keeping your audiences in mind. Audiences are the people who will receive this actionable information.
  5. Identify current tools and technologies already in place that aid the team in providing the information.
  6. If the existing tools are not able to assist the Intelligence team in their tasks, look for alternatives. Alternatives should firstly be in-house development or open source tools. However, although these alternatives have no direct cost, one must understand there is an indirect cost involved, such as maintenance, hiring expertise to build the tool, managing the tool etc.
  7. Collect evidence of what is working and what is not. The evidence can help the team prepare a case to management if there is any chance of asking for more funding if/when required.
  8. If the team decides to get external help, identify which gaps you are trying to fill. Convert the gaps into use cases; the evidence collected will help at this stage. If we decide external help is required, the following are a few points to identify vendors:
    1. Identify vendors.
    2. Convert the gaps into use cases. Provide the use cases to about 3 vendors.
    3. Check with your peers. This helps in understanding why they chose a certain vendor.
    4. Do a bit of research on known vendors with expertise in your line of business.
    5. Look up their external presence, such as public articles, intelligence reports, known work with law enforcement etc.
  9. Once identified, give them the use cases, see the outcome and verify whether it is actually filling your gaps.
  10. If yes, take it to the management.
  11. Cross fingers 🙂

Before finishing, DO NOT consider the following vendor types:

  1. Vendors with no public presence or any evidence of helping the community.
  2. Consultancy firms who just talk on social media and at conferences with no actual work in intelligence.
  3. Vendors who are not experts, do multiple things, and think adding a Cyber Intelligence service to the brochure is the way to go.

I would still like to name a few vendors that one should check out. This is purely based on my personal experience and their assistance to the community.

  1. GroupIB: Good with their malware and carding information. Known for IR in multiple countries.
  2. Proofpoint: Good with their malware intelligence.
  3. Recorded Future: Good with their public blog articles and presentations.

Also, I wanted to thank Robert M. Lee, SANS instructor for the Cyber Intelligence course.

Final words:

Intelligence should assist in making decisions that help the organization improve its security posture. Intelligence starts with your logs, so make sure you listen to what they have to say. Intelligence should sit in the middle of all other teams and can assist at every stage within the organization, so transparency and sharing of information help.

I hope the article is useful. Thoughts and feedback are welcome.

Gathering Information about targets

Part II

Once the target is identified/determined, attackers begin their tasks. Now we must understand that, to launch an attack or gather information, they will rely on the tools and capabilities available to them.

As per my previous post, targets are also determined based on the tools that they can buy or create, according to their intent, motives and capabilities. Most of the time their motive is financial gain. Below are a few tools that are available to sophisticated attackers and script kiddies alike:

  • Kali Linux comes with a plethora of tools, from gathering information to launching attacks.
  • AutoSploit
  • Metasploit
  • PowerSploit
  • Exploit builders, available on multiple marketplaces; these are usually for sale/rent.
  • XXXXX-as-a-service: malware, ransomware, crypto and others. These services are either for sale or rent. Customised services are also available on request, such as banking injects.
  • Services like BlackTDS: BlackTDS is a multitenant TDS tool that has been advertising its services on underground markets since the end of December 2017 (Proofpoint article).
  • Underground forums/marketplaces where the mentioned or other services and/or tools are advertised.
  • Cracked vendor tools
  • Tools/Projects available on GitHub.

A few underground marketplaces:


Why is this important to know? As a target (any organisation or individual user), one should know about the tools that can be used against them. Monitoring such tools and understanding them can help to prepare against what's coming.

More about information gathering can be found in my previous blog entry:

Consider a scenario of phishing users to get their credentials. Understand that when these credentials are collected, they are mostly sold on marketplaces.

  1. Motive: Financial gain.
  2. Targets: To phish a user they need to contact them. This is mostly done via their email address or phone.
  3. Getting emails/phone numbers: Again, this goes back to marketplaces where people sell dumps containing emails and phone numbers from other sites. These hacks are mostly done to get vouches and recognition on the underground marketplaces. Another way to get emails/phone numbers is scanning social media sites and other publicly available sources.
  4. Tools: A bought or self-created phishing kit. There are document templates and pages available that these actors can use for phishing.
  5. Phishing hosting or compromising a site: Tools mentioned above such as BlackTDS, VPS service providers etc. help to host the phishing site. If not, attackers look for vulnerable public sites and host their phishing pages there. To compromise them they use tools available in Kali, for example.
  6. Actions: Mostly the credentials are stored in a database via a POST to a PHP script, or they are sent to an email address. These credentials are then either used or sold on underground marketplaces.

The cycle continues from number 1 for the same scenario or a different one.

What can we do to stop this?

This can't be stopped. However, we can make it harder for the phishers, or avoid falling for phishing by educating ourselves. Being proactive and reporting phishing attempts to the authorities or to the organisation that has been phished can also help take down the phishing site as early as possible.

The following links show some phishing examples:


Profiling the adversary : Target Determination


As mentioned in my recent LinkedIn update, this is the first blog article in this series about what our adversaries do and what a target can learn from their objectives/actions.

Executives or higher management mostly ask the following questions:

  • What is the current threat landscape?
  • How do we protect our organisation?
  • What is targeting us?
  • What are our current cyber security risks?
  • Are we getting a return on investment from the products we have?

Mostly the executive summary tries to answer these questions, and sometimes others. We always look for the answers to these questions from our vendors, internal teams etc. However, are we asking the right questions? How about:

  • Why are they targeting us?
  • What kind of information are they after? Why?
  • What kind of data/information are they leveraging?

To answer these questions we need a combination: profiling what adversaries are doing, and what we know about our own organisation.

Based on my experience, I have noticed that there is very little documentation and few approaches out there regarding what Targets (organisations, not individual users) should be doing before and after any adversary targets and attacks them. Normally, vendors or organisations follow a framework or a model that is already out there.

Lockheed Martin's Cyber Kill Chain is a good model for understanding attackers' actions and objectives, and how an organisation as a victim can defend itself. However, in my hypothesis, before targeting an individual, an organisation or a nation, one must first determine the target. This determination is based on the INTENT, MOTIVE and CAPABILITY of an attacker/adversary.

The mission of the blog is to understand what steps attackers/adversaries take, profile them based on the steps taken, and work out what we as a target are supposed to do. It seems like we perform reconnaissance ourselves. Many organisations put this under the Reconnaissance phase (Information Gathering), which is wrong. Consider that you are travelling:

  • Target: I have 4 days of holidays, I will go to place A.
  • Reconnaissance: How do I get there, means of transportation, which hotel to stay in etc.

You can see clear differences between the two.

At the end of the series, the goal will be to profile attackers, their objectives and the tools, techniques and procedures they use, and how we can defend ourselves or at least be proactive in our incident response. Most of what I have mentioned is likely known globally, but I am still hoping to spread the word. Later, I will also try to match it with the Diamond Model, which is very useful in understanding an attacker and their capabilities.

Every attacker/adversary has an INTENT and a MOTIVE to perform an attack or target an entity, and for a successful attack their capabilities are also important. From the highly sophisticated to script kiddies, they have certain objectives. However, intent and motive are mainly used in the law and justice field and not in threat reports; at least the reports that I have seen do not mention them. In my opinion, these fields are not only for when we have to go to court; we can also use them to understand our adversaries and prepare ourselves.

That being said, for me the first phase should be Target Determination, or determining a target that fits the attackers'/adversaries' objectives. Recently, MITRE updated the TTP matrix with PRE-ATT&CK. The matrix provides the ability to prevent an attack before the adversary has a chance to get in.

We can divide attackers/adversaries into two groups:

  1. Insiders: disgruntled employees.
  2. Outsiders: ex-employees, nation state attackers, cyber criminals, script kiddies, hacktivists etc.

A few motivations/intentions:

  1. Financial gain
  2. Fame or generating vouches: required to gain the trust of the underground or a group of hackers
  3. Intellectual challenges
  4. Damage or disrupt services
  5. Cyber espionage
  6. Personal grievances.
  7. Political motivation
  8. Terrorism

Intentions are sometimes hard to prove, but mostly our adversaries will have malicious intentions.

Only after deciding on a target will they perform Reconnaissance or Target Profiling. Now, where the attackers/adversaries look depends on the target or on what motivates them. The target can be a single entity, an organisation, or a nation/country that accomplishes their intentions/motivations.

Single entity as a target: Individuals are mostly targeted for their personal data, such as credentials for their email address, online banking, medical data etc. This information is normally sold on forums and/or marketplaces. Another example is targeting individuals in high positions in corporations or institutions.

Organisation as a target: An attacker has varied intentions in targeting an organisation: damaging reputation, personal grudge, financial gain, or sometimes as part of a conspiracy and/or nation state attack.

Nation/Country as a target: This is mostly politically motivated, and the intentions are mostly malicious, towards harming the nation or country and its infrastructure. Disrupting day-to-day services that affect human life is also an intent. A recent example is the NotPetya malware attack on Ukraine. Here, the attackers/adversaries understood their target, profiled them and launched the attack.

In all cases, the better an attacker/adversary profiles their target, the better the attack will be.

For individual users, besides security awareness, being careful is the key here. The information that they share or provide can be used to target them. During a presentation I came up with the following tagline.

“Charity begins at home and intelligence begins with your logs”

So attackers/adversaries spend days, weeks or months collecting information about their target. As an organisation, for example, you already have this information but are not using it to gain a tactical advantage over your adversaries. So what should a target do?

  1. Take time to understand your organisation. Know what information is floating around on the network and sitting on your systems.
  2. Know what information about you is available publicly, and understand the risk: how an attacker can use it and which types of attack can leverage it.
  3. Bear in mind that attackers use readily available tools to assist them; many are sold or given away in underground marketplaces. Being aware of those tools is a good place to start. They are the adversary's weapons, and we need to know how a weapon works to defend against it. For every poison there is an antidote.
  4. After any successful breach or data exfiltration, go beyond incident response and BAU activities. If your email addresses were seen on Pastebin, don't just change credentials: assume those addresses will be used for phishing or spoofing. Ideally, issue new addresses and convert the breached ones into honeypot mailboxes; what arrives there tells you which attackers are targeting your organisation. If that is not feasible, put a mechanism in place to monitor those addresses and profile any incoming spam.
  5. Brand monitoring and domain registration: the organisation should monitor mentions of its brand and any domain registrations that could be used for phishing, fraud or launching attacks.
  6. Phishing is widely used to lure users and is a common entry point for malware. Organisations should also have a team looking for phishing sites and proactively performing takedowns.
  7. Share information about attacks or compromises with your peer industry to understand the organisation's possible exposure.
  8. Understand your service providers and contractors, as they can be exploited to launch an attack against you.
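
To make item 4 concrete, here is an added example (not code from the original post) of treating retired, breached addresses as honeypot mailboxes and profiling whatever is sent to them. The mail-gateway log format, the addresses and the log lines are all constructed for the example; a real gateway log needs its own parsing expression.

```python
import re
from collections import Counter, defaultdict

# Assumption for this example: these addresses appeared in a public paste and
# have been retired into honeypot mailboxes that no legitimate sender uses.
HONEYPOT_ADDRESSES = {
    "j.smith@example.com",
    "payroll@example.com",
}

# Constructed mail-gateway log lines in a hypothetical one-line-per-message
# format: timestamp, envelope sender, recipient, subject.
SAMPLE_LOG = """\
2016-11-02T08:12:01Z from=<invoice@acme-billing.top> to=<payroll@example.com> subject="Overdue invoice 4412"
2016-11-02T08:15:44Z from=<newsletter@vendor.example> to=<ops@example.com> subject="Monthly update"
2016-11-02T09:01:10Z from=<hr-portal@examp1e.com> to=<j.smith@example.com> subject="Password expiry notice"
2016-11-02T09:03:52Z from=<noreply@acme-billing.top> to=<j.smith@example.com> subject="Overdue invoice 4412"
2016-11-03T10:20:05Z from=<ceo@example.com> to=<payroll@example.com> subject="Urgent wire transfer"
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> subject="(?P<subject>[^"]*)"$'
)

def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def profile_honeypot_traffic(log_text, honeypots=HONEYPOT_ADDRESSES):
    """Profile who is mailing the retired addresses.

    Everything that reaches a honeypot is unsolicited by definition, so each
    hit is recorded: sender domain, subject lure, and whether the sender is
    spoofing our own domain. Returns (per-honeypot profile, campaigns seen on
    more than one honeypot), the latter keyed by (sender domain, subject).
    """
    def empty():
        return {"hits": 0, "sender_domains": Counter(),
                "subjects": Counter(), "spoofed_internal": 0}
    profile = defaultdict(empty)
    campaigns = defaultdict(set)
    for rec in parse_log(log_text):
        rcpt = rec["rcpt"].lower()
        if rcpt not in honeypots:
            continue
        sender_domain = rec["sender"].lower().rsplit("@", 1)[-1]
        p = profile[rcpt]
        p["hits"] += 1
        p["sender_domains"][sender_domain] += 1
        p["subjects"][rec["subject"]] += 1
        # Mail claiming to come from our own domain to a retired address is spoofed.
        if sender_domain == rcpt.rsplit("@", 1)[-1]:
            p["spoofed_internal"] += 1
        campaigns[(sender_domain, rec["subject"])].add(rcpt)
    cross = {k: sorted(v) for k, v in campaigns.items() if len(v) > 1}
    return dict(profile), cross

if __name__ == "__main__":
    prof, cross = profile_honeypot_traffic(SAMPLE_LOG)
    for addr, p in prof.items():
        print(addr, p["hits"], "hits; spoofed internal:", p["spoofed_internal"],
              "; top sender domain:", p["sender_domains"].most_common(1))
    print("campaigns hitting more than one honeypot:", cross)
```

The cross-honeypot view is the useful part: the same sender domain and lure landing on two retired addresses is one campaign working through the paste, which is exactly the attacker profile the post is after.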
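
For items 5 and 6, an added example (again not from the original post) of checking a feed of newly registered domains against lookalikes of a brand label. The brand, the owned TLD list and the feed entries are constructed, the homoglyph table is a small illustrative subset, and single-label TLDs are assumed.

```python
# Homoglyph substitutions attackers commonly use (assumption: a small
# illustrative table, not an exhaustive one).
HOMOGLYPHS = {
    "o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"], "a": ["4"],
    "s": ["5"], "m": ["rn"], "w": ["vv"], "rn": ["m"],
}

def lookalikes(label):
    """Generate candidate lookalike labels for a brand label (no TLD).

    Covers the classic typosquat families: single-character omission,
    adjacent transposition, character repetition, homoglyph substitution and
    an inserted hyphen. Returns a sorted list that excludes the label itself.
    """
    cands = set()
    n = len(label)
    for i in range(n):
        cands.add(label[:i] + label[i + 1:])                 # omission
        cands.add(label[:i] + label[i] + label[i:])          # repetition
        if i > 0:
            cands.add(label[:i] + "-" + label[i:])           # hyphenation
        if i + 1 < n:                                        # transposition
            cands.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for src, repls in HOMOGLYPHS.items():                    # homoglyphs
        pos = label.find(src)
        while pos != -1:
            for r in repls:
                cands.add(label[:pos] + r + label[pos + len(src):])
            pos = label.find(src, pos + 1)
    cands.discard(label)
    cands.discard("")
    return sorted(cands)

def match_new_domains(brand, own_tlds, new_domains):
    """Flag entries of a newly-registered-domain feed that imitate the brand.

    Two classes are reported: a generated lookalike as the registrable label
    under any TLD, and the genuine brand label embedded in a longer label or
    registered under a TLD we do not own. Assumes single-label TLDs.
    """
    watch = set(lookalikes(brand))
    hits = []
    for fqdn in new_domains:
        parts = fqdn.lower().rstrip(".").split(".")
        if len(parts) < 2:
            continue
        label, tld = parts[-2], parts[-1]
        if label == brand and tld in own_tlds:
            continue                     # our own registration
        if label in watch:
            hits.append((fqdn, "lookalike"))
        elif brand in label:
            hits.append((fqdn, "brand-embedded"))
    return hits

# Constructed sample feed of newly registered domains (not real data).
SAMPLE_NEW_DOMAINS = [
    "examplebank.com",          # our own, ignored
    "exarnplebank.com",         # m -> rn
    "examp1ebank.net",          # l -> 1
    "examplebank-login.com",    # brand embedded in a longer label
    "examplebank.top",          # brand under a TLD we do not own
    "unrelated.org",
    "exampelbank.com",          # transposition
]

if __name__ == "__main__":
    for fqdn, why in match_new_domains("examplebank", {"com"}, SAMPLE_NEW_DOMAINS):
        print(fqdn, why)
```

Run daily against a zone-file or newly-registered-domain feed, the hits become the takedown queue for the phishing team in item 6; a hit that also resolves and serves a login page is the one to act on first.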

The following are a few examples of the kind of information that gets out, or is available, and aids an attacker in launching an attack:

  1. It is important to know how your security controls respond to inbound attacks. What they send back (to a reconnaissance attempt, for example) can be used to map the network or to identify the type of device that is stopping the adversary. For example, an inbound scan blocked by a firewall that answers with an ICMP network unreachable message confirms that a filtering device exists and hints at how it is configured, whereas a silent drop reveals much less.
  2. Search engines and services such as Google, Shodan and VirusTotal can be used to collect a lot of information about a target and should therefore be monitored, especially for accidental uploads by internal employees, e.g. an employee uploading an Excel sheet containing organisation data to VT just to make sure it is not malware. Proactively monitoring this lets us contact the respective parties to take the data offline before entities with malicious intent get their hands on it.
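
To show what the first point means in practice, here is an added example (not from the original post) that decodes an ICMP Destination Unreachable reply the way a scanner would. The quoted inner header ties the reply back to the exact probe, and the code tells the scanner whether it is looking at a missing route (code 0, the network unreachable case above), a closed port on a live host (code 3) or an explicit firewall deny (code 13). The sample reply and the probe it quotes are constructed bytes, not a real capture.

```python
import struct

def icmp_checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 for a message whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

# Destination Unreachable codes (RFC 792 / RFC 1812) and what each tells a scanner.
UNREACH_CODES = {
    0: ("net unreachable", "a router has no route: the target network may not exist"),
    1: ("host unreachable", "the network exists but the host does not answer"),
    3: ("port unreachable", "host is up; that UDP port is closed"),
    9: ("net administratively prohibited", "a filtering device is in the path and is answering"),
    10: ("host administratively prohibited", "a filtering device is in the path and is answering"),
    13: ("communication administratively prohibited", "an explicit ACL deny on a firewall or router"),
}

def parse_icmp_unreachable(icmp):
    """Decode an ICMP Destination Unreachable message (type 3) and report what it leaks.

    `icmp` is the ICMP message without the outer IP header. The quoted inner
    IPv4 header plus the first 8 bytes of the original datagram let the scanner
    tie the reply to the exact probe it sent (protocol and destination port).
    """
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("truncated ICMP message")
    typ, code = icmp[0], icmp[1]
    if typ != 3:
        raise ValueError("not a Destination Unreachable message (type %d)" % typ)
    if icmp_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if len(inner) < ihl + 4:
        raise ValueError("quoted datagram too short for its IHL")
    proto = inner[9]
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    name, meaning = UNREACH_CODES.get(
        code, ("code %d" % code, "unusual code: worth fingerprinting the device"))
    return {"code": code, "name": name, "meaning": meaning,
            "probe": {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}}

def build_icmp_unreachable(code, quoted):
    """Construct a type-3 ICMP message around a quoted datagram (used for the sample)."""
    body = struct.pack("!BBHI", 3, code, 0, 0) + quoted
    cksum = icmp_checksum(body)
    return struct.pack("!BBHI", 3, code, cksum, 0) + quoted

# Constructed sample: the quoted IPv4 header (proto 6 = TCP) of a SYN probe
# from 198.51.100.7 to 203.0.113.10 plus the first 8 bytes of its TCP header
# (sport 40000, dport 3389), wrapped in a code 13 reply from a firewall.
QUOTED_PROBE = (
    struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                bytes([198, 51, 100, 7]), bytes([203, 0, 113, 10]))
    + struct.pack("!HHI", 40000, 3389, 1)
)
SAMPLE_REPLY = build_icmp_unreachable(13, QUOTED_PROBE)

if __name__ == "__main__":
    r = parse_icmp_unreachable(SAMPLE_REPLY)
    print("firewall answered:", r["name"], "->", r["meaning"])
    print("probe it answered:", r["probe"])
```

The defensive check is the mirror image: capture your own perimeter's replies to a test scan and see which of these codes it hands out. A policy that drops silently leaves the scanner with nothing more than "filtered".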

A Threat Intelligence and/or Hunting team must take this kind of approach. Organisations with budget limitations can also engage their security operations team or security service providers to perform these actions on their behalf. The frequency depends on the organisation's capacity to invest in resources.

With this I will end part 1.

SANS FOR578 Cyber Threat Intelligence – Course Review


Advance greetings for Christmas. Before I start, make sure to check out the SANS Holiday Hack Challenge here.

Recently, I was honoured to attend the SANS course FOR578 – Cyber Threat Intelligence. The instructor was Robert M. Lee, one of the best in the business. My reason for attending SANS training is purely that they are one of the best security training providers, and when they announced FOR578 last year I was very keen to see SANS' take on Threat Intelligence. I had been self-learning about threat intelligence via Lockheed Martin and various webcasts from SANS and other providers, and realised that every vendor has a different approach to Threat Intelligence.

I had prior knowledge of Threat Intelligence, and this course helped me get the best out of it.

By the end of the first day, I had a very good understanding of what Intelligence is and how it relates to Cyber Threats. Most of the time, in the name of Threat Intelligence, vendors or service providers end up sharing threat indicators with some nice dashboards and portray the system as a Threat Intelligence system. I have always said that we need to move beyond indicator-based systems (yes, it is still good to have those) and concentrate more on the Tactics, Techniques and Procedures (TTPs) of our adversary. The content of the course aligned with my thinking, helped me refine it, and showed how to implement it in real life.

During the course, I learned how to track a threat actor or a campaign and how best to present that information across your organisation. Tools such as CRITs, MISP and Threat_note were used. The Kill Chain model and the Diamond Model were explained in detail, and the labs were designed to implement these models.

One of the interesting labs was reviewing a vendor Threat Intelligence report. The report could be about an APT, an analysis of a threat actor, or a generic global briefing on Cyber Threats. In this exercise, we learned about biases and how multiple inputs to a single report can change the report's actual outcome or the identification of the adversary.

Other labs covered extracting intelligence from vendor reports, tracking a campaign, which artefacts to collect during an intelligence exercise, and how to provide evidence for your hypotheses. There were also labs on sharing threat information via STIX, YARA and OpenIOC. The course has very good real life case studies with regards to Thr

By the end of the fifth day, I knew what Threat Intelligence actually means and how we can use it in our organisation.

For those thinking of taking the course, I would highly recommend it.

Evoltin POS Malware – Kill Chain Mind Map


It has been quite a while since I updated my blog, as I have been spending some quality time off work with my family.

Recently, I was honoured to attend the SANS FOR578 Cyber Threat Intelligence course taught by Robert M. Lee, and it was excellent. I will write a separate blog post reviewing the course later.

Working in a customer service environment, I have realised how important data visualisation is. When presenting findings to C-level executives, having tables, charts and graphics in the report makes it easier to grasp the analyst's (or whoever wrote the report's) point of view. We can visualise findings about organisational risks, threats, incidents and many other departmental attributes in different ways.

For me, the best visualisation is the mind map, and I have used them to represent processes, procedures, incidents and so on. I also use mind maps when investigating incidents during IR, forensics and/or threat hunting. They help me track investigation steps and findings. If the incident continues into the next business day, the mind map lets me start where I left off and trace back my steps, rather than looking at Excel sheets, other textual representations or a case management system.

During the course, there was a strong emphasis on making sure investigation or intelligence-gathering information is represented in a way that all levels of audience can understand. That is when I thought of creating a mind map of a piece of malware and its behaviour, and how that can be represented across the Kill Chain phases.


The screenshot above shows the Kill Chain phases for the Evoltin POS malware, the indicators identified during analysis, and how they map to the different Kill Chain phases. Rather than presenting them in a table or chart, I believe the mind map view is much easier to grasp and better presented.

I will be creating more mind maps and uploading them to my GitHub account. I normally push IOCs to AlienVault OTX, Blueliv, GitHub and ThreatConnect, but from now on I will also create a similar Kill Chain mind map for every investigation I do.

Happy Mind Mapping!!!!!

CIF – Feodotracker threat feeds

Good day guys!

I was able to write another YAML rule to collect feeds from Feodotracker; it has been uploaded to my GitHub account and also to a project I am honoured to work on with CSIRT (under the guidance of Wes Young): BEARDED AVENGER, the new version of CIF.

The threat feed is provided in RSS format, so the RSS parser is used. The YML script is available on my GitHub account –

Happy Hunting!!!!!!!

CIF – cleanmx threat feeds

A good day today indeed. I have finally found some time to work on my CIF skills and to write configuration (YAML rules) to fetch open source threat feeds.

I started with the disabled configuration for cleanmx (/etc/cif/rules/disabled/cleanmx.cfg). The cleanmx.cfg file that ships with CIF should be used as the reference for the remote sites and the cleanmx id that are needed to write the YML rule.

The threat feed is provided in XML format, and the remote site link can be taken either from the config file or directly from the cleanmx site. (I always recommend checking the feed links in a browser regularly to see whether they still respond and whether they are still the correct links to fetch the feeds from; sometimes they change.)

The YML script is available on my GitHub account –
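
Both this post and the Feodotracker one above come down to the same job: pull an XML-based feed (RSS for Feodotracker, plain XML for cleanmx) and turn it into indicator records with provider and context attached. Here is an added example of that step in Python; it is not CIF's parser or its YAML rule format, and the two sample feeds are constructed and do not reproduce either provider's real schema. Scanning every text node and attribute under a record, rather than naming fields, is what keeps it working when a provider changes its layout.

```python
import re
import xml.etree.ElementTree as ET

IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
MD5 = re.compile(r"\b[0-9a-fA-F]{32}\b")
URL = re.compile(r"\bhttps?://[^\s<>\"']+")

def extract_indicators(xml_text, provider, record_tag, context_tags=()):
    """Turn an XML-based feed into normalised indicator records.

    Each element named `record_tag` (<item> for RSS, <entry> for a cleanmx-style
    feed) becomes one record. Every text node and attribute under it is scanned
    for IPv4 addresses, MD5 hashes and URLs, so the extractor does not depend on
    the feed's exact schema. `context_tags` names child elements whose text is
    carried through for context (e.g. pubDate, virusname). An IP that only
    appears inside a URL is still emitted as its own indicator.
    """
    root = ET.fromstring(xml_text)
    records = []
    for rec in root.iter(record_tag):
        texts = []
        for el in rec.iter():
            if el.text and el.text.strip():
                texts.append(el.text.strip())
            texts.extend(el.attrib.values())
        blob = "\n".join(texts)
        context = {t: (rec.findtext(t) or "").strip() for t in context_tags}
        seen = set()
        for itype, rx in (("url", URL), ("ipv4", IPV4), ("md5", MD5)):
            for m in rx.findall(blob):
                # Strip trailing punctuation from URLs found in free text; lower-case hashes.
                value = m.rstrip(".,;)") if itype == "url" else m.lower()
                if (itype, value) in seen:
                    continue
                seen.add((itype, value))
                records.append({"indicator": value, "type": itype,
                                "provider": provider, **context})
    return records

# Constructed RSS feed in the shape of a botnet C2 tracker (not real data and
# not Feodotracker's actual layout).
SAMPLE_RSS = """<rss version="2.0"><channel><title>Constructed C2 tracker</title>
<item>
  <title>203.0.113.45 (2016-09-14 10:02:11)</title>
  <description>Host: 203.0.113.45, Status: online, Port: 8080</description>
  <pubDate>Wed, 14 Sep 2016 10:02:11 +0000</pubDate>
</item>
<item>
  <title>198.51.100.9 (2016-09-13 21:40:00)</title>
  <description>Host: 198.51.100.9, Status: offline</description>
  <pubDate>Tue, 13 Sep 2016 21:40:00 +0000</pubDate>
</item>
</channel></rss>
"""

# Constructed XML feed in the shape of a malware-URL list (not cleanmx's actual schema).
SAMPLE_XML = """<entries>
  <entry>
    <id>4711</id>
    <url>http://203.0.113.77/load/bot.exe</url>
    <ip>203.0.113.77</ip>
    <md5>D41D8CD98F00B204E9800998ECF8427E</md5>
    <virusname>Trojan.Generic</virusname>
  </entry>
</entries>
"""

def parse_samples():
    """Run the extractor over both constructed feeds and return (rss_records, xml_records)."""
    rss = extract_indicators(SAMPLE_RSS, "constructed-rss", "item", ("pubDate",))
    xml = extract_indicators(SAMPLE_XML, "constructed-xml", "entry", ("virusname",))
    return rss, xml

if __name__ == "__main__":
    rss, xml = parse_samples()
    for rec in rss + xml:
        print(rec)
```

In a real deployment the fetch is a plain HTTP GET of the feed URL from the rule file; the part worth keeping is the schema-agnostic extraction and the per-record dedupe, which stops a feed that lists the same host in its title and description from producing two indicators.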

I will be writing more scripts to fetch open source threat feeds. If you know of any open source threat feeds that are not covered yet, please let me know.

Happy Hunting!!!!!!!

CIF – Collective Intelligence Framework – My deployment

Morning Everybody!!!!

I have been working on sharpening my Threat Intelligence skills and the available open source systems. As the title says, I have been working on CIF from CSIRT and wanted to share my experience and my planned future developments.

Following are a few screenshots of the system:

[Screenshots: threat feeds; IOC type; applications; CIF map]

CIF comes with a few default threat feeds and parsers. Each rule names the parser and the remote host that serves the feed, and IOCs (Indicators of Compromise) such as IP addresses, URLs and MD5 hashes are fetched from the feeds. The rules are written in YAML, a human readable text-based format.

Visualisation is provided by Kibana (it works on Kibana 3, shown above, and Kibana 4), with Elasticsearch 1.4 as the database. I am working on updating this to 2.x, which requires a full cluster upgrade.

Experience :

  • I am running it on an Ubuntu VM and have had no issues. Sometimes I have to restart the apache2, elasticsearch and cif services to populate custom dashboards and real-time data, although this can be automated with a script or a cron job.
  • System responsiveness is very good and the intelligence feeds are quite good. It can easily be integrated with a SIEM for additional context.
  • If you are a security researcher and identify new IOCs, you can update them on and then they can be pulled as feeds into the system –

Future work:

  • I am currently working on more open source feeds and writing parsers for them. I will be updating them on my GitHub account:
  • STIX and TAXII – if I can
  • Working with CSIRT on CIF v3 – Bearded Avenger

Final words:

This is an excellent open source initiative from CSIRT ( that gives us a framework and platform to share intelligence. One reason hackers are one step ahead is that they share information better than the organisations fighting them, and most of that sharing is free and available underground (on the dark net, as we say). Meanwhile, vendors charge thousands, even millions, to share threat information.