Whoami
CTI analyst. Just finished my master's degree. Certifications include CISSP, GSEC, GCTI, Splunk certs.

The Pyramid of Pain
Indicators of Compromise, AKA "IOC". https:/detect-
Fact: Published in 2013 by David Bianco.

BAGPIPES!
Bagpipes: the official CTI instrument.

How Long To Retain IOCs?
Depends on many factors. Opinions/hot takes. Incident Response has taught me

Where to keep IOCs?
Platforms often referred to as "Threat Intelligence Platform" or "TIPs". Range from anywhere from Free-99 to six figures/year. Some on-prem, some SaaS.

Typical Workflow (diagram elements)
Network, DNS requests, SIEM (Splunk/Elastic), IOCs from feeds, Threat Intel Platform, IOC feeds, "ALERT! B detected", Analyst review/investigation.

Where to get IOCs?
Wide array of IOC feeds available. https:/

Let's buy old domains
See who's contacting them. Say definitively if old infections are still calling home.

July 24, 2022
Research time!

AND THEN... nothing.

Challenge: I have an idea, but don't know how to do it, don't have the time to go spend hours learning how to set up servers.

November 22, 2023 (17 months later)
Explained what I was doing. They did not care.
I suspected threat actor may be trying to reclaim old domain. They did not care.
Explained I redirected traffic to my LinkedIn for lulz. They did not care.
They did not