
Threat Intelligence

Featuring 6 Papers as of November 17, 2017

  • Cyber Threat Intelligence Support to Incident Handling (STI Graduate Student Research) by Brian Kime - November 17, 2017

    Recent research has shown increased awareness of Cyber Threat Intelligence (CTI) capabilities. However, CTI teams continue to be underutilized and have had difficulty demonstrating the value they can add to digital forensics and incident response (DFIR) teams. A meta-analysis of multiple surveys identifies where the gaps in knowledge exist. The paper suggests how CTI can support DFIR at each level of intelligence and operations (tactical, operational, and strategic) and during each phase of the incident response lifecycle (preparation; detection and analysis; containment, eradication, and recovery; and lessons learned). CTI teams should have priority intelligence requirements (PIRs) and a collection plan that supports answering those PIRs. In return, DFIR needs to share investigations and incident reports with the CTI team to reduce risk to the organization, decrease the time to detect an incident, and decrease the time to remediate an incident. This paper builds on previous work by the author to develop CTI processes to support CTI planning.


  • Data Mining in the Dark: Darknet Intelligence Automation (STI Graduate Student Research) by Brian Nafziger - November 17, 2017

    Open-source intelligence offers value in information security decision making through knowledge of threats and malicious activities that potentially impact business. Open-source intelligence using the internet is common; however, using the darknet is less common for the typical cybersecurity analyst. The challenges to using the darknet for open-source intelligence include using specialized collection, processing, and analysis tools. While researchers share techniques, there are few publicly shared tools; therefore, this paper explores an open-source intelligence automation toolset that scans across the darknet - connecting, collecting, processing, and analyzing. It describes and shares the tools and processes to build a secure darknet connection, and then how to collect, process, store, and analyze data. Providing tools and processes serves as an on-ramp for cybersecurity intelligence analysts to search for threats. Future studies may refine, expand, and deepen this paper's toolset framework.


  • Triaging Alerts with Threat Indicators by Gregory Pickett - August 25, 2017 

    Enterprises see more and more alerts every day. They are continually flooded with alerts, and the numbers keep increasing. Because analysts don't know which ones indicate a genuine threat, they have to be gone through one at a time to find out. With not enough time in the day, some get ignored (Magee, 2017). There just isn't enough time to get to them all. What if analysts could skip over those alerts that aren't a threat and just focus their time on those that are? If they were able to do that, they just might have enough time in the day to get through all of them. The answer to this question is Threat Indicators. Using past behavior, as measured by Threat Indicators, security analysts can determine how likely it is that an adversary in an alert is a threat. Those that are less threatening can then be skipped over in favor of those that are, allowing an analyst to get through their alerts much more quickly. It may even be quick enough for them to get through them all. This paper explores the use of Threat Indicators through both theory and practice. Finally, it measures their success through their use in the analysis of actual alerts to determine how effective this approach is in identifying threats and, through this identification, whether or not analysts are able to get through their alerts more quickly.


  • The Conductor Role in Security Automation and Orchestration by Murat Cakir - August 22, 2017 

    Security Operations Centers (SOCs) are trying to handle hundreds of thousands of events per day, and automating any part of their daily routines is considered helpful. Ultimately, fast creation of malware variants produces different Indicators of Compromise (IOCs), and automated tasks should adapt themselves accordingly. This paper describes the possible use of automation in the Threat Hunting, Identification, Triage, Containment, Eradication and Recovery tasks and phases of Incident Handling, along with practical examples. It also describes how they can fail, or can be systematically forced to fail, when orchestration is missing. Orchestration should not only cover dynamic selection of proper paths for handling specific tasks, but should also provide circumstantial evidence while doing that. Finally, there should be a Conductor who knows "when and how to use the baton" to accept, modify or reject any part of the automated flow.


  • Artificial Intelligence and Law Enforcement by John Wulff - August 21, 2017 

    After the 9/11 terrorist attacks against the United States, the law enforcement and intelligence communities began efforts to combine their talents and information gathering assets to create an efficient method for sharing data. The central focus of these cooperative efforts for information dissemination was State Fusion Centers, tasked with collecting data from several database sources and distributing that information to various agencies. This vast amount of intelligence data eventually overwhelmed the investigative organizations. The use of Artificial Intelligence (AI) is the preferred technology for analyzing data to recognize behavioral patterns and create a method for the sharing of data in the fight against crime and terrorism. AI can analyze threat data and historical information and then create attack hypotheses for predicting when and where crimes will be committed. The use of AI can directly affect the cost of operations. Criminal activity locations can be predicted by AI so that equipment and personnel can be directed to those areas to prevent those events from occurring. Financial resources must be allocated to allow for the development and testing of these applications so that the options available to law enforcement and the intelligence communities can be increased.


  • Threat Intelligence: Planning and Direction (STI Graduate Student Research) by Brian Kime - March 29, 2016

    Many celebrated leaders like Ben Franklin and Winston Churchill have said, in various forms, “Failing to plan is planning to fail.”


Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.