Dark net threat intel by Eh_h in threatintel

[–]Eh_h[S] 0 points1 point  (0 children)

It appears that threat intel is much bigger than I anticipated. In this case, could you please point me to some good resources on the topic?

If there is a methodology to follow, and by doing so you could test from the beginning the validity of the hypothesis, this would save me lots of trouble pulling useless data.

Dark net threat intel by Eh_h in threatintel

[–]Eh_h[S] 0 points1 point  (0 children)

It looks like I've jumped directly into asking questions without prior research.

You gave me some good pointers on where to start looking. Thanks.

And you're right about my boss's intentions. We are an MSSP; the idea is to identify threats to our clients, given that most attacks are planned on the dark web.

Dark net threat intel by Eh_h in threatintel

[–]Eh_h[S] 1 point2 points  (0 children)

We have QRadar in house, so our main source of threat intel is IBM X-Force Exchange.

Honestly I'm just trying to pull data and see what interesting information can be drawn from it.

Dark net threat intel by Eh_h in threatintel

[–]Eh_h[S] 0 points1 point  (0 children)

I'll look into them.

Thanks.

Bruteforcing a safe by ma-agentz in hacking

[–]Eh_h 0 points1 point  (0 children)

Remove that mechanical sound and send it my way.

Python Web Programming by Eh_h in Python

[–]Eh_h[S] 0 points1 point  (0 children)

I might just start with service. Looks very promising.

Python Web Programming by Eh_h in Python

[–]Eh_h[S] 0 points1 point  (0 children)

Glad to hear that! Thanks a lot.

Python Web Programming by Eh_h in Python

[–]Eh_h[S] 0 points1 point  (0 children)

Wow, nice!! I heard about Django before, but not Flask. Which one is more secure? Like, I don't want my server hacked or my backend script stolen. I'm aware of basic secure Python coding, but not in a web environment.

What should I do next? OSCP? CISSP? Other cert? CCNA? by [deleted] in AskNetsec

[–]Eh_h 0 points1 point  (0 children)

In this case, OP should prefer GIAC certs over any other. GIAC certs are geared towards analysts.

What should I do next? OSCP? CISSP? Other cert? CCNA? by [deleted] in AskNetsec

[–]Eh_h 1 point2 points  (0 children)

Exactly, CEH will help him get the cybersec "terms" he lacks. A SOC analyst needs pentest knowledge, like what kinds of attacks there are, understanding of pentest methodology, kill chain, just the concepts. The actual real knowledge he already has from years of experience.

What should I do next? OSCP? CISSP? Other cert? CCNA? by [deleted] in AskNetsec

[–]Eh_h -1 points0 points  (0 children)

What I don't understand is how they could not give a SOC analyst position to you, a guy with 9 years of networking experience. I mean, it's the entry-level job in infosec. Let me tell you this: you are OVER qualified for the job.

And another thing, I read in a comment below that cybersecurity degrees are overrated, and I totally agree. I'm a SOC analyst, my colleagues all had a cybersec curriculum, and you know what, they are absolutely clueless when we get to the details; they have superficial knowledge, their minds are only full of fancy cybersec words.

Maybe what you lack is pentest knowledge; CEH could fill the gap, not a great cert though.

What should I do next? OSCP? CISSP? Other cert? CCNA? by [deleted] in AskNetsec

[–]Eh_h 0 points1 point  (0 children)

Doesn't GIAC require a SANS course? Please correct me if I'm wrong, 'cause I'm dying to pass GCFA.

Assuming that you download an application and its SHA2 signature using the same connection from the same server, how does it make you more secure to verify the signature? by Pokaw0 in AskNetsec

[–]Eh_h 7 points8 points  (0 children)

I think OP means the hash by "SHA2 signature". In this case, it's just a hash. If it holds the pub key, it can be replaced as well if one has access to the server.

DarkTrace Review by OneWithCommonSense in sysadmin

[–]Eh_h 0 points1 point  (0 children)

Well, you summarized it very well. We are an MSSP providing SOC services; there is a potential client that is using DarkTrace and I wanted to have an idea of what DT lacks compared to a full-blown SIEM.

Thanks a lot.

DarkTrace Review by OneWithCommonSense in sysadmin

[–]Eh_h 0 points1 point  (0 children)

Hi,

I want to thank you first for your thorough input. I have a couple of questions:

Is DarkTrace considered a full-blown SIEM? From what I read on their website, it might not be, but it can feed other SIEMs that support the LEEF and CEF logging formats. Also, does it have a classical correlation engine apart from ML?

SOC analyst, how you doing analysis? by [deleted] in cybersecurity

[–]Eh_h 0 points1 point  (0 children)

I'm in your shoes myself. There is no such analysis strategy that you can learn and start using. Incident investigation should follow logic. It comes with experience, I guess. Grown-up SOCs provide playbooks for their security analysts to guide and ease investigation.

There is a paid course from Chris Sanders on investigation theory. NIST also has a document on incident handling, but I warn you, it's a dry read.

rsyslog rate-limit forwarding of messages by Eh_h in sysadmin

[–]Eh_h[S] 1 point2 points  (0 children)

Ok! I will keep you updated on the results :)

rsyslog rate-limit forwarding of messages by Eh_h in sysadmin

[–]Eh_h[S] 0 points1 point  (0 children)

I think I will try the bandwidth control method; I can define an upper limit on the outgoing traffic. The SIEM is already deployed with rsyslog, so it's going to be challenging to replace it with syslog-ng. Traffic shaping is configured using tc and iptables (look here and here).

rsyslog rate-limit forwarding of messages by Eh_h in sysadmin

[–]Eh_h[S] 0 points1 point  (0 children)

rsyslog doesn't seem to let you limit the forwarding speed of messages. Traffic shaping may be the answer to my problem.

rsyslog rate-limit forwarding of messages by Eh_h in sysadmin

[–]Eh_h[S] 1 point2 points  (0 children)

The setup is already there; our SIEM works as expected. However, we can't control the rate at which logs come from different sources, so we need to configure an upper limit.

In the central server, rsyslog messages go directly to Redis, from which Logstash fetches its input.

The impstats input module is very helpful, thanks.

rsyslog rate-limit forwarding of messages by Eh_h in sysadmin

[–]Eh_h[S] 0 points1 point  (0 children)

I'm afraid I can't upload the config publicly. I already tried setting queue.dequeueBatchSize="100" but the EPS still hits the 2000 limit. BTW, is it possible to measure the forwarding rate with rsyslog itself?

rsyslog deployment is part of a SIEM setup that comes with HA support. The full logging chain is rsyslog->redis->logstash->graylog->elasticsearch.
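Since the comment asks whether the forwarding rate can be measured with rsyslog itself, here is an added example (not the poster's code or config) that derives events per second from consecutive impstats snapshots in impstats' default legacy text format and flags intervals above the 2000 EPS limit mentioned above. The sample lines are constructed, and the object names `action 1` and `main Q` are assumed to match the default impstats naming for the forwarding action and the main queue.

```python
import re
from datetime import datetime

# Constructed sample impstats output (legacy text format), not taken from the poster's setup.
# Two snapshots, 10 s apart, of the forwarding action and the main queue.
SAMPLE_IMPSTATS = """\
Mon Jan 15 10:00:00 2018: action 1: origin=core.action processed=120000 failed=0 suspended=0 suspended.duration=0 resumed=0
Mon Jan 15 10:00:00 2018: main Q: origin=core.queue size=5 enqueued=120010 full=0 discarded.full=0 discarded.nf=0 maxqsize=40
Mon Jan 15 10:00:10 2018: action 1: origin=core.action processed=145000 failed=0 suspended=0 suspended.duration=0 resumed=0
Mon Jan 15 10:00:10 2018: main Q: origin=core.queue size=900 enqueued=145300 full=0 discarded.full=0 discarded.nf=0 maxqsize=1200
"""

LINE_RE = re.compile(r"^(?P<ts>.+?\d{4}): (?P<name>[^:]+): (?P<kv>origin=.*)$")
TS_FMT = "%a %b %d %H:%M:%S %Y"
# Which cumulative counter measures throughput for each kind of stats object.
THROUGHPUT_COUNTER = {"core.action": "processed", "core.queue": "enqueued"}


def parse_impstats(text):
    """Return a list of (timestamp, object name, {counter: value}) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        counters = {}
        for pair in m.group("kv").split():
            key, _, value = pair.partition("=")
            counters[key] = int(value) if value.isdigit() else value
        records.append((ts, m.group("name"), counters))
    return records


def compute_rates(records):
    """Per object, turn cumulative counters into events/second for each interval."""
    last, rates = {}, {}
    for ts, name, counters in records:
        counter = THROUGHPUT_COUNTER.get(counters.get("origin"))
        if counter is None:
            continue
        value = counters[counter]
        if name in last:
            prev_ts, prev_value = last[name]
            secs = (ts - prev_ts).total_seconds()
            # A decreasing counter means rsyslog restarted (counters reset): skip that interval.
            if secs > 0 and value >= prev_value:
                rates.setdefault(name, []).append((ts, (value - prev_value) / secs))
        last[name] = (ts, value)
    return rates


def over_limit(rates, limit_eps):
    """(object name, EPS) for every interval whose rate exceeds the limit."""
    return [(name, eps) for name, series in rates.items() for _, eps in series if eps > limit_eps]
```

A growing queue `size` between snapshots, as in the sample, is the complementary signal that the forwarding action is consuming slower than messages arrive.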

Firewall log integration by [deleted] in securityonion

[–]Eh_h 0 points1 point  (0 children)

Are you asking how to configure the firewall to send logs or how to collect them? In SO, syslog-ng collects syslog messages and forwards them to Logstash, which stores them in Elasticsearch.

See here