I have not been uploading threat intelligence data for the last few weeks. I am in the process of relocating to a new home and have begun to break down my home lab VMs and equipment. I plan to release a summary of my data over the last few months before leaving my current residence, and am interested to see how the numbers change week over week. Even though most of the attempts are bots that already populate most brute force lists, there could be some unique attempts of interest. Since I’m making the move and putting some of my research on hold, I thought it would be good to reflect on what I’ve seen, what has worked, and what I’d like to improve.
I’ve been happy with my data collection process, but I do see issues with its application. I have a passion for threat intel, but I’m also torn because of its limited use and the overhead associated with its collection. For personal research and gain, I can’t fault anyone for standing up a lab to collect threat intel. Typically, the IOCs collected from my honeypots are scanning large swaths of IP ranges. This means my IOCs aren’t particularly unique, and most security vendors are seeing the same data. If you’re paying a security vendor to protect your network, whether it’s AV, IPS/IDS, or an MSSP SOC, they should* also have access to this data and much more. This means my IOC collection is mostly redundant. The biggest value from collecting your own data is the ability to single out targeted attacks and alert on those IOCs in correlation with network/host logs in a SIEM. My work uses Splunk to provide this correlation, and we’ve had success identifying outbound connections associated with attacking IPs. If you’re going to stand up some honeypots, use IPs and FQDNs associated with your organization. This will enable you to identify targeted attacks vs. data collected on a random AWS IP address.
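The correlation described above, as an added example that is not code from the original post or from Splunk: honeypot observations are summarized per attacker IP, each IP is marked "targeted" when it was only seen against sensors tied to the organization (as opposed to a random cloud address), and outbound firewall logs are then matched against that list so an allowed connection to a targeted attacker ranks higher than one to a broad scanner. The sensor naming convention (`org-`/`cloud-`), the key=value log format, and all IP addresses and records are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed honeypot observations: (attacker IP, honeypot sensor, login attempts).
# Sensors named "org-*" are assumed to sit on IPs/FQDNs tied to the organization;
# "cloud-*" sensors are assumed to be random cloud addresses. All values are made up.
HONEYPOT_EVENTS = [
    ("203.0.113.10", "org-mail", 40),
    ("203.0.113.10", "cloud-random", 35),
    ("198.51.100.7", "org-vpn", 12),
    ("198.51.100.7", "org-mail", 9),
    ("192.0.2.55", "cloud-random", 500),
]

# Constructed outbound firewall log lines; the key=value layout is an assumption.
OUTBOUND_LOGS = [
    "2024-01-05T10:01:22Z src=10.0.0.12 dst=198.51.100.7 dport=443 action=allow",
    "2024-01-05T10:02:03Z src=10.0.0.31 dst=93.184.216.34 dport=443 action=allow",
    "2024-01-05T10:05:41Z src=10.0.0.12 dst=203.0.113.10 dport=8080 action=allow",
    "2024-01-05T10:06:00Z src=10.0.0.44 dst=192.0.2.55 dport=22 action=deny",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def build_ioc_table(events, org_prefix="org-"):
    """Summarize honeypot events per attacker IP.

    targeted=True means the IP was seen only against organization-associated
    sensors, which is the signal used here to separate targeted activity from
    mass scanning that every vendor already sees.
    """
    seen = defaultdict(lambda: {"attempts": 0, "sensors": set()})
    for ip, sensor, attempts in events:
        seen[ip]["attempts"] += attempts
        seen[ip]["sensors"].add(sensor)
    iocs = {}
    for ip, info in seen.items():
        org_only = all(s.startswith(org_prefix) for s in info["sensors"])
        iocs[ip] = {
            "attempts": info["attempts"],
            "sensors": sorted(info["sensors"]),
            "targeted": org_only,
        }
    return iocs


def parse_log_line(line):
    """Parse one firewall line into a dict, or None for a malformed line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def correlate(log_lines, iocs):
    """Return outbound connections whose destination is a known attacker IP.

    Priority: high = allowed connection to an IP that only hit org sensors,
    medium = the same but blocked, low = connection to a broad scanner.
    """
    hits = []
    for line in log_lines:
        rec = parse_log_line(line)
        if rec is None or rec["dst"] not in iocs:
            continue
        ioc = iocs[rec["dst"]]
        if ioc["targeted"] and rec["action"] == "allow":
            priority = "high"
        elif ioc["targeted"]:
            priority = "medium"
        else:
            priority = "low"
        hits.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "dst": rec["dst"],
            "dport": int(rec["dport"]),
            "action": rec["action"],
            "priority": priority,
            "sensors": ioc["sensors"],
        })
    return hits


if __name__ == "__main__":
    table = build_ioc_table(HONEYPOT_EVENTS)
    for hit in correlate(OUTBOUND_LOGS, table):
        print(f"[{hit['priority']}] {hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"({hit['action']}; attacker seen on {', '.join(hit['sensors'])})")
```

In a real deployment the honeypot events would come from the collector and the firewall lines from the SIEM; the ranking step is the part worth keeping, because it turns a redundant blocklist hit into an alert only when the attacker's behaviour suggests the organization itself was being targeted.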
At my next residence I hope to expand my home lab, enhance my threat intel process, and automate as much as possible. I need to work on a couple of scripts to make my honeypots a bit more stable and auto-generate my threat intel reports. This could be done on my website, or by contributing to a service like AlienVault’s Open Threat Exchange. I feel my biggest gap is still contributing to the community. I need to find a way to automate the uploading of data so others can ingest it and correlate it against their network logs. We use OTX and Splunk at my work to do additional IOC correlation, which will be the most likely path I will take.
Expanding topics of interest
While I enjoy threat intelligence gathering, I want to continue expanding my knowledge of incident response and reverse engineering. I wrote a few articles about identifying the Zeus malware using Security Onion, REMnux (RE), and online automated tools. I really enjoy reverse engineering and incident response, and with limited incidents at work I need to keep using these skill sets so they are ready when needed. I’m also looking to expand my articles on Splunk and may even release a Splunk honeypot app that I’ve been working on for some time. Even without a home network, there’s plenty of research that can be done with a few properly set up VMs.
While I’m sad to miss out on research data for the next few months, InfoSec has plenty of topics for me to cover. As a lifelong learner, that’s why I love this field: there’s always a new challenge or topic to learn. While some of my skill sets aren’t used as often as others (incident response, reverse engineering, pentesting), I think it’s absolutely crucial for every InfoSec professional to be able to pull from personal experience and provide context in conversations. I do have experience working with non-technical managers that oversee information security, and I think the lack of that experience leads to cyclical arguments and overall paranoia. InfoSec professionals unfortunately experience burnout, which takes its toll after years of analysis, but it’s the mental baseline we create that enables us to make proper security and business decisions.
Hoping to post again soon, looking forward to new adventures and challenges!