In this updated version of my threat intel framework presentation (using Evernote as a backend database) at Brucon, I have matured the schema a bit, formalizing and generalizing the tagging structure for the different notebooks. As before there are also a few implementation examples. Thanks to the Brucon crew, especially Clement Herssens (@cherssen), for running one of the most well organized conferences I have participated in!
Creating REAL Threat Intelligence … with Evernote
In the presentation that threat intel vendors do not want you to see, threat data from open source and home grown resources meets Evernote as the ultimate braindump repository with the outcome of producing real actionable threat intelligence that your organization can leverage to stop the bad guys. This presentation discusses an experiment of using Evernote as a informal threat intelligence management platform, the specific concepts and strategies used, and its overall effectiveness. Specific topics covered include the advantages of using an open and flexible platform that can be molded into an open/closed source threat data repository, an information sharing platform, and an incident management system. Although using Evernote in this way in large enterprises is probably not possible, organizations can apply the same reference implementation to build similarly effective systems using open source or commercial solutions. And yeah … threat intel vendors still hold a role in ultimate threat intelligence nirvana but there is a lot you should do on your own first in order to better understand your requirements in searching for that ideal partner.
Today’s post pic is from Brucon.org. See ya!