This has been a very interesting topic for me to research, and has some very direct benefits to my workplace too. Being able to spend some research time in collecting attack data, and then perform correlations to generate actionable intelligence has been very rewarding professionally for me.

Using a technique or methodology like this in communicating threat intelligence to an organisation would be great, especially where that organisation may not fully understand their threat landscape.

Thank you once again to all who have come and had a look at my progress.


Final Report

Traditional risk and vulnerability management focuses on creating a defensive perimeter for and organisation’s information system environment, this can largely be achieved through a number of compliance based frameworks, and will provide defensive measures and risk mitigation for the threats which those controls have been intended to address.

However as threat vectors evolve, more technologies are adopted for integration into organisational technology stacks, and threat actors become more emboldened, being able to prioritise threat and vulnerability management on a threat and risk basis becomes more important.

Being able to adapt an organisation’s vulnerability management program to address emerging threats may help that organisation to better address advanced attackers, and mitigate the potential of zero-day attacks which may have been observed in other organisations.

In addition, being able to translate emerging threats and vulnerabilities into enterprise risk management vernacular could garner the support of senior management to redirect assets as required to address emerging vulnerabilities, and provide the organisational leadership better content to understand how external cyber threats may affect all facets of the organisation.

This research project was not envisioned to be so complex, and deep when I started researching this subject. In additional to scholarly articles which described abstracted concepts which focused on either compliance, technical capability, or statistical analysis, sources for this research also included security researchers, intelligence reports, and personal experience within the cyber security field.

Continue reading “Final Report”

Week 12 – Progress Report

I am well into constructing the final report at the moment, and the final seminar is being developed in parallel. Cruelly, just as I was backing off from collecting data from the honeypot networks to generate this report, the honeypot network of sensors experienced their largest spike in traffic and malicious artefacts being received.

No matter the outcome of the research, I believe I will continue to maintain this environment for further research into malware analysis, but also in fingerprinting campaigns to identify perpetrators and craft mitigation strategies.

Week 11 – Progress Report

With Assignment 3 having been submitted this week, I will be focusing again on developing the research content to address the defined topic. From the 12 articles I chose to analyse, a considerable amount of information was considered from each article, with elements likely to be incorporated into the final product.

Research thus far concerning Open Source Intelligence for Threat Intelligence, has focused on the identification of Threat Actors, Vectors and Methods who are known to be exploiting Vulnerabilities. Those vulnerabilities may be present within organisations and their systems, which when used in combination with the risk registers in identifying their threats and vulnerabilities, would allow for better contextual discussions regarding risk management and incident response.

I have taken a small break from actively managing the honey pot environment the last few weeks, however I have collected a very large repository of intrusion attempts against what I could describe as a mock organisation’s external network.
These exploit attempts, in combination with public information will allow me to generate assistive information which will compliment the final report, and seminar content.

So far, I am running a little further behind schedule than I would like, however I feel I have enough information already to progress the final report and seminar structure to a very mature state.

Week 10 – Progress Report

I believe I have missed a couple of weeks of reporting, but I have been very busy digesting journals and articles from a number of authors. The content being related to the collection, interpretation and understanding of threat intelligence, and how that can be translated into business risk information.

This week I have completed reviewing all 12 articles for Assignment Item 3, and am now reviewing my mind maps from each articles to form my summary narrative for each one.

With the extension granted to get this assessment item completed by May 10th, I believe I am in a good position to have this completed by mid-week so I can move into Assignment Item 4.

Week 6 – Progress Report

We are into the second week of the Easter break, and with a small lull in work requirements, I have been able to look into some more techniques and articles pertaining to Threat Intelligence feeds, and I have identified some correlation points which will work well into Risk Management Methodologies.

I have also identified some performance issues with the external infrastructure which is being used to capture all of this data. Namely, there appears to be very consistent high RAM utilisation which I may need to address, otherwise there could be further issues.

Current performance usage of the remote infrastructure capturing malicious events.

Looking into the infrastructure, it appears just the ability to capture and index the events as they come through, and the indexing already occurring within the infrastructure is taking a great deal of the system resources.

From an overall view, there appears to be nothing untoward or unexpected, it may just be that all of these appliances are working perfectly, but where normally a malicious request would presumably be blocked, in these cases we are indexing them for analysis.

Virtual machine host performance whilst collecting malicious events.
DMZ tagged appliances are externally accessible
TELE tagged appliances are located within a private vSwitch

Week 5 – Progress Report

I have identified a handful of useful scholarly articles which will be likely candidates for inclusion into my research, and I have identified which elements of the NIST Cyber security Framework I will be addressing. Why NIST? Strangely within Australia most of our cyber security frameworks and legislation seems to follow NIST in a strange tangent, whilst also being something written for the Australian context.

The honeypots are now reporting again following a redeployment of the Elasticsearch index cluster (which did result in data loss), and a reconfiguration of the honeypots based on some very good advice from the malware research community.

All honeypots are now effectively maintaining their resources, culling old logs which have already been captured, and the Elasticsearch cluster is operating in high-availability mode to capture security events and incidents.

Security Events and Incidents captured by Honeypot sensors (1 – 5 April 2020)

Due to some offsite data processing limitations I will be augmenting my home based lab computing resources into processing some of this data, and providing some further enrichment data.

This week I will be deploying Malware Information Sharing Platform (MISP) and Minemeld to bring in public threat intelligence feeds for correlation and live data tagging. I will also be looking into the integration of OpenCTI, which is intended to provide visualisation of tagged and related data to visually represent how a security events particulars may be related to an externally reported attack.

Week 4 – Progress Report

This report has run a little late considering recent events, however I have been busy reading through books authored by reputable figures within the Risk Management and Incident Response field.

I have also redeployed infrastructure to capture attack events on my external honeypot network, with those events being ingested into a Security Information and Event Management (SIEM) platform.

Due to some space issues with storage, namely with the honeypots filling their disk space, I did lose over a week of security events. I have since adjusted the honeypots to automatically truncate their logs every 2nd hour (since all logs are remotely captured by the SIEM environment).
I have also identified a significant number of binaries which are being submitted to the honeypots which have been uploaded in an attempt to break into the box, these had not been considered previously, but will now be included for analysis within a sandbox environment (providing additional intelligence).

Over this next week I will be starting to construct the broad outline of the project outcomes, and then start drilling down into the NIST Cybersecurity Framework, where I suspect a great deal of the focus will be in the Protect and Detect phases.

Week 2: Progress Report

Milestone: Project topic has been determined. Blog has been deployed and configured. Research content being sourced.
Status: Complete

The project title was finalised, although an abstract has been devised based on the content available across the broad topic I was deliberately less specific as what sources of OSINT would be used.

The blog site has been built and deployed onto WordPress, I find its use very convenient whilst travelling and allows direct import of screenshots and images from clipboard.

Some preliminary research has been conducted, and some curated information sources have been located and negotiated to validate and enhance the research work.

A project timeline is still required to be developed, however with initial scoping for the topic already being underway, the project timeline should be more achievable.