Week 2: Progress Report

Milestone: Project topic has been determined. Blog has been deployed and configured. Research content is being sourced.
Status: Complete

The project title has been finalised and an abstract has been devised; given the breadth of content available across the topic, I was deliberately less specific in the abstract about which sources of OSINT would be used.

The blog site has been built and deployed on WordPress. I find it very convenient to use whilst travelling, and it allows direct import of screenshots and images from the clipboard.

Some preliminary research has been conducted, and some curated information sources have been located, with access to them negotiated, to validate and enhance the research work.

A project timeline still needs to be developed; however, with initial scoping of the topic already underway, the timeline should be more achievable.

Building the Modern Honeypot Network Servers and Sensors

Now that a conceptual deployment model has been created, and the way attack data will be collected and indexed has been decided, I can start preparing the Modern Honeypot Network (MHN) server for deployment onto external infrastructure.

The honeypots themselves will be installed as a follow-on activity after having successfully deployed the MHN server appliance.


Collecting external attack data

A recent vulnerability disclosure affecting Microsoft Windows SMBv3 compression (SMBGhost, CVE-2020-0796) has been described as the new BlueKeep: a wormable exploit. For this reason I will be deploying honeypots to capture occurrences of scanning for exploitable systems, and then collecting this information in a Security Information and Event Management (SIEM) system.
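The collection step described above, worked through as an added example (this is not code from the project or from MHN): honeypot sensors emit one JSON record per connection, the script discards malformed records, groups port 445 hits by source address, keeps only sources seen on several sensors, and flattens each one into a SIEM-ready document. The event shape, sensor names, addresses and the `honeypot.*` field names are assumptions; the sample log is constructed.

```python
"""Turn raw honeypot connection events into SMB-scan alerts for a SIEM.

Added example, not code from the project or from MHN. Assumes each sensor
emits one JSON object per connection with the fields ts, sensor, src_ip,
dst_port and proto (a constructed shape, not the exact MHN/hpfeeds schema).
"""
import json
from collections import defaultdict

SMB_PORT = 445

# Constructed sample feed: 198.51.100.7 sweeps port 445 across three sensors,
# 203.0.113.9 touches one sensor, 192.0.2.44 hits 445 once (port as a string),
# and one record is deliberately truncated to exercise the parser.
SAMPLE_LOG = """\
{"ts": "2020-03-15T10:00:01Z", "sensor": "hp-syd-1", "src_ip": "198.51.100.7", "dst_port": 445, "proto": "tcp"}
{"ts": "2020-03-15T10:00:02Z", "sensor": "hp-mel-1", "src_ip": "198.51.100.7", "dst_port": 445, "proto": "tcp"}
{"ts": "2020-03-15T10:00:03Z", "sensor": "hp-per-1", "src_ip": "198.51.100.7", "dst_port": 445, "proto": "tcp"}
{"ts": "2020-03-15T10:00:04Z", "sensor": "hp-syd-1", "src_ip": "203.0.113.9", "dst_port": 22, "proto": "tcp"}
{"ts": "2020-03-15T10:00:05Z", "sensor": "hp-syd-1", "src_ip": "203.0.113.9", "dst_port": 445, "proto": "tcp"}
{"ts": "2020-03-15T10:00:06Z", "sensor": "hp-mel-1", "src_ip": "192.0.2.44"
{"ts": "2020-03-15T10:00:07Z", "sensor": "hp-mel-1", "src_ip": "192.0.2.44", "dst_port": "445", "proto": "tcp"}
"""


def parse_events(lines):
    """Parse JSON-lines sensor output, dropping malformed records.

    A sensor that dies mid-write or a truncated transfer must not take the
    whole collection run down, so bad lines are skipped rather than raised.
    """
    events = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
            events.append({
                "ts": str(rec["ts"]),
                "sensor": str(rec["sensor"]),
                "src_ip": str(rec["src_ip"]),
                "dst_port": int(rec["dst_port"]),
                "proto": str(rec.get("proto", "tcp")),
            })
        except (ValueError, KeyError, TypeError):
            continue
    return events


def smb_scanners(events, min_sensors=2):
    """Group port-445 hits by source; keep sources seen on >= min_sensors sensors.

    One 445 hit may be noise; the same source touching several unrelated
    sensors is what opportunistic SMB scanning looks like. Timestamps are
    ISO 8601 in UTC, so plain string comparison orders them correctly.
    """
    by_src = defaultdict(lambda: {"sensors": set(), "hits": 0,
                                  "first_seen": None, "last_seen": None})
    for ev in events:
        if ev["dst_port"] != SMB_PORT:
            continue
        e = by_src[ev["src_ip"]]
        e["sensors"].add(ev["sensor"])
        e["hits"] += 1
        if e["first_seen"] is None or ev["ts"] < e["first_seen"]:
            e["first_seen"] = ev["ts"]
        if e["last_seen"] is None or ev["ts"] > e["last_seen"]:
            e["last_seen"] = ev["ts"]
    return {ip: e for ip, e in by_src.items() if len(e["sensors"]) >= min_sensors}


def to_siem_docs(scanners):
    """Flatten each scanner into one JSON document for Elasticsearch ingestion.

    Field names follow Elastic Common Schema where a field exists; the
    honeypot.* names are this example's own.
    """
    docs = []
    for ip, e in sorted(scanners.items()):
        docs.append({
            "@timestamp": e["last_seen"],
            "event.kind": "alert",
            "event.category": "network",
            "rule.name": "honeypot-smb445-multi-sensor",
            "source.ip": ip,
            "destination.port": SMB_PORT,
            "honeypot.first_seen": e["first_seen"],
            "honeypot.sensor_count": len(e["sensors"]),
            "honeypot.sensors": sorted(e["sensors"]),
            "honeypot.hit_count": e["hits"],
        })
    return docs


if __name__ == "__main__":
    found = smb_scanners(parse_events(SAMPLE_LOG.splitlines()))
    for doc in to_siem_docs(found):
        print(json.dumps(doc))
```

The multi-sensor threshold is the important design choice: a single sensor cannot distinguish a mass scanner from a stray connection, which is why the brief spreads sensors across external infrastructure before trusting the data in the SIEM.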


Project Brief

Project Title

Open Source Intelligence: Harvesting and enrichment to inform organisations of their risk and threat profile.

Problem Domain:

With the rapid growth of cyber-enabled adversaries, and the reduced barrier to entry for acquiring cyber-weapons online, organisations need to refine their efforts to concentrate on the threats most applicable to their industry and public profile. This information is not easily acquired or digested because of its disparate sources and formats.

How does an organisation discover, correlate, enrich and evaluate threats to their organisation? And how does knowing the threat vectors and risk profile change the organisation’s culture and decision making process?

Background:

In my day-to-day job, I am a Security Operations Manager (SOM), a role which I find both creative and very challenging. The scope of the work I am involved in covers most aspects of protecting the business from external attack, from the sometimes mundane evaluation of spam and phishing emails and campaigns, through to evaluating supply-chain risk introduced by projects run through our organisation.

I am also an active Royal Australian Air Force reservist where I utilise my experience from my role as a SOM to assist my sponsoring squadron to develop their own policies, processes and knowledge to understand information security risk (in both the physical and digital realm).

The common thread in the two roles is the evaluation of the environment and industry vertical the organisation operates in, and the evaluation of external information sources to develop an intelligence program that supports the organisation's decision making and informs and mitigates against external threat vectors.

Project Aim

The aim of this project is to develop and deliver a paper with an associated detailed design and proof of concept virtualised environment which incorporates the knowledge gained.

The paper will describe the different types of data, and how, with refinement and correlation, they may be made more valuable to an organisation. It will also describe how this information may be interpreted to give an organisation an informed view of the potential threat vectors, and which threat actors are known to utilise those threat vectors.

The detailed design and proof of concept virtualised environment are aimed at validating the techniques and processes described within the paper, whilst also serving as a roadmap for future evolutions and expansions of the concept of OSINT collection and refinement.
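The refinement and correlation step the aim describes, as an added example (not the project's code): two indicator feeds in different formats are mapped to a common vocabulary, canonicalised so that the same domain written two ways merges into one record, deduplicated with sources and tags unioned, and then matched against firewall log lines in both directions. Both feeds, the log lines, the field names and the type mapping are constructed stand-ins for the "disparate sources and formats" the brief refers to.

```python
"""Normalise two OSINT indicator feeds of different shape into one set and
correlate them against firewall log lines.

Added example, not the project's code. Feeds, log lines and field names
are constructed; the type mapping is an assumption about what each feed emits.
"""
import csv
import io
import json
import re

# Constructed feed A: CSV with semicolon-separated tags.
FEED_A_CSV = """\
indicator,type,first_seen,tags
198.51.100.7,ipv4,2020-03-10,smb-scanner;bruteforce
evil.example,domain,2020-03-12,c2
203.0.113.9,ipv4,2020-03-14,ssh-bruteforce
"""

# Constructed feed B: JSON with MISP-style attribute types and a confidence
# score; one domain differs from feed A only by case and a trailing dot.
FEED_B_JSON = """\
[{"value": "198.51.100.7", "type": "ip-dst", "confidence": 80},
 {"value": "192.0.2.44", "type": "ip-dst", "confidence": 40},
 {"value": "EVIL.example.", "type": "domain", "confidence": 60}]
"""

# Constructed firewall log: one inbound hit from a feed IP, one outbound
# connection to a feed IP, one purely internal line.
FIREWALL_LOG = """\
2020-03-15T10:02:11Z DENY src=198.51.100.7 dst=10.0.0.5 dport=445
2020-03-15T10:02:12Z ALLOW src=10.0.0.21 dst=192.0.2.44 dport=443
2020-03-15T10:02:13Z ALLOW src=10.0.0.22 dst=10.0.0.9 dport=22
"""

# Feed-specific type names -> common vocabulary (assumed mapping).
TYPE_MAP = {"ipv4": "ipv4", "ip-dst": "ipv4", "ip-src": "ipv4", "domain": "domain"}

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<action>\S+) src=(?P<src>\S+) "
                    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def normalise(kind, value):
    """Map a feed type to the common vocabulary and canonicalise the value."""
    kind = TYPE_MAP.get(kind)
    if kind is None:
        return None  # unknown type: ignore rather than guess
    value = value.strip().lower()
    if kind == "domain":
        value = value.rstrip(".")  # FQDN trailing dot is not a distinct indicator
    return kind, value


def load_feed_a(text):
    """Read the CSV feed into (key, source, tags, confidence) tuples."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        key = normalise(row["type"], row["indicator"])
        if key:
            out.append((key, "feed-a", set(row["tags"].split(";")), None))
    return out


def load_feed_b(text):
    """Read the JSON feed into the same tuple shape as feed A."""
    out = []
    for item in json.loads(text):
        key = normalise(item["type"], item["value"])
        if key:
            out.append((key, "feed-b", set(), item.get("confidence")))
    return out


def merge(*feeds):
    """Deduplicate on (type, value); union sources and tags, keep max confidence."""
    merged = {}
    for feed in feeds:
        for key, source, tags, conf in feed:
            e = merged.setdefault(key, {"type": key[0], "value": key[1],
                                        "sources": set(), "tags": set(),
                                        "confidence": None})
            e["sources"].add(source)
            e["tags"] |= tags
            if conf is not None and (e["confidence"] is None or conf > e["confidence"]):
                e["confidence"] = conf
    return merged


def correlate(indicators, log_text):
    """Match src and dst of each log line against IPv4 indicators, noting direction."""
    ips = {v: e for (t, v), e in indicators.items() if t == "ipv4"}
    matches = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for field, direction in (("src", "inbound"), ("dst", "outbound")):
            hit = ips.get(m[field])
            if hit:
                matches.append({"ts": m["ts"], "direction": direction, "ip": m[field],
                                "dport": int(m["dport"]),
                                "sources": sorted(hit["sources"]),
                                "tags": sorted(hit["tags"])})
    return matches


if __name__ == "__main__":
    merged = merge(load_feed_a(FEED_A_CSV), load_feed_b(FEED_B_JSON))
    for hit in correlate(merged, FIREWALL_LOG):
        print(json.dumps(hit))
```

The indicator that appears in both feeds comes out with two sources and the higher confidence, which is the enrichment the brief is after: a sighting backed by multiple independent feeds deserves more weight than one backed by a single feed, and the outbound match to a feed address is the kind of signal a perimeter log alone does not surface.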

Deliverables

  • Project Schedule with Key Tasks and Milestones
  • Weekly Status reports
  • Regular blog posts
  • Detailed Design Documentation for a virtualised environment
  • Seminar presentation
  • Research Paper

Resources

Resources expected to be used within this project include:

  • Peer review papers, whitepapers, books and articles
  • Textbooks
  • Open Source Feeds for Precursors and Indicators of Compromise
  • Threat Intelligence feeds for Security Researchers
  • Private and Public Cloud hosted virtual infrastructure
  • Open Source Software
    • Malware Information Sharing Platform (MISP)
    • Elasticsearch, Logstash and Kibana
    • Cuckoo Malware Sandbox
    • Python

Welcome and hello!

Welcome to my ITC571 project research blog, and I hope to see and hear from you all during the course of this subject.

A brief introduction seems in order:

I am a Security Operations Manager for a medium to large organisation, and it is my role to manage risk and compliance and to inform the business of its current status in terms of threats and the appropriateness of current controls.

Over the last several months I have begun an evolution of sorts where I have become quite interested in Open Source Intelligence, and how it could be applied to inform on Risk and Threat within an organisation (or even in everyday life).

So it seems quite apt that I would gear my research project toward something of this nature, utilising that natural interest and generating a body of research which has application beyond this capstone subject.

Feel free to reach out to me if you have any questions or queries – always happy to have a robust discussion.