Jake Williams Profile picture
Jul 16, 2018 6 tweets 2 min read Twitter logo Read on Twitter
Teaching @sansforensics Threat Intelligence at #SANSFire this week. At first break, I had a chance to talk to students. The number of orgs with threat intelligence "programs" where program requirements are a complete unknown is always astounding to me. 1/n
If you don't know your #CTI requirements, you can't possibly build a good program. You may think you know the "requirements" but at the end of the day, those are determined by stakeholders (e.g. the "customer" aka whoever is in charge of funding the program). 2/n
If you aren't focusing on their concerns, you don't have an intelligence program. At best, you have some analysts wagging the dog with some analysis of potentially irrelevant (to the organization) intelligence information. It's not a professional operation, it's amateur hour. 3/n
If you don't KNOW your requirements, go ask your management what they should be. In my experience, the answer usually starts with a "well, you know..." To which I usually reply "no, please tell me." This can take a while, most people don't really know what they want. 4/n
Once you get good requirements, tailor your collection to those requirements. If you have data feeds that don't help with those requirements, get rid of them. They're a distraction. More data is not better. Enrich data and identify intelligence and collection gaps. 5/n
Then ask for feedback for your intelligence reports. This is just as important as getting requirements in the first place. You may write a report that looks freaking awesome to you, but is worthless to the stakeholder. Acting on feedback eliminates this disconnect. 6/6

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with Jake Williams

Jake Williams Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @MalwareJake

Sep 20, 2018
This has huge privacy implications, but as a data nerd, I'm excited to see it. As a hacker, I'm also excited. First, the hacker side: this will immediately create a market for device hacking (and forensics, $$$$) on an unprecedented scale. 1/n
If you can save $250/year on your policy by appearing to be active, but really are providing bunk data through a $50 app? Yeah, people will do that. Then when they die weighing in at 350 pounds but claiming to have run a marathon a week the last year? Forensics $$$. 2/n
But from a privacy perspective I'm horrified. It's a virtual certainty that this data will be breached at some point. It's already been shown how fitness tracker data, when de-anonymized, can create security issues (e.g. using fitness tracker information to map a SCIF). 3/n
Read 7 tweets
Sep 15, 2018
This is drawing a lot of ire from the infosec crowd because there's no obvious causality. We SHOULD be careful not to assign causality where there is none. But this data IS valuable and we shouldn't dismiss it because it lacks a causal link. 1/n
The study authors note that the biggest problem with this sort of study is the sample size is small. There simply are not that many publicly traded companies that have suffered significant breaches available to study. There are also many factors, making causality difficult. 2/n
Some interesting takeaways: Stock price goes down immediately after a breach, but recovers quickly after. This doesn't surprise me at all. @RenditionSec works a lot of breach cases and this tracks with our experience in privately held companies. 3/n
Read 9 tweets
Sep 8, 2018
I've had a number of people note that the Nuremberg Trials counter my argument that Park following lawful orders is a consideration in evaluating his actions. Let's talk about this, because I think it's wrong (for multiple reasons). 1/n
First, to use Nuremberg as a reference point, we are equivocating hacking Sony with the Holocaust. I'm not ready to go there. Some people are saying "but if he hacked the power grid, that would be equivalent." Irrelevant, since that's not what happened here. 2/n
I don't think nation state hacking of Sony should meet the definition of a war crime. I do think hacking can be. For instance, hacking a hospital and changing dosages of medication to kill patients would probably be a war crime. 3/n
Read 8 tweets
Sep 6, 2018
Charging individual North Korean government hackers as individuals is a human rights issue. Assuming the intrusions have been correctly attributed to Park (not a given), unlike me, he likely had zero choice in his actions. This is not okay. 1/n
People living in North Korea don't get a choice when the government comes calling. There are countless stories of atrocities where whole families are imprisoned (or worse) for defying the orders of the government. We know what would have happened if Park refused to hack Sony. 2/n
Park's only crime is his talent. Because he was selected to be educated in Computer Science (probably based on aptitude), his trajectory was set. Now that he faces indictment, his trajectory is likely set too. Park will never be turned over to the US for trial. 3/n
Read 8 tweets
Sep 1, 2018
Last year, my kid interviewed me about my job for a school project. One of the questions was "what's the most important trait for someone thinking of going into your field?" I said "natural curiosity." On reflection, I think I was wrong. 1/n
If she asked me again, I'd tell her curiosity is important. But much more important than that is "A commitment to lifelong learning, even when the subject bores the heck out of you." I've heard many talk of the need for constant learning (I do regularly myself). 2/n
What I don't think I've ever heard (or said) is "most of the stuff I learn for my job I have to choke down and I hate every second of it." Commitment to lifelong learning is easy if it's stuff you actually want to learn. I'll note that a lot of infosec isn't. 3/n
Read 7 tweets
Aug 31, 2018
Just had some fun at the office. An esx server had an issue earlier today and crashed. Admin brought everything back up and powered on all the VMs. Everything looked good. I went to use a VM and can't get to it. Can't ping it. Nmap to it and something's there. 1/n
Problem is that it's not the right something. I ask our admin and he checks the VM from the ESX server console. He says "it shows a duplicate IP." This is a problem because it's a static assignment - so what has my IP?! 2/n
Also, I hear someone in the SOC say "oh <expletive deleted>! Guys, we've got a problem!" They saw the nmap scan and alerted on it immediately. It looked super sketch because of how I did it. Bottom line, I'm happy I have our SOC for our customers AND watching us. 3/n
Read 11 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!


0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy


3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!