DIY Threat Intelligence Platform Workshop
Quick recap. In this Cloud Security office hours meeting, Shawn welcomed participants to a safe discussion space before Stryker presented her DEF CON session on building a DIY threat intelligence platform, explaining that commercial platforms can cost up to half a million dollars annually while simpler solutions can be built from existing tools. The presentation covered how to select reputable information sources, how to find and organize RSS feeds from primary and secondary sources, and how to automate information collection and management using tools like Feedly and Zapier. Shawn's camera stopped working after an Apple update, and song lyrics on cybersecurity themes were shared on screen at points during the session.
Camera Issues After Apple Update
The meeting participants are experiencing technical difficulties with Shawn's camera not working after an Apple update, despite the peripheral being detected. During the meeting, there is a screen share displaying what appears to be song lyrics, with Shawn mentioning songs about crypto and A. commenting about timing the music properly. Jay suggests the camera issue might be related to a recent Apple update, while Alex confirms this is a common problem with updates affecting peripherals.
DIY Threat Intelligence Platform Workshop
Shawn welcomes everyone to Cloud Security office hours, emphasizing that it's a safe space for open discussion without anxiety or drama. Stryker begins presenting her DEF CON session about building a DIY threat intelligence platform, explaining how she accidentally created one before understanding what it was. She outlines the presentation structure, noting it was originally designed as a 4-hour workshop but condensed to 1 hour, and encourages questions and interruptions throughout.
Threat Intelligence Platform Implementation Essentials
Alex explains that CTI at Geico processes external threat indicators and intelligence to inform stakeholders and threat hunters. He describes threat intelligence platforms as systems that organize information about threats in a contextualized way for organizations, noting that commercial platforms can cost up to half a million dollars annually. Alex emphasizes that intelligence differs from raw information, requiring triage, contextualization, and repackaging to become actionable, and advises using familiar tools rather than specialized platforms when starting out. He recommends that before building a threat intelligence platform, one should define clear goals, identify the specific audience (people or tools), determine the desired actions resulting from the intelligence, and leverage existing tools and skills.
Building Effective Threat Intelligence Platforms
A. discusses how to build a threat intelligence platform (TIP) by selecting reputable sources, emphasizing the importance of primary sources over secondary ones for faster access to information. She shares her seed source list and explains that while it initially seems time-consuming, the process can be streamlined to about 15 minutes daily through automation and proper source selection. A. clarifies that her full-time job involves synthesizing threat intelligence for non-technical stakeholders, and she advises beginners to start with recent articles rather than trying to process everything ever published. When asked about Darknet forums, she suggests that for a basic TIP, relying on established researchers is sufficient rather than attempting to infiltrate these communities directly.
Finding Hidden RSS Feeds
A. explains how to find hidden RSS feeds on websites, particularly for primary sources like Microsoft's security blog, by inspecting page source code and searching for RSS or XML tags. She demonstrates techniques including using Google Alerts, examining URL structures, adding "/feed" to URLs, and checking robots.txt or sitemaps. A. recommends organizing feeds by primary sources (researchers and communities) versus secondary sources (media), and shares that she uses Feedly to manage her information feeds with specific organizational structures. She cautions against including comment feeds to avoid information overload and notes that Reddit communities like r/cybersecurity can be valuable sources for breaking security news.
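The feed-discovery tricks summarized above (reading `<link rel="alternate">` tags out of the page source, guessing `/feed`-style paths, and pulling sitemap URLs out of robots.txt) can be scripted. The following is an added example written for this recap, not code from the session or the presenter; it works offline on a constructed HTML page and robots.txt, so the base URL, the hostname and the helper names are all assumptions, and fetching the real page is left to whatever HTTP client you already use. It also drops comment feeds, which the presenter warns against subscribing to.

```python
"""Discover RSS/Atom feed URLs advertised by a web page, offline.

Added example (not from the session or presenter). SAMPLE_HTML and
SAMPLE_ROBOTS are constructed inputs; blog.example.com is a placeholder host.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

FEED_MIME_TYPES = {"application/rss+xml", "application/atom+xml"}
FEED_PATH_SEGMENTS = {"feed", "feeds", "rss", "atom"}
COMMON_FEED_PATHS = ("feed", "feed/", "rss", "rss.xml", "atom.xml", "feed.xml", "index.xml")


def looks_like_feed_url(href: str) -> bool:
    """Heuristic for <a href> values: a path segment named feed/rss/atom or a feed-like suffix."""
    path = urlparse(href).path.lower()
    segments = [s for s in path.split("/") if s]
    return any(s in FEED_PATH_SEGMENTS for s in segments) or path.endswith((".rss", ".atom"))


def is_comment_feed(url: str, title: str) -> bool:
    """Comment feeds add noise without intelligence value; filter them out by default."""
    return "comment" in url.lower() or "comment" in title.lower()


class FeedLinkParser(HTMLParser):
    """Collect feed URLs from <link rel="alternate" type="application/rss+xml"> and feed-like <a href>."""

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.feeds: list[tuple[str, str]] = []  # (absolute url, title) in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        href = a.get("href")
        if not href:
            return
        title = a.get("title") or ""
        if tag == "link":
            rels = (a.get("rel") or "").lower().split()
            if "alternate" in rels and (a.get("type") or "").lower() in FEED_MIME_TYPES:
                self.feeds.append((urljoin(self.base_url, href), title))
        elif tag == "a" and looks_like_feed_url(href):
            self.feeds.append((urljoin(self.base_url, href), title))


def discover_feeds(base_url: str, html: str, exclude_comments: bool = True) -> list[tuple[str, str]]:
    """Return de-duplicated (url, title) pairs for every feed the page advertises."""
    parser = FeedLinkParser(base_url)
    parser.feed(html)
    seen, found = set(), []
    for url, title in parser.feeds:
        if url in seen or (exclude_comments and is_comment_feed(url, title)):
            continue
        seen.add(url)
        found.append((url, title))
    return found


def candidate_feed_urls(site_url: str) -> list[str]:
    """The '/feed' guessing trick: paths worth requesting when no <link> tag advertises a feed."""
    root = site_url.rstrip("/") + "/"
    return [urljoin(root, path) for path in COMMON_FEED_PATHS]


def sitemaps_from_robots(robots_txt: str) -> list[str]:
    """robots.txt may list sitemaps, which in turn often point at feed or archive URLs."""
    return [line.split(":", 1)[1].strip()
            for line in robots_txt.splitlines() if line.lower().startswith("sitemap:")]


# Constructed sample page: a blog advertising a post feed, a comment feed and an Atom feed.
BASE_URL = "https://blog.example.com/blog/"
SAMPLE_HTML = """<html><head>
<title>Example Security Blog</title>
<link rel="alternate" type="application/rss+xml" title="Posts" href="/blog/feed/">
<link rel="alternate" type="application/rss+xml" title="Comments" href="/blog/comments/feed/">
<link rel="alternate" type="application/atom+xml" title="Atom" href="https://blog.example.com/blog/atom.xml">
<link rel="stylesheet" href="/style.css">
</head><body>
<a href="/blog/feed/">RSS</a>
<a href="/blog/2024/some-post/">A post</a>
</body></html>"""
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /admin/\nSitemap: https://blog.example.com/sitemap.xml\n"

if __name__ == "__main__":
    for url, title in discover_feeds(BASE_URL, SAMPLE_HTML):
        print(f"feed: {url} ({title})")
    print("guesses:", candidate_feed_urls("https://blog.example.com/blog"))
    print("sitemaps:", sitemaps_from_robots(SAMPLE_ROBOTS))
```

Run it against a page you have already fetched: `discover_feeds(page_url, page_html)` gives the advertised feeds, and when that list is empty, `candidate_feed_urls(page_url)` gives the handful of paths to try next. Keep the results you confirm in a source list grouped as primary (researchers, vendors, communities) or secondary (media), as the presenter does in Feedly.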
Automating Threat Intelligence Collection
A. explains how to automate information collection and management for a minimum viable threat intelligence platform. She recommends using tools like Feedly for RSS feeds, which can integrate with Slack, and emphasizes the importance of capturing metadata (title, publication date, source) when storing information. A. discusses various automation options including Zapier and Shuffler.io, storage solutions like Airtable, and distribution channels for sharing findings. She cautions against overreliance on generative AI for analysis, noting its limitations with hallucinations and its inability to convert information into intelligence without human context.
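The collection step above (pull feed items, keep title, publication date and source, store them, push a digest to a channel) is what Feedly, Zapier and Airtable do for you; the following added example shows the same pipeline in plain Python so the metadata handling is visible. It is not the presenter's code or any of those tools' APIs: the two RSS feeds, the fixed "now" timestamp, the primary/secondary domain table and the Slack-style message shape are all constructed for the example. It de-duplicates items shared by several feeds (stripping tracking parameters first) and keeps only the last week, matching the advice to start with recent articles rather than the whole archive.

```python
"""Ingest RSS items into normalized records with metadata, then build a digest.

Added example (not from the session or presenter). The feeds, domains and
timestamp below are constructed; the hosts are placeholders.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

# Assumed source list: which domains are primary (researchers/vendors) vs secondary (media).
SOURCE_TYPES = {"blog.example.com": "primary", "news.example.org": "secondary"}


def canonical_link(url: str) -> str:
    """Drop utm_* tracking parameters and trailing slashes so the same article dedupes across feeds."""
    p = urlparse(url)
    query = [(k, v) for k, v in parse_qsl(p.query) if not k.lower().startswith("utm_")]
    return urlunparse((p.scheme, p.netloc.lower(), p.path.rstrip("/") or "/", "", urlencode(query), ""))


def parse_rss(xml_text: str) -> list[dict]:
    """Extract title, link, publication date and source (the channel title) from an RSS 2.0 feed."""
    channel = ET.fromstring(xml_text).find("channel")
    feed_title = channel.findtext("title", "").strip()
    items = []
    for item in channel.findall("item"):
        link = item.findtext("link", "").strip()
        pub = item.findtext("pubDate")
        published = parsedate_to_datetime(pub) if pub else None
        if published is not None and published.tzinfo is None:
            published = published.replace(tzinfo=timezone.utc)  # treat naive dates as UTC
        items.append({
            "title": item.findtext("title", "").strip(),
            "link": link,
            "published": published,
            "source": feed_title,
            "domain": urlparse(link).netloc.lower(),
        })
    return items


def normalize(items: list[dict], now: datetime, max_age_days: int = 7) -> list[dict]:
    """Keep recent, dated, unique items; tag each with its source type; newest first."""
    cutoff = now - timedelta(days=max_age_days)
    seen, records = set(), []
    for item in items:
        if item["published"] is None or item["published"] < cutoff:
            continue
        key = canonical_link(item["link"])
        if key in seen:
            continue
        seen.add(key)
        records.append({**item, "link": key, "source_type": SOURCE_TYPES.get(item["domain"], "unknown")})
    records.sort(key=lambda r: r["published"], reverse=True)
    return records


def slack_message(records: list[dict]) -> dict:
    """Shape the digest as a simple webhook payload (a plain text body) for a chat channel."""
    lines = [f"*{r['title']}* ({r['source']}, {r['source_type']}) "
             f"{r['published']:%Y-%m-%d} {r['link']}" for r in records]
    return {"text": "\n".join(lines)}


# Constructed feeds: the primary source repeats one article with tracking parameters and
# includes an old post; the secondary source covers the same week.
PRIMARY_FEED = """<rss version="2.0"><channel><title>Example Research Blog</title>
<item><title>New loader spotted in phishing campaign</title>
<link>https://blog.example.com/2025/06/new-loader/?utm_source=rss&amp;utm_medium=feed</link>
<pubDate>Sat, 14 Jun 2025 10:00:00 +0000</pubDate></item>
<item><title>New loader spotted in phishing campaign</title>
<link>https://blog.example.com/2025/06/new-loader/</link>
<pubDate>Sat, 14 Jun 2025 10:00:00 +0000</pubDate></item>
<item><title>Quarterly review</title>
<link>https://blog.example.com/2025/05/quarterly-review/</link>
<pubDate>Thu, 01 May 2025 08:00:00 +0000</pubDate></item>
</channel></rss>"""
SECONDARY_FEED = """<rss version="2.0"><channel><title>Example Security News</title>
<item><title>Vendor patches critical flaw</title>
<link>https://news.example.org/vendor-patches-critical-flaw</link>
<pubDate>Fri, 13 Jun 2025 09:30:00 +0000</pubDate></item>
</channel></rss>"""
NOW = datetime(2025, 6, 15, tzinfo=timezone.utc)  # fixed so the example is deterministic


def build_digest() -> list[dict]:
    """Full pipeline over the constructed feeds: parse, normalize, return the records to store."""
    return normalize(parse_rss(PRIMARY_FEED) + parse_rss(SECONDARY_FEED), NOW)


if __name__ == "__main__":
    print(slack_message(build_digest())["text"])
```

In a real deployment the records from `normalize` are what you would write to a sheet, Airtable base or database, and the `published`/`source` fields are what let you answer "when did we first see this and from whom" later; the digest is only the distribution step.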