Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Making Intelligence Actionable SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Making Intelligence Actionable

As demonstrated in the recent iframe attacks, a lot of people knew that something was going on. The challenge is how to collect all of that information and present it in a way that the community finds useful.

The first step in making information useful is to identify your target audience. For today’s example our target audience is going to be system and network administrators (since this is for SANS, that makes a logical choice, but other potential target audiences would be IT management, or security researchers.)

Now that the audience it defined, it’s time to collect what questions they really need answered when there is an ongoing malware campaign. What do network and system administrators need to know?

  • How to block the attack—avoiding trouble is always preferred, and stopping the bleeding should be one of the early steps.
  • What the attack attempt looks like—malicious domains, IDS signatures, etc.
  • What it exploits—what vulnerability does it exploit? Is it a social-engineering attack?
  • What a successful attack looks like—for some environments, they may see hundreds of attack attempts, how do they know if they have hundreds of victims to clean up, or do they have hundreds of near-misses?
  • Is AV effective? If so, when was it effective?
  • Purpose of the attack—this is helpful for prioritizing the response
  • How to protect the browsing community from compromise
  • How to protect the server community from amplifying the attack

I hope to keep these questions in mind when writing up alerts for the Handler’s diary. Once I have Actionable as a repeatable process, I’ll work more on Timely.

Kevin Liston

292 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!