Threat Feeds & IR

I have been doing a lot more Threat Analysis and Incident Response than Malware Analysis lately.  While it is not the focus of this blog, I thought I would post a couple of thoughts on both topics.

Threat Analysis:  The best threat feed is now Twitter.  There are a couple of users that I follow that pop up in a special feed.  I find my response time to emerging threats has improved as a result. At the top of this list are Kimberly @StopMalvertisin, SophosLabs @SophosLabs, and 0xǝrror @0xerror.  These seem to bring to light threats that I find myself responding to at the time, or that I find I need to start paying attention to. If anyone has others that are good to follow for emerging threats, please add them to the comments.  (There is also a collection of other security professionals to follow if you enjoy security humor.  I won’t call them out here as I am afraid that might be seen as offensive.)

Incident Response: Knowing how to write non-production code to parse data or automate tasks makes the job a lot easier.  Just like in Malware Analysis, being able to write some rudimentary code (the kind the coding purists would gasp at) can dramatically increase the efficiency of a response.  I still enjoy Java (yes, I use Java), AutoHotkey, and Bash scripting as my go-to languages, but am slowly picking up Python and Ruby.  I rarely use any of the MS sharp languages or C/C++.  An important thing to learn about any application you use to collect or store data is what its API looks like or what its data schema is.  This makes writing code to access or parse the data a lot easier and more accurate.

And if anyone missed it, Alex Lanstein from FireEye had a good in SC Magazine.  I particularly enjoyed his quote: “…whether an attack is truly APT or simply a well-financed adversary, the infiltration and exfiltration techniques are nearly identical.”  Link:
