Threat management: staying one step ahead
One of the keys to being successful at Cyber Threat Intelligence is having the right information sources. In military parlance this is known as a collection plan. The problem is that turning the never-ending stream of RSS feeds and emails into workable intelligence requires patience, context, and a historical understanding of the world we live in.
So when it comes to piecing together this particular puzzle, where do you start?
One of the most important sources I use, especially to vet implausible rumors, is the DHS Daily Open Source Infrastructure Report. Since senior folks in the US Government consume it, the stories and information contained are usually vetted and accurate. This report will also give you an appreciation of just how much of the US’s critical infrastructure is precariously balanced.
Unsurprisingly, some of the best cybercrime intel comes from the US Department of Justice. This source frequently provides the “Indictments” and “Memorandum in Law” for cybercriminal prosecution. As such, it’s an excellent source of information for understanding how Law Enforcement investigates and prosecutes cybercriminals. Meanwhile, for a European cybercrime perspective a good source of information is Europol’s press releases.
There are two other highly credible sources to look at, especially when it comes to trend analysis in cybercrime. SANS NewsBites is a high-level executive summary of the most important news articles that have been published on computer security during the past week.
However, probably the most widely known and comprehensive IT security publication is Information Week’s DarkReading. The staff reporters here cover every aspect of IT security and all of the articles are usually very credible.
Other publications worth following include Wired Threat Level, which is usually comprehensive and well written, Ars Technica, which is highly reliable, IT News’s Daily E-mail, and, a recent addition, The Verge. In this day and age it’s also critical to be watching The Guardian for the latest revelations from Edward Snowden’s purloined files.
Moving down the stack of information sources, you get to the Full Disclosure mailing list. This is not something for the faint-hearted; it is chock-full of proof-of-concept code and explicit vulnerability details from the top testing firms and minds in the world. The list is owned by Fyodor (aka Gordon Lyon), so enough said.
I strongly believe that geopolitical events shape the world of cyber security, and no other publication condenses this into a consumable format better than Israel’s Homeland Security Home. Everything, from the videos to the articles, is well produced and rivals some of the major news outlets in its depth of coverage. Israel has a heavy focus on counter cyber terrorism, so if you’re interested in cyber Jihad activity this is a good place to start digging.
Keeping a reasonable grip on RSS Feeds is always a challenge and I really liked the retired iGoogle customized home page. However, I have found a solid replacement in Ighome. My top RSS feeds include: SANS Internet Storm Center, ThreatPost, DeepLinks (The EFF’s RSS Feed), Epic.Org, Huffington Post, and all the major news agencies.
A handy Google feature that some folks don’t know about is Google’s Alert system. With this feature activated and the ability to export it as an RSS feed to a home page like Ighome, you have an automated Collection Plan backed by the world’s most powerful search engine.
So, if you want an idea about what may be coming down the network pipe at you there are a lot of sources of information to read and keep up to date with. One final piece of advice: always look at two or more sources of information on a given topic so you can gain some perspective on the issue.
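The RSS-fed collection plan described above, and the advice to check two or more sources before trusting a story, can be automated. The following is an added example written for this page, not the author's own tooling: it parses RSS 2.0 items from several feeds (a Google Alert exported as RSS looks the same to the parser), compares headlines by keyword overlap, and reports only the stories that at least two distinct feeds carry. The three feeds, their titles, links and dates are constructed sample data; a real deployment would fetch the feed XML over the network before handing it to `parse_rss`, which is not shown.

```python
import re
import xml.etree.ElementTree as ET
from collections import deque

# Constructed sample feeds: three tiny RSS 2.0 documents standing in for a
# security news feed, a second news feed and a Google Alert exported as RSS.
# Every title, link and date below is made up for this example.
SAMPLE_FEEDS = {
    "feed_a": """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed feed A</title>
<item><title>Phishing campaign abuses cloud storage sharing links</title>
<link>https://feed-a.example/1</link><pubDate>Mon, 10 Feb 2014 09:00:00 GMT</pubDate></item>
<item><title>Router firmware update fixes remote management flaw</title>
<link>https://feed-a.example/2</link><pubDate>Mon, 10 Feb 2014 11:00:00 GMT</pubDate></item>
</channel></rss>""",
    "feed_b": """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed feed B</title>
<item><title>Cloud storage sharing links abused in new phishing campaign</title>
<link>https://feed-b.example/7</link><pubDate>Mon, 10 Feb 2014 12:30:00 GMT</pubDate></item>
<item><title>Conference announces call for papers</title>
<link>https://feed-b.example/8</link><pubDate>Mon, 10 Feb 2014 13:00:00 GMT</pubDate></item>
</channel></rss>""",
    "google_alert": """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed alert feed</title>
<item><title>Phishing campaign using cloud storage links hits employees</title>
<link>https://alert.example/a1</link><pubDate>Mon, 10 Feb 2014 14:00:00 GMT</pubDate></item>
<item><title>Vendor patches remote management flaw in home router firmware</title>
<link>https://alert.example/a2</link><pubDate>Mon, 10 Feb 2014 15:00:00 GMT</pubDate></item>
</channel></rss>""",
}

STOPWORDS = {"a", "an", "the", "in", "of", "on", "for", "to", "and", "new", "with"}


def parse_rss(source, xml_text):
    """Return one dict per <item> in an RSS 2.0 document, tagged with its source name."""
    root = ET.fromstring(xml_text)
    return [{
        "source": source,
        "title": (item.findtext("title") or "").strip(),
        "link": (item.findtext("link") or "").strip(),
        "published": (item.findtext("pubDate") or "").strip(),
    } for item in root.iter("item")]


def stem(word):
    """Crude suffix stripping so that 'abuses' and 'abused' compare equal."""
    for suffix in ("ing", "ed", "es", "s"):
        if word.endswith(suffix) and len(word) - len(suffix) >= 3:
            return word[: -len(suffix)]
    return word


def keywords(title):
    """Lower-cased, stemmed, stopword-free token set used to compare headlines."""
    tokens = re.findall(r"[a-z0-9]+", title.lower())
    return frozenset(stem(t) for t in tokens if t not in STOPWORDS)


def jaccard(a, b):
    """Overlap of two keyword sets: 1.0 for identical sets, 0.0 for disjoint ones."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def cluster_items(items, threshold=0.4):
    """Group items whose headlines overlap: connected components of the similarity graph."""
    keys = [keywords(it["title"]) for it in items]
    seen, clusters = set(), []
    for start in range(len(items)):
        if start in seen:
            continue
        component, queue = [], deque([start])
        seen.add(start)
        while queue:
            i = queue.popleft()
            component.append(items[i])
            for j in range(len(items)):
                if j not in seen and jaccard(keys[i], keys[j]) >= threshold:
                    seen.add(j)
                    queue.append(j)
        clusters.append(component)
    return clusters


def build_report(feeds=SAMPLE_FEEDS, min_sources=2, threshold=0.4):
    """Stories carried by at least `min_sources` distinct feeds, most-corroborated first."""
    items = [it for name, xml in feeds.items() for it in parse_rss(name, xml)]
    report = []
    for cluster in cluster_items(items, threshold):
        sources = sorted({it["source"] for it in cluster})
        if len(sources) >= min_sources:
            report.append({"story": cluster[0]["title"], "sources": sources,
                           "links": [it["link"] for it in cluster]})
    report.sort(key=lambda r: (-len(r["sources"]), r["story"]))
    return report


if __name__ == "__main__":
    for entry in build_report():
        print(f"{len(entry['sources'])} sources: {entry['story']}")
        for link in entry["links"]:
            print("   ", link)
```

On the constructed feeds the phishing story surfaces with three sources and the router flaw with two, while the single-source conference item is dropped. The Jaccard threshold trades recall for precision: lower it and loosely related headlines start merging, raise it and the same story worded differently by two outlets is missed, so tune it against the feeds you actually subscribe to.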
Oh, and don’t even get me started on who to follow on Twitter or what whitepapers to read – my inbox overfloweth.
Want to know more about security? Then check out the video series by our security lead, Ian Trump…