Monday, May 14, 2012

Threat Intelligence and APT Resources

This post shares some of the resources I have found interesting and useful recently. In addition, I would like to thank my friends who have interacted with me in the past and who also work hard to fight cybercrime and Internet threats in general.

(in random order)

Thanks to Mila from contagio dump blog for linking to my blog from your APT page, which I also recommend reading. Also very useful is the list of browser exploit packs and all the great analysis of targeted attacks.

Thanks Keith for mentioning my tweets on your blog (Thanks for Sharing and Indicators) and for the great work in posting IOCs.

Thanks Kyle for mentions on your blog post Introduction to the Collective Intelligence Framework. I definitely recommend checking out CIF.

Thanks Mandiant for all your free tools (Redline, IOC-Finder etc.), great resources (M-unition blog, webinars) and interesting M-Trends reports.

Thanks Securosis for all the great free resources (Malware Analysis Quant etc.) and research papers published.

Thanks Command-Five for great research papers (e.g. Command and Control in the Fifth Domain) and the free C5 SIGMA network analysis tool.

Here are some blog posts about APT that I can recommend reading:

Eric Huber's blog post To APT or Not To APT?

Mike Cloppert's blog series on the SANS computer forensics blog:
Security Intelligence: Introduction (pt 1)
Security Intelligence: Introduction (pt 2)
Security Intelligence: Attacking the Kill Chain
Security Intelligence: Defining APT Campaigns

Update 2012-05-25: here are some more interesting papers that I enjoyed.

Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains [PDF]

Detecting Targeted Malicious Email through Supervised Classification of Persistent Threat and Recipient Oriented Features (Dissertation by Rohan Mahesh Amin, 2011)

Crouching Tiger, Hidden Dragon, Stolen Data [PDF]

Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage [PR]

The Chinese People's Liberation Army Signals Intelligence and Cyber Reconnaissance Infrastructure

So how do you share your threat intelligence with others and how / where do you find it online?

I've been tweeting some indicators in the past and collected some of these tweets on Storify as "malware intelligence". I've also created IOCs for Ponmocup and other malware (Zeus, debugger persistence and more) and posted them on Mandiant's forums and ioc.forensicartifacts.com.

I will update this post eventually with newer, more recent resources and information as they become available.

If you find this blog useful consider linking to it from your blog (what, you don't have one!? Why not?) or tweet about it.

If you know other useful blogs or resources not mentioned here (or on my recommended blogs list) please let me know.

Thanks for reading all the way to the end ;-)