This blog has bounced around for quite some time now. It is my sincere hope that it has found a permanent home here. Time, I guess, will tell. For those who have not read earlier versions of this, a bit of explanation is in order. For those who have, there are a few changes that I hope you’ll appreciate.
The first Threat Hunter’s blog still exists and now is called “Threat Hunters – Deep Dive”. In that blog I will take topics covered here and get down in the technical weeds. When I am making a posting there, I will give you a pointer here. This version is unique in that I will be looking at a number of sources of cyber threat intelligence and bringing you a sort of compendium with my own thoughts, experiences and comments relating to the topics at hand. This is not, however, a typical opinion column. I will try to offer you some meat to chew on around twice weekly but, depending upon what’s going on in the cyber underworld, of course, it may be more or less frequent.
So, how do I get my information? I have several tools, some of which are open source and some of which are not. My data comes from a variety of sources – open and closed – and for obvious reasons I cannot tell you specifically what those sources are here. The open sources generally are related to a filtered, correlated view of the media. I have access to about 200,000 sources on the internet, and that includes over 200 specific hacking and hacktivist groups. I have sources within law enforcement that contribute to the overall picture, as well as sources within some of the ISACs (Information Sharing and Analysis Centers).
Finally, I have access to a datastore of over 10 million cyber threat actors. This access is unique in that it is provided by boots in the street as opposed to scanning the media. These analysts are lurkers in the underground activities on the dark web. Obviously, this is closed source. I also have my own access to the hidden web. It is my habit to treat my information sources as confidential, and I verify my findings with multiple sources. I also will tell you my level of confidence in the information I put here.
This is not a news blog. I will address emerging threats explicitly and some of those will not have hit the media yet. As to my commentary, it is the application of my over 50 years in the information security field to the data that are available to me. I have been a consultant, CISO and educator so my perspective is as varied as the issues I confront. I hope that this perspective will give you a bit of food for thought and that some, at least, is useful to you in your day-to-day cyber security tasks.
I have named this and its predecessors “Threat Hunter Blog”, not because I am the threat hunter, but because I, like many of you, am a threat hunter. We hunt down threats against our enterprises and, with a combination of skill, resources and luck, we find enough to help us prevent – or at least react appropriately to – cyber catastrophe. Perhaps this blog will add to your resources.
One last comment: As I said at the beginning, this is not an opinion column. Although I will offer opinions, they will be based upon hard facts that go way beyond the current stories in the media. However, I will not treat the “news of the day”. Generally, I don’t care much about that since it is far too filtered to be of use here. So you won’t see me commenting upon the latest actions of Congress relating to some cyber security bill. I will leave that to the pundits… they do that far better than I can (and care a lot more about it than I do). Any predictions you see here will be based upon a solid mathematical, technical, forensic or scientific analysis of the facts. In short, I will try my hardest not to send you off on wild goose chases down some rabbit hole that takes you nowhere.
What about your participation? You certainly are welcome to ring in on a particular posting with your comments, experience and, perhaps, debate. We all benefit from that and if you notice something in a posting or have some experience to share, you can bet that there are other readers who either have had the same experience – perhaps with a different outcome – or want to prepare so that they can avoid trouble.
So… until next time….
— Dr. S