Processing Intelligence Feeds with Open Source Software
Chris Horsley, SC Leung, Tomas Lima, L. Aaron Kaplan, Raphael Vinot

Overview: current topics in automatic incident handling for CERTs
IFAS (HKCERT); IFAS and use cases; IHAP project; ContactDB project; current R&D

IFAS
Drill down directly from the chart
Out-of-the-box feed plugins (4 publicly available)
Other developed plugins: … more, and your own
IFAS and Use Cases
SC Leung, HKCERT
Add computed columns, for example: number of phishing sites in “.AU” in each ASN, by brand
Real-time situational awareness for CERT management
Public Situational Awareness on Compromised Servers / PCs
(HTTP, DNS) via proxy
Interfaces to monitors:
Public analysis systems (VirusTotal, ThreatExpert)
Request to monitor
Private analysis systems
Incident handling automation project (IHAP)
What databases exist? What can we query?
Number-based resources: IP address, netblock, ASN
Name-based resources: domain name, hostname
TI, FIRST, CERT.org DBs
IANA ccTLD list
Whois DB (RIPE, ARIN, ..)
Whois DB (registrant, registrar)
National CERT DB
National CERT for country
IRT object, abuse-c, ...
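The lookup chain sketched above (RIR whois for number-based resources, the IANA ccTLD list and registrar whois for name-based ones, the national CERT as the fallback) can be automated. The following is an added example written for this page; it is not code from IHAP, ContactDB or IFAS. Every whois record, handle (AR100-EXAMPLE, IRT-EXAMPLE-CERT, AS64496), ccTLD entry and CERT address below is constructed for the example, and the preference for the IRT object over abuse-c is a choice made here, not a rule from the slides.

```python
"""Added example: walk the databases listed above to find an abuse contact.
Illustrative code written for this page, not code from IHAP, ContactDB or
IFAS; every record below is constructed, not real whois data."""
import ipaddress
import re

# Constructed RIR whois records, keyed by netblock or AS number.
RIR_WHOIS = {
    "192.0.2.0/24": (
        "inetnum:        192.0.2.0 - 192.0.2.255\n"
        "netname:        EXAMPLE-NET\n"
        "country:        NL\n"
        "abuse-c:        AR100-EXAMPLE\n"
        "mnt-irt:        IRT-EXAMPLE-CERT\n"
    ),
    "AS64496": (
        "aut-num:        AS64496\n"
        "as-name:        EXAMPLE-AS\n"
        "country:        DE\n"
        "abuse-c:        AR200-EXAMPLE\n"
    ),
}
# Constructed role / irt objects, fetched by the handles referenced above.
RIR_OBJECTS = {
    "AR100-EXAMPLE": "role:           Abuse Desk\nabuse-mailbox:  abuse@example.net\n",
    "IRT-EXAMPLE-CERT": "irt:            IRT-EXAMPLE-CERT\ne-mail:         irt@cert.example\n",
    "AR200-EXAMPLE": "role:           NOC\n",  # no abuse-mailbox: forces a fallback
}
# Constructed stand-ins for the IANA ccTLD list and a national CERT directory.
CCTLD_COUNTRY = {"au": "AU", "nl": "NL", "de": "DE", "hk": "HK"}
NATIONAL_CERT = {"AU": "cert-au@example", "NL": "cert-nl@example",
                 "DE": "cert-de@example", "HK": "cert-hk@example"}


def classify(indicator: str) -> str:
    """Split an indicator into the slide's two classes: number-based
    (ip, netblock, asn) or name-based (domain / hostname)."""
    if re.fullmatch(r"AS\d+", indicator, re.IGNORECASE):
        return "asn"
    try:
        ipaddress.ip_network(indicator, strict=False)
        return "netblock" if "/" in indicator else "ip"
    except ValueError:
        pass
    if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}", indicator, re.IGNORECASE):
        return "domain"
    raise ValueError(f"unrecognised indicator: {indicator!r}")


def parse_rpsl(text: str) -> dict:
    """Parse RPSL-style 'attribute: value' lines into attribute -> [values]."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^([a-z-]+):\s*(.*)$", line)
        if m:
            record.setdefault(m.group(1), []).append(m.group(2).strip())
    return record


def _covering_block(indicator: str):
    """Return the key of the constructed netblock that contains an IP or prefix."""
    net = ipaddress.ip_network(indicator, strict=False)
    for key in RIR_WHOIS:
        if "/" not in key:
            continue
        block = ipaddress.ip_network(key)
        if block.version == net.version and net.subnet_of(block):
            return key
    return None


def resolve(indicator: str) -> dict:
    """Query the databases in order and stop at the first usable contact,
    recording each step so an analyst can see where the answer came from."""
    kind = classify(indicator)
    chain, contact, country = [], None, None
    if kind in ("ip", "netblock", "asn"):
        key = indicator.upper() if kind == "asn" else _covering_block(indicator)
        rec = parse_rpsl(RIR_WHOIS.get(key, ""))
        chain.append(f"rir-whois:{key or 'no-match'}")
        country = rec.get("country", [None])[0]
        # Prefer the IRT object (a security team) over the generic abuse-c role;
        # that ordering is a choice made for this example.
        for attr, mailbox in (("mnt-irt", "e-mail"), ("abuse-c", "abuse-mailbox")):
            for handle in rec.get(attr, []):
                chain.append(f"{attr}:{handle}")
                obj = parse_rpsl(RIR_OBJECTS.get(handle, ""))
                if obj.get(mailbox):
                    contact = obj[mailbox][0]
                    break
            if contact:
                break
    else:
        # Registrar whois (registrant / registrar) is recorded as a step only;
        # no registrant data is modelled in this example.
        chain.append(f"registrar-whois:{indicator.lower()}")
        tld = indicator.rsplit(".", 1)[-1].lower()
        country = CCTLD_COUNTRY.get(tld)  # IANA ccTLD list maps TLD -> country
        chain.append(f"iana-cctld:{tld}")
    if contact is None and country:
        # Last resort: the national CERT responsible for that country.
        chain.append(f"national-cert:{country}")
        contact = NATIONAL_CERT.get(country)
    return {"kind": kind, "country": country, "contact": contact, "chain": chain}


if __name__ == "__main__":
    for ioc in ("192.0.2.10", "AS64496", "example.com.au"):
        print(ioc, "->", resolve(ioc))
```

The returned `chain` is the part worth keeping in a real handler: when an abuse report bounces or goes to the wrong party, the analyst needs to know which database produced the contact and which lookups were skipped.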