Fauie Technology

eclectic blogging, technology and hobby farming

Month: February 2017

Good Intel Is Hard

“Good Intel Is Hard”

– Perch SOC Lead, Patrick S

Today, Patrick and I were discussing some intelligence that we’re sensing on. This intel comes straight from a private intelligence source that’s supposed to have highly accurate, targeted intel. Our focus is on private sharing communities, e.g. ISACs, ISAOs, etc. In our experience, these sources of intel are supposed to be highly relevant and vetted, to make sure members of said communities are watching out for the most significant threats to their industry or community.

Contrast that to a threat feed like the open source Emerging Threats data. It’s excellent data that everyone needs to be detecting against; it’s just not specialized. It’s valid data that’s publicly available, and you should detect on it. (I’m trying to be super clear here: I’m not knocking ET at all. Use ET data, pay for ET Pro, you need it. But it’s table stakes, and getting the data from that source is key.)

There are a few issues in the state of cyber intel that I see so far:

  1. Even targeted, industry-specific intelligence ingests ‘other’ intel, thereby making it not very targeted. (One Stop Shop for Intel vs. Highly Focused and Relevant)
  2. Intel is shared before it’s vetted, leading to a lot of garbage (BUT I tend to prefer this, compared to ….)
  3. Intel is researched, vetted, and analyzed before it’s shared, slowing down the release of information.

TIPs and Private Communities

TIP = Threat Intelligence Platform: a content management system that specializes in the creation, collaboration, ingest and export of cybersecurity intelligence data in standardized formats, for human and machine consumption.

ISACs (Intelligence Sharing and Analysis Center) and ISAOs (Intelligence Sharing and Analysis Organization) offer communities a fantastic resource, when they’re run well. They provide a common center for analysis, research, and communication with other groups (FBI/DOJ, three-letter agencies, etc.), and are chartered to disseminate intelligence to their members. The issue that I’m currently running into while automating intelligence into detection is that these highly focused groups are ingesting data from other organizations or intelligence sources: they’re ingesting some commercial and public feeds. This dilutes their value, in my opinion. Any tool that’s worth its salt (what a weird saying) already pulls in open source intelligence and even popular closed source intelligence. Continue to add value by focusing on and sharing highly relevant data.

Vetting of data

There’s a balance between sitting on data too long and being paralyzed by analysis, vs. sharing data too early that’s wrong. I’d lean toward sharing too early rather than too late, though. It’s very easy to tell if comet.yahoo[.]com is a False Positive. I don’t mind an analyst taking 5 minutes to figure that out. I tend towards that, compared to holding valuable intelligence too long “just to make sure it’s super bad”. By then, my systems may be “super dead” (to quote A. Hamilton, or at least the musical, Hamilton).

If you’re pretty sure it’s bad, push it out. Let the boots on the ground figure it out for sure. Worst case scenario, we take 5-10 minutes investigating alerts because of it. Best case scenario, I alerted on some outbound traffic to new C&C infrastructure and was able to squash it REALLY quickly.
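To make the “push it out, let the analysts spend 5 minutes on the obvious false positives” idea concrete, here is a small triage pass over a shared indicator list before it goes to detection. This is an added example, not code from the post or from Perch; every feed, the allowlist, and the indicator values in it are constructed sample data, and the registrable-domain helper is a deliberately naive stand-in (no public-suffix list). It refangs indicators written like comet.yahoo[.]com, sets aside anything already present in a public feed (the dilution problem from the ISAC section), and routes well-known benign domains to an analyst instead of holding the whole release.

```python
"""Indicator triage before detection: refang, dedupe against public data,
and flag likely false positives for a quick analyst look.

Added example, not from the post. All data below is constructed.
"""
import re

# Constructed: what a private sharing community might push out.
PRIVATE_FEED = [
    "evil-example[.]net",
    "comet.yahoo[.]com",
    "198.51.100[.]23",
    "malware-c2-example[.]org",
]
# Constructed: stand-in for an open-source feed such as Emerging Threats.
PUBLIC_FEED = {"malware-c2-example.org", "203.0.113.9"}
# Constructed: domains an analyst recognises as benign infrastructure.
BENIGN_ALLOWLIST = {"yahoo.com", "google.com", "microsoft.com"}

_DEFANG = [("[.]", "."), ("(.)", "."), ("hxxps://", "https://"), ("hxxp://", "http://")]


def refang(indicator):
    """Undo the usual defanging so the value can be matched against logs."""
    for defanged, real in _DEFANG:
        indicator = indicator.replace(defanged, real)
    return indicator.strip().lower()


def registrable(domain):
    """Naive 'last two labels' approximation of the registrable domain.
    Assumption: no public-suffix list here, so co.uk-style suffixes are wrong."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def triage(private_feed, public_feed, allowlist):
    """Split a feed into what is new, what a public feed already covers,
    and what an analyst should eyeball before it alerts."""
    out = {"new": [], "duplicate": [], "fp_candidate": []}
    for raw in private_feed:
        ind = refang(raw)
        if ind in public_feed:
            # Already detected on via open-source data: adds no specialised value.
            out["duplicate"].append(ind)
        elif not re.fullmatch(r"[\d.]+", ind) and registrable(ind) in allowlist:
            # Benign-looking domain: 5-minute analyst check, not a release blocker.
            out["fp_candidate"].append(ind)
        else:
            # Genuinely specialised: straight to detection.
            out["new"].append(ind)
    return out


if __name__ == "__main__":
    for bucket, inds in triage(PRIVATE_FEED, PUBLIC_FEED, BENIGN_ALLOWLIST).items():
        print(bucket, inds)
```

The point of the three buckets is that only the last one needs to wait on a human, and only for minutes; the “new” bucket goes out immediately, which is the trade-off the post argues for.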




Quick Heimdall Data Install

Anyone played with Heimdall Data’s software? I was introduced a few weeks ago. They’re a super early startup (love!) with a pretty cool technology.

The feature that I really latched onto was the invisible caching. The first time I talked about a write-through cache was with nPulse tech, when dealing with some of the indexing we did, and there wasn’t really any easy technology to use. Typically it’s (pseudocode, Python-ish):

def my_function_by_id(id):
    # Cache-aside: the application itself checks the cache, falls back to the
    # database on a miss, then populates the cache. check_redis_cache,
    # set_redis_cache and db are application helpers (a Redis client wrapper
    # and a DB-API connection) that every caller has to know about.
    out_object = check_redis_cache(id)
    if not out_object:
        out_object = db.execute("select * from my_table where id = %s", (id,))
        set_redis_cache(id, out_object)
    return out_object


What happens when you switch cache services and go from Redis (simple) to Hazelcast (complex)?

Wouldn’t it be better to just:

def my_function_by_id(id):
    # No cache code at all: the caching layer sits between this call and the
    # database, so the application only ever talks SQL.
    out_object = db.execute("select * from my_table where id = %s", (id,))
    return out_object

Yes, that didn’t save that much code, but how many places in your code do you interact with your database?

Enter the Heimdall Data system. I can write my code and connect to their proxy (since I love Python, I’ll use the proxy, but they DO have a JDBC driver: update your config and you’re off to the races).

The software identifies my SQL statements, extracts patterns and parameters, and automatically sets up the cache.
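To show what “identifies the SQL, extracts the parameters, sets up the cache” looks like from the application’s side, here is a toy caching proxy that sits between a caller and the database so the caller keeps the second, cache-free form of my_function_by_id. This is an added example, not code from the post and not Heimdall Data’s proxy or its algorithm: sqlite3 stands in for the real database (so the placeholder is ? rather than the %s in the post), a dict stands in for Redis or Hazelcast, table names are recovered from the SQL with a regex, and the rows are constructed. Writes evict every cached SELECT that touches the same table, which is the part that keeps a read-through cache from serving stale data.

```python
"""Toy read-through cache proxy with write invalidation.

Added example, not from the post or from Heimdall Data. Assumes sqlite3 as
the database and a dict as the cache; table names are found with a regex.
"""
import re
import sqlite3


class CachingProxy:
    """Wraps a DB-API connection. SELECT results are cached keyed by the
    normalised statement text plus its bound parameters; any write to a
    table evicts every cached SELECT that references that table."""

    _TABLES = re.compile(r"\b(?:from|join|into|update)\s+([A-Za-z_][A-Za-z0-9_]*)", re.I)

    def __init__(self, conn):
        self.conn = conn
        self.cache = {}        # (normalised sql, params) -> rows; stands in for Redis
        self.db_queries = 0    # statements that actually reached the database
        self.cache_hits = 0

    @staticmethod
    def _normalize(sql):
        # Collapse whitespace and case so trivially different spellings share a key.
        return " ".join(sql.split()).lower()

    def _tables(self, sql):
        return {t.lower() for t in self._TABLES.findall(sql)}

    def execute(self, sql, params=()):
        # Only parameterised statements reach here, so user input is never part
        # of the statement text and therefore never part of the cache key.
        norm = self._normalize(sql)
        key = (norm, tuple(params))
        if norm.startswith("select"):
            if key in self.cache:
                self.cache_hits += 1
                return self.cache[key]
            self.db_queries += 1
            rows = self.conn.execute(sql, params).fetchall()
            self.cache[key] = rows
            return rows
        # Write path: run it, then drop cached reads of the affected tables.
        self.db_queries += 1
        self.conn.execute(sql, params)
        self.conn.commit()
        touched = self._tables(sql)
        for cached_key in list(self.cache):
            if self._tables(cached_key[0]) & touched:
                del self.cache[cached_key]
        return None


def build_demo():
    """Constructed sample database with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table my_table (id integer primary key, name text)")
    conn.executemany("insert into my_table values (?, ?)", [(1, "alpha"), (2, "beta")])
    conn.commit()
    return CachingProxy(conn)


def my_function_by_id(db, id):
    # The cache-free form from the post: the proxy, not the caller, does the caching.
    return db.execute("select * from my_table where id = ?", (id,))


if __name__ == "__main__":
    db = build_demo()
    print(my_function_by_id(db, 1), my_function_by_id(db, 1))
    print("db queries:", db.db_queries, "cache hits:", db.cache_hits)
    db.execute("update my_table set name = ? where id = ?", ("gamma", 1))
    print(my_function_by_id(db, 1))
```

Swapping the dict for a real cache client changes only CachingProxy, which is the “how many places do you interact with your database?” argument from the post in one class.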

Let’s follow instructions from here:


Alright, let’s start from a fresh CentOS 7 virtual machine:

sudo su -
bash <(curl -s http://download.heimdalldata.com/downloads/serverinstall.sh)

Then, I grabbed the service file from here: https://rayed.com/wordpress/?p=1496

Put the file contents in /etc/rc.d/init.d/supervisord

chmod +x  /etc/rc.d/init.d/supervisord

sudo chkconfig --add supervisord

sudo chkconfig supervisord on

echo "SELINUX=permissive" > /etc/selinux/config

firewall-cmd --zone=public --add-port=8087/tcp --permanent

shutdown -r now  #Yeah, hack that SE Linux out of here
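Two of the steps above are worth tightening when you repeat this on a box you care about: the installer is piped from a plain-http URL straight into bash, and the echo redirect replaces all of /etc/selinux/config (dropping the SELINUXTYPE= line) rather than changing one setting. The script below is an added example, not from the post and not Heimdall Data’s installer: it stages the download to a file, checks its SHA-256 against an expected value before running it, and edits only the SELINUX= line. The URL is the one from the post; EXPECTED_SHA256 is a placeholder, since the post publishes no digest, and the config file contents used in testing are constructed.

```shell
#!/bin/sh
# Added example, not from the post or from Heimdall Data.
# Stage the installer, verify its digest, then run it; change the SELinux
# mode by editing one line instead of overwriting the whole config file.
set -eu

INSTALLER_URL="http://download.heimdalldata.com/downloads/serverinstall.sh"
EXPECTED_SHA256="REPLACE_WITH_VENDOR_PUBLISHED_SHA256"   # placeholder, not from the post

# verify_sha256 FILE EXPECTED: succeed only if the file's digest matches.
verify_sha256() {
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$2" ]
}

# set_selinux_mode FILE MODE: rewrite just the SELINUX= line in an
# /etc/selinux/config-style file, appending one if none exists, so the
# SELINUXTYPE= line and comments survive.
set_selinux_mode() {
    file=$1
    mode=$2
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELinux mode: $mode" >&2; return 1 ;;
    esac
    if grep -q '^SELINUX=' "$file"; then
        tmp=$(mktemp)
        sed "s/^SELINUX=.*/SELINUX=$mode/" "$file" > "$tmp"
        cat "$tmp" > "$file"      # keeps the original owner and permissions
        rm -f "$tmp"
    else
        printf 'SELINUX=%s\n' "$mode" >> "$file"
    fi
}

# get_selinux_mode FILE: print the configured mode.
get_selinux_mode() {
    sed -n 's/^SELINUX=\(.*\)$/\1/p' "$1"
}

# stage_installer URL DEST: download to a private file so it can be read
# and hashed before anything executes it.
stage_installer() {
    curl -fsSL "$1" -o "$2"
    chmod 0600 "$2"
}

install_heimdall() {
    script=$(mktemp)
    stage_installer "$INSTALLER_URL" "$script"
    if ! verify_sha256 "$script" "$EXPECTED_SHA256"; then
        echo "digest mismatch: refusing to run $script" >&2
        return 1
    fi
    bash "$script"
    set_selinux_mode /etc/selinux/config permissive
    firewall-cmd --zone=public --add-port=8087/tcp --permanent
}

# Only run the install when explicitly asked, as root:
#   HEIMDALL_INSTALL=1 sh install.sh
if [ "${HEIMDALL_INSTALL:-0}" = 1 ]; then
    install_heimdall
fi
```

The reboot from the post still applies after the SELinux change; the script leaves that to you so it can be dry-run on a non-root shell.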

I had a little issue running the proxy on my VM: when it booted, it preferred, and only listened on, the IPv6 addresses. Quick fix in /etc/supervisor/conf.d/heimdallserver.conf, changing the command line from:

command=java -server  -jar /opt/heimdall/heimdallserver.jar

to:

command=java -server -Djava.net.preferIPv4Stack=true  -jar /opt/heimdall/heimdallserver.jar

Reloaded supervisord:

sudo service supervisord restart

Waited a few minutes, tried my web browser, and there it is!

Stay tuned.  In the near future, I’ll do a video walk through of these, and at least two more overall videos.

This is a good start for me to practice some on screen time.   More on that to come!  I can’t wait to share the big news.. you’ll hear LOTS more of me.




© 2023 Fauie Technology
