This is an audience-participation talk on going from a DFIR program with no Threat Intelligence to a basic Threat Intelligence program. The majority of the data needed to start a Threat Intelligence program is probably already being captured by the DFIR program, and this talk is about taking that data, putting context around it to make it information, and then turning that information into something actionable (intelligence).
Attendees of this talk should be able to go back to the office after the conference and enhance their IR programs with Threat Intelligence. The presentation will show what Threat Intelligence is and how to collect the data from their own networks. The talk will cover why the majority of Threat Intelligence shouldn't be paid for until later in the program, while discussing the few things that should be paid for at the start.
In parts of the talk, attendees will help pick the data points to capture and work through the Alternative Competing Hypotheses to figure out the most likely reason for the event or incident.

Chris has done Threat Intelligence analysis for two different Fortune 500 companies. At one of them, he worked on rebuilding the program from scratch. Other talks Chris has given include: using the Raspberry Pi to create a Wireless Intrusion Detection System, Human Trafficking, Campus Crime Mapping, Linux Hardening, and countless presentations on Lockpicking. He has also taught classes on Software Defined Radio and Linux system hardening. You can find him on Twitter as rattis, and his blog posts on rattis.net.
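The data-to-information-to-intelligence progression the abstract describes, and the competing-hypotheses weighing it mentions, as an added example that is not part of the talk or the speaker's material. The incident records, observables, hypotheses and evidence rows are all constructed for illustration; the ACH scoring follows the usual rule of preferring the hypothesis with the fewest inconsistent pieces of evidence.

```python
"""From DFIR case data to an actionable indicator list, plus a minimal
Analysis of Competing Hypotheses (ACH) matrix. Added example: every case
record, observable, hypothesis and evidence row below is constructed."""
from dataclasses import dataclass, field
from datetime import date

# --- Stage 1: raw DFIR data (constructed sample incident records) ------------
# This is what an IR team already has after working a case: the case id,
# the date, the affected host, and the observables found on it.
CASES = [
    {"case": "IR-2020-001", "date": date(2020, 1, 14), "host": "wks-finance-07",
     "observables": [("domain", "update-check.example.invalid"),
                     ("sha256", "b1" * 32), ("ip", "203.0.113.45")]},
    {"case": "IR-2020-004", "date": date(2020, 2, 3), "host": "wks-hr-12",
     "observables": [("domain", "update-check.example.invalid"),
                     ("sha256", "c2" * 32)]},
    {"case": "IR-2020-009", "date": date(2020, 3, 21), "host": "srv-file-01",
     "observables": [("ip", "203.0.113.45"), ("sha256", "b1" * 32)]},
    {"case": "IR-2020-011", "date": date(2020, 4, 2), "host": "wks-sales-03",
     "observables": [("domain", "cdn.example.invalid")]},
]


@dataclass
class Indicator:
    """One observable with the context gathered across all cases."""
    kind: str
    value: str
    cases: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    first_seen: date = date.max
    last_seen: date = date.min


def build_context(cases):
    """Stage 2: data -> information. Aggregate each observable across cases
    so it carries which cases and hosts it appeared in and when."""
    ctx = {}
    for c in cases:
        for kind, value in c["observables"]:
            ind = ctx.setdefault((kind, value), Indicator(kind, value))
            ind.cases.add(c["case"])
            ind.hosts.add(c["host"])
            ind.first_seen = min(ind.first_seen, c["date"])
            ind.last_seen = max(ind.last_seen, c["date"])
    return ctx


def actionable(ctx, min_cases=2):
    """Stage 3: information -> intelligence. Keep only indicators that recur
    across independent cases; those justify a detection rule or a block.
    Ordered by number of cases (descending), then kind and value."""
    picks = [i for i in ctx.values() if len(i.cases) >= min_cases]
    picks.sort(key=lambda i: (-len(i.cases), i.kind, i.value))
    return picks


# --- Weighing explanations: a minimal ACH matrix ----------------------------
# Rows are evidence, columns are hypotheses. Each cell marks the evidence as
# Consistent (C), Inconsistent (I) or Neutral (N) with that hypothesis.
# ACH prefers the hypothesis with the FEWEST inconsistencies, not the most
# consistencies, because one solid contradiction outweighs many fits.
HYPOTHESES = ["commodity malware", "targeted intrusion", "insider"]
EVIDENCE = {
    "same domain on finance and HR workstations": ["C", "C", "I"],
    "same hash on two hosts three months apart":   ["C", "C", "N"],
    "no data staged on the file server":           ["C", "I", "I"],
    "domain registered days before first case":    ["N", "C", "N"],
}


def ach_rank(hypotheses, evidence):
    """Return hypotheses ordered by inconsistency count, and the counts."""
    scores = {h: 0 for h in hypotheses}
    for marks in evidence.values():
        for h, mark in zip(hypotheses, marks):
            if mark == "I":
                scores[h] += 1
    return sorted(hypotheses, key=lambda h: (scores[h], h)), scores


def report(picks):
    """Render the actionable indicators as one line each."""
    return [f"{i.kind} {i.value}: {len(i.cases)} cases, {len(i.hosts)} hosts, "
            f"{i.first_seen} to {i.last_seen}" for i in picks]


if __name__ == "__main__":
    for line in report(actionable(build_context(CASES))):
        print(line)
    ranked, scores = ach_rank(HYPOTHESES, EVIDENCE)
    print("most likely:", ranked[0], scores)
```

Indicators seen in only one case stay in the context store; they may become actionable later when a new case repeats them, which is why the aggregation step is kept separate from the selection step.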
Copyright 2020, IronGeek