Internet threats: The big picture part 0

I’ve recently had the fortune to get involved in a really big threat investigation project. I’d like to share with you guys the stuff I have been learning and the lab scenarios that I would like to develop in the cloud. Here are my ideas, and I’m open to suggestions and proper discussion.
Disclaimer: I’m not an English major; as long as most of the words are in the right order and the right place… let’s be happy.
Part 0 is about collecting as much information as possible and proceeding with the initial plan: developing a big-picture threat analyst scenario that covers collecting IOCs, setting up a SIEM, setting up a honeypot, automating information gathering and building up the infrastructure in the cloud. As I go through this process, I hope to learn more about threat investigations and about any other projects that turn out to be involved.
So, without further ado, let’s dive in. This is more or less what I’m planning to build during the next blog posts:
- Honeypot setup
- SIEM setup
- Automation
- Sandbox
- MISP configuration
- IOC collection, standardization, and distribution
I know, this is a hard task and maybe even highly ambitious, so I reached out to the Blue team community and asked them for help. This is what we came up with:
https://github.com/paralax/awesome-honeypots
https://github.com/caesar0301/awesome-pcaptools
https://github.com/rshipp/awesome-malware-analysis
https://oasis-open.github.io/cti-documentation/stix/intro
For the next few months, I will be testing the above products and trying to get everything going. The main purpose is to create an infrastructure where a threat analyst can check out the most recent attack signatures and malware, isolate IOCs and collect them into a standard format, and ultimately hand them to a platform that distributes the found IOCs to endpoint-protection software or network-protection devices. Because the endgame is to protect the users from malicious actors.
If anyone wants to take part in this journey, you can comment under this post.
Spoiler alert:
The next articles will be more technical and we will have the chance to get our hands dirty.
