Internet threats: The big picture part 0

Daniele Perera
Nov 1

I’ve recently had the fortune to get involved in a really big threat investigation project. I’d like to share with you guys stuff I have been learning and the lab scenarios that I would like to develop in the cloud. Here are my ideas and I’m open to suggestions and proper discussion.

Disclaimer: I’m not an English major; as long as most of the words are in the right order and the right place… let’s be happy.

Part 0 is about collecting as much information as possible and proceeding with the initial plan: developing a big-picture threat analyst scenario that covers collecting IOCs, setting up a SIEM, setting up a honeypot, automating information gathering and building up the infrastructure in the cloud. As I go through this process, I hope to learn more about threat investigations and find out whether there are other related projects worth involving.

So, without further ado, let’s dive in. This is more or less what I’m planning to build over the next blog posts:

  1. Honeypot setup
  2. SIEM setup
  3. Automation
  4. Sandbox
  5. MISP configuration
  6. IOC collection, standardization, and distribution

I know, this is a hard task and maybe even highly ambitious, so I reached out to the Blue team community and asked them for help. This is what we came up with:

https://github.com/paralax/awesome-honeypots

https://github.com/caesar0301/awesome-pcaptools

https://github.com/rshipp/awesome-malware-analysis

https://www.splunk.com/

https://oasis-open.github.io/cti-documentation/stix/intro

https://github.com/CheckPointSW/Cuckoo-AWS

https://github.com/MISP/MISP

https://github.com/OpenCTI-Platform/opencti

For the next few months, I will be testing the above products and trying to get everything going. The main purpose is to create an infrastructure where a threat analyst can check out the most recent attack signatures and malware, isolate IOCs and collect them in a standard format, and ultimately hand them to a platform that distributes the found IOCs to endpoint protection software or network protection devices. Because the endgame is to protect users from malicious actors.

If anyone wants to take part in this journey, you can comment under this post.

Spoiler alert:

The next articles will be more technical and we will have the chance to get our hands dirty.

I’m a student and a CTF player who is interested in, and striving to learn, managing telecommunication networks and their security.
