Beer, Squirrels and other Vetting Patterns.

Randomly start talking to people at a conference. Head out to a bar, have a few beers, decide to build a mailing list and take down a botnet together. Create professional life partnerships. It's one of the more successful patterns, because you believe you can do anything when you get a few beers in you. All other (successful) patterns usually have their origins in this pattern, or something like it: it could be a bar, it could be a game night at a coffee house; beer helps, but isn't always required.

Drinking from the FireHose.

... and in less than 5min you're streaming all the public data from within CSIRTG (which, at the time of this writing, consists mostly of various types of scanning activity from honeypots as well as odd-ball spam/phishing URLs, email addresses, email attachment hashes, etc.).

There is also an example feed and correlation tool to help get you started, maybe even generate an idea or two. The correlation tool watches the scanners coming across all the feeds in real time and simply produces a correlated indicator when it finds the same indicator created by 3 different users within a 24-hour period. Crazy simple, yet it produces a list of highly suspicious actors that can be confidently acted on in your security infrastructure.

Not sure if chat bot...

...with chatbots, we can hyper-focus those contexts and interactions to generate a more meaningful experience. If we're in a chatroom, talking about an indicator, the subtlety of a bot PM'ing us mid-conversation and suggesting "hey! i know about that- here are some links..." can be quite useful. You obviously don't want the bot to be too spammy, but with the right combination of query-ability and common sense, it can be the subtle difference between finding that breach you've been hunting for- and not...

Exploding Woodchucks...

A buddy of mine and I were talking one day about businesses. Working with them, partnering with them, and more importantly .. starting them. There's a famous saying, "ideas are a dime a dozen, everyone's got one and none of them are of any value". Finally, after years of watching fads come and go- I get it. Something like 90% of new businesses fail in the first few years, not because their ideas were bad, but because of three things- market timing, money and execution.

Deploying Threat Intelligence Platforms- in 10min or less.

If you run an open-source project, you have no time to spend on testing deployments- so you AUTOMATE ALL THE THINGS, from testing to install, across as many platforms as you possibly can.. because if you give folks documentation, they will not read it, but if you give them an easy button- they'll BASH THE HELL OUT OF IT. What you quickly figure out is how many different ways they'll then want to bend, tweak and scale out your application. This leads to more questions, more answers, more time (did I mention you're not really making any money from this, it's all goodwill... you learn a lot, but you also lose a lot of time with your family... depending on your situation, maybe good, maybe bad).

Mining BitCo^H^H^H^H^HSpam...

For anyone that's ever tried, there's no 'one way' to parse email. It's one of those long-standing protocols that was developed during a different period of time, is extremely resilient, can carry just about anything, works across different encodings and systems, and will do just about anything you want it to. The very thing that makes it so versatile is the very thing that makes it extremely difficult to parse well. Transporting email is easy; most of the headers and other implementation details in the RFC define that pretty well. It's what's IN the messages that's important (and hard)....