Welcome to issue seven. Now that this newsletter has really hit its stride, I’d like to expand from this monthly roundup format to include other kinds of content on a regular cadence. I’ve started work on a Sources & Methods website and blog where I can post original analysis and gists of new reports to save you time. Stay tuned!
Thanks for reading,
Matthew Conway (@mattreduce)
GH Archive - If you need to review activity on GitHub.com as part of investigations or incident response, add GH Archive to your toolkit. It provides an archive of events on GitHub as gzipped JSON data. You can download an hour’s worth of events if you know exactly when to look, or years of data since 2011 for an offline archive you can sift through later. The service itself is open source.
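Since GH Archive hands you a gzipped file of newline-delimited JSON events per hour, most of the investigative work is streaming that file and filtering on repository and actor. The following is an added example, not the newsletter's or GH Archive's own code: it builds a small constructed sample in the archive's record shape (the event `type`, `actor.login`, `repo.name`, `created_at` and `payload` fields that GH Archive records carry, an assumption about the schema you should check against a real dump), writes it out gzipped, and then answers the two questions a responder usually starts with: which events touched a repository of interest, and which actors did what there.

```python
"""Offline triage of a GH Archive hourly dump.

Added example for illustration. GH Archive serves each hour as one gzipped
file of newline-delimited JSON events. The sample below is constructed to
match that shape; the logins and repository names are made up.
"""
import gzip
import io
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events (not real GitHub activity).
SAMPLE_EVENTS = [
    {"type": "PushEvent", "actor": {"login": "alice"}, "repo": {"name": "example-org/infra"},
     "created_at": "2023-03-01T14:02:11Z", "payload": {"ref": "refs/heads/main", "size": 1}},
    {"type": "CreateEvent", "actor": {"login": "mallory-bot"}, "repo": {"name": "example-org/infra"},
     "created_at": "2023-03-01T14:05:40Z", "payload": {"ref_type": "branch", "ref": "feature/x"}},
    {"type": "PushEvent", "actor": {"login": "mallory-bot"}, "repo": {"name": "example-org/infra"},
     "created_at": "2023-03-01T14:06:02Z", "payload": {"ref": "refs/heads/feature/x", "size": 3}},
    {"type": "WatchEvent", "actor": {"login": "bob"}, "repo": {"name": "other-org/website"},
     "created_at": "2023-03-01T14:30:00Z", "payload": {"action": "started"}},
    {"type": "DeleteEvent", "actor": {"login": "mallory-bot"}, "repo": {"name": "example-org/infra"},
     "created_at": "2023-03-01T14:45:13Z", "payload": {"ref_type": "branch", "ref": "feature/x"}},
]


def build_archive_bytes(events):
    """Serialise events as gzipped NDJSON, mirroring one hourly dump."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
        for ev in events:
            gz.write((json.dumps(ev) + "\n").encode("utf-8"))
    return buf.getvalue()


def iter_events(gz_bytes):
    """Stream events one line at a time; real hourly files can be large."""
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes), mode="rb") as gz:
        for raw in gz:
            line = raw.decode("utf-8").strip()
            if line:
                yield json.loads(line)


def events_for_repo(gz_bytes, repo_name, types=None):
    """Return events touching repo_name, optionally limited to given event
    types, as (timestamp, type, actor, ref) tuples sorted by time."""
    hits = []
    for ev in iter_events(gz_bytes):
        if ev.get("repo", {}).get("name") != repo_name:
            continue
        if types and ev.get("type") not in types:
            continue
        ts = datetime.strptime(ev["created_at"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        hits.append((ts, ev["type"], ev["actor"]["login"],
                     ev.get("payload", {}).get("ref")))
    hits.sort()
    return hits


def actor_activity(gz_bytes, repo_name):
    """Count event types per actor for one repo: a quick 'who did what' table."""
    counts = {}
    for _, etype, actor, _ in events_for_repo(gz_bytes, repo_name):
        counts.setdefault(actor, Counter())[etype] += 1
    return counts


if __name__ == "__main__":
    archive = build_archive_bytes(SAMPLE_EVENTS)
    for ts, etype, actor, ref in events_for_repo(archive, "example-org/infra"):
        print(ts.isoformat(), etype, actor, ref)
    print(actor_activity(archive, "example-org/infra"))
```

To run this against a downloaded hour, replace `build_archive_bytes(SAMPLE_EVENTS)` with the bytes of the `.json.gz` file; the streaming reader avoids loading the whole hour into memory, and a branch created, pushed to and deleted by the same unfamiliar actor within minutes is exactly the kind of timeline the repo filter surfaces.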
Robert M. Lee - Structuring Cyber Threat Intelligence Assessments: Musings and Recommendations #production #tradecraft
Sysdig - SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft #cloud #containers #analysis
UK Home Office - National Protective Security Authority begins work #gov #partnerships #espionage
Andy Piazza - Goldilocks CTI: Building a Program That’s Just Right #program
SentinelOne - SOC Team Essentials | How to Investigate and Track the 8220 Gang Cloud Threat #howto #cloud
Intelligence and National Security - Critical Intelligence Studies: A new framework for analysis #intelligence #longreads
Self-hostable web application that walks you through a series of questions to map adversary activities to ATT&CK.
IOK (Indicator Of Kit) is an open source ruleset of phishing threat actor tools and tactics.
github.com/WebBreacher/obsidian-osint-templates
These Obsidian templates for OSINT collectors leverage the tool’s excellent features for capturing and reviewing the output from investigations.
github.com/captainGeech42/synapse-sinkdb
If you use Vertex Synapse, this Power-Up can import data or enrich with SinkDB, a free (restricted-access) database of sinkholes.
The pandance Python package provides additional relational operations—fuzzy and theta joins—for working with pandas DataFrames.
“Always think about the data on which your analysis is based. Think about the data you had access to and, more importantly, the data you didn’t. Be as aware as possible of your biases.”
– @bongoknight via Mastodon
Well said! And thanks for sharing.
📍 Strasbourg, FR
📚 Training: Apr 11
📊 Conference: Apr 12–14
🏢 Hilton Strasbourg
🔗 https://www.botconf.eu
Regional Internet Security Event co-hosted by LACNIC and Team Cymru
📍 Merida, MX
📊 Conference May 10–11
🔗 https://www.team-cymru.com/rise-mexico
Submit your talk proposal by March 31st! The conference will pay $500 for each full 30-minute talk.
📍 Arlington, VA, US & Virtual
📊 Conference May 12
🏢 Hilton National Landing
🔗 CFP: https://www.sleuthcon.com/cfp
🔗 Event: https://www.sleuthcon.com
📍 Anaheim, CA, US
📊 Conference Aug 9–11
🏢 Anaheim Marriott
🔗 https://www.usenix.org/conference/usenixsecurity23