“I thought all I had to do was show the data and people would understand. It doesn’t work. You have to tell a story” – Cliff Stoll.
Easier said than done, right? Being able to tell a compelling story that can answer key questions like: who is attacking us, what is their motivation, were they here before, how do they operate, what is the impact to our business, and will they come back, should be one of the ultimate goals of any effective blue team. However, being successful at embedding cyber threat intel in SecOps require something else: maintaining a solid understanding of the environment we are defending, as well as a systematic way to identify and prioritize applicable threats and assess impact, so we can respond appropriately to these attacks.
In this talk, Ismael Valenzuela, Certified SANS Instructor and GSE #132, will share lessons learned and practical tips on how blue teams can not only consume but also produce actionable and contextual threat intelligence using tools, processes, models and taxonomies that are available to the community.
Slides: