Summary
The SANS @ Night session "Threat Intelligence: Neighborhood Watch for Your Networks & Why Baselining Matters", delivered by Matthew J. Harmon on July 20, 2016, explains how combining crowdsourced Indicators of Compromise (IoCs) with disciplined network baselining lets defenders spot, prioritize, and respond to threats before they escalate.
State of Cyber Security
Harmon opens by framing the state of cybersecurity: against a motivated adversary a breach is inevitable, which is why defenders need threat intelligence rather than prevention alone. He walks through the CIA's 15 Axioms for Intelligence Analysts, defines the common IoC types (DNS host names, IP addresses, URLs, and file hashes), and outlines the CybOX, STIX, and TAXII standards for describing, packaging, and exchanging structured threat data. A real-world case study traces a Dyreza banking-trojan infection from anomalous traffic back to the phishing emails that delivered it, packages the findings into a STIX header, and shares them over TAXII. He then compares commercial and open-source intelligence feeds: ThreatConnect for expert-curated data and CriticalStack Intel for aggregated IoCs in TSV format, showing how organizations can use these resources for timely, actionable insight.
Baselining
Next, the presentation turns to the critical role of baselining: defenders must know what normal looks like on their own network before they can recognize deviations from it. Harmon introduces the key open-source tools, Bro (traffic analysis), PRADS (passive asset discovery), Sguil (alert management), and LOKI (IoC scanning), and shows how they fit together within the Security Onion distribution. He provides a do-it-yourself lab outline: install Security Onion, subscribe to CriticalStack feeds, configure Bro and YARA rules, and deploy a network tap for continuous monitoring. By combining structured threat intelligence with continuous baselining, organizations can identify both emerging campaigns and internal anomalies, materially improving their detection and response capabilities.
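The lab outline above, and the feed comparison in the previous section, reduce to two mechanical steps: match feed indicators against Bro logs, and compare current activity with a recorded baseline. The Python script below is an added illustration of both, not code from the talk, from CriticalStack, or from Security Onion. It reads an indicator file in the Bro Intel Framework TSV layout (the `#fields indicator indicator_type meta.source ...` format the Bro intel framework consumes, which is how CriticalStack's aggregated feeds were delivered), matches the `Intel::DOMAIN` and `Intel::ADDR` entries against a Bro `dns.log` excerpt, and then reports the domains each internal host queried that never appeared during a baseline capture. Every indicator, hostname, address, and log line is a constructed placeholder; the parser is header-driven, so a real `dns.log` with its full column set can be fed in unchanged.

```python
"""Match Bro-format intel against dns.log and flag baseline deviations.

Added example; not part of the SANS session, CriticalStack, or Security Onion.
All feed entries and log lines below are constructed placeholders.
"""
from collections import defaultdict

# Constructed indicator file in the Bro Intel Framework TSV layout.
INTEL_TSV = """#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.url
bad-example.invalid\tIntel::DOMAIN\texample-feed\tconstructed C2 domain\thttps://feed.example
198.51.100.7\tIntel::ADDR\texample-feed\tconstructed C2 address\thttps://feed.example
d41d8cd98f00b204e9800998ecf8427e\tIntel::FILE_HASH\texample-feed\tconstructed hash\thttps://feed.example
"""

# Constructed dns.log excerpts. Real Bro logs carry more columns and extra
# '#'-prefixed header lines; the parser only needs the '#fields' line.
BASELINE_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tquery\tanswers
1468886400.0\tB1\t10.0.0.5\t50001\t10.0.0.2\t53\tintranet.corp.example\t10.0.0.20
1468886401.0\tB2\t10.0.0.5\t50002\t10.0.0.2\t53\tmail.corp.example\t10.0.0.21
1468886402.0\tB3\t10.0.0.9\t50003\t10.0.0.2\t53\tupdate.vendor.example\t203.0.113.44
"""

DNS_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tquery\tanswers
1468972800.1\tC1\t10.0.0.5\t52311\t10.0.0.2\t53\tintranet.corp.example\t10.0.0.20
1468972801.2\tC2\t10.0.0.5\t52312\t10.0.0.2\t53\tmail.corp.example\t10.0.0.21
1468972802.3\tC3\t10.0.0.9\t52313\t10.0.0.2\t53\tbad-example.invalid\t198.51.100.7
1468972803.4\tC4\t10.0.0.9\t52314\t10.0.0.2\t53\tupdate.vendor.example\t203.0.113.44
"""


def parse_bro_tsv(text):
    """Yield one dict per data row; the '#fields' header supplies the keys."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):          # #separator, #path, #open, #close ...
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        yield dict(zip(fields, line.split("\t")))


def load_intel(text):
    """Index indicators as {(indicator_type, indicator): row}; domains lower-cased."""
    return {(row["indicator_type"], row["indicator"].lower()): row
            for row in parse_bro_tsv(text)}


def match_dns(dns_text, intel):
    """Exact-match queried names and resolved addresses against the intel index.

    Returns (uid, id.orig_h, indicator_type, indicator) tuples, one per hit.
    """
    hits = []
    for row in parse_bro_tsv(dns_text):
        query = row["query"].lower()
        if ("Intel::DOMAIN", query) in intel:
            hits.append((row["uid"], row["id.orig_h"], "Intel::DOMAIN", query))
        for answer in row["answers"].split(","):   # Bro vectors are comma-joined
            if ("Intel::ADDR", answer) in intel:
                hits.append((row["uid"], row["id.orig_h"], "Intel::ADDR", answer))
    return hits


def baseline_deviations(dns_text, baseline_text):
    """Per source host, list queried names that never appeared in the baseline."""
    seen = defaultdict(set)
    for row in parse_bro_tsv(baseline_text):
        seen[row["id.orig_h"]].add(row["query"].lower())
    new = defaultdict(list)
    for row in parse_bro_tsv(dns_text):
        query = row["query"].lower()
        if query not in seen.get(row["id.orig_h"], set()):
            new[row["id.orig_h"]].append(query)
    return dict(new)


if __name__ == "__main__":
    intel = load_intel(INTEL_TSV)
    for uid, host, kind, value in match_dns(DNS_LOG, intel):
        meta = intel[(kind, value)]
        print(f"INTEL HIT {uid} {host} {kind} {value} [{meta['meta.source']}: {meta['meta.desc']}]")
    for host, names in baseline_deviations(DNS_LOG, BASELINE_LOG).items():
        print(f"NEW FOR {host}: {', '.join(names)}")
```

The two reports answer different questions: the intel match tells you a feed already knows the destination, while the baseline deviation flags a host talking to something it never talked to before, whether or not any feed has caught up. Running both over the same logs is the point of the session: the constructed `10.0.0.9` row fires on both, but a genuinely new campaign would show up only in the second report. Domain matching here is exact, mirroring the feed format; subdomain matching would need an extra parent-name walk.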