Summary

The SANS @ Night session Threat Intelligence: Neighborhood Watch for Your Networks by Matthew J. Harmon introduces the concept of crowdsourced cyber threat intelligence as a critical component of modern defense. Harmon defines threat intelligence as the collection of Indicators of Compromise (DNS hosts, IP addresses, email addresses, URLs, and file hashes), enriched with contextual information about campaigns, tactics, techniques, and procedures (TTPs) to produce actionable insights. He stresses that confidence in data varies from unvetted open-source feeds to expert-curated platforms, and that standardized formats such as CybOX for observables, STIX for structured information, and TAXII for automated exchange enable seamless sharing across organizational boundaries.

Through a step-by-step case study, Harmon demonstrates how to apply these standards in practice: identifying excessive traffic on a server, back-tracing it to a phishing email with a malicious ZIP attachment, extracting MD5 hashes and C2 IPs, and packaging them into a STIX header with appropriate Course of Action blocks. He then compares two data-sharing solutions: ThreatConnect, which offers high-confidence, expert-vetted intelligence via CybOX/STIX/TAXII; and CriticalStack Intel, which aggregates over a hundred open-source IoC feeds in simple tab-separated values for rapid integration with Bro (the network analysis framework). To reinforce the concepts, Harmon outlines a hands-on lab deploying Bro or Security Onion, subscribing to Intel feeds, and using bro-cut to validate detections, underscoring the power of a community-driven neighborhood watch to elevate collective security posture.
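As an added example (not material from Harmon's talk or the lab), the feed-and-validation step in Python: it renders extracted IoCs as a Bro Intel-framework TSV feed and mimics bro-cut to pull matched indicators out of intel.log. The indicator values and the intel.log excerpt are constructed placeholders, not real IoCs.

```python
"""Build a Bro Intel-framework feed from extracted IoCs and check intel.log
matches against it, the way bro-cut would. All sample data is constructed."""

# Indicators of the kind lifted in the case study: the MD5 of the ZIP
# attachment and the C2 IP. Constructed placeholder values.
IOCS = [
    ("d41d8cd98f00b204e9800998ecf8427e", "Intel::FILE_HASH", "phishing ZIP attachment"),
    ("198.51.100.23", "Intel::ADDR", "C2 beacon destination"),
]

FEED_FIELDS = ["indicator", "indicator_type", "meta.source", "meta.desc"]

def build_intel_feed(iocs, source="neighborhood-watch"):
    """Render IoCs as a Bro Intel-framework input file (TSV with a #fields header)."""
    lines = ["#fields\t" + "\t".join(FEED_FIELDS)]
    for indicator, itype, desc in iocs:
        lines.append("\t".join([indicator, itype, source, desc]))
    return "\n".join(lines) + "\n"

def bro_cut(log_text, *fields):
    """Minimal bro-cut: select named columns from a Bro TSV log via its #fields header."""
    names, rows = None, []
    for line in log_text.splitlines():
        if line.startswith("#fields"):
            names = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue          # other metadata lines (#separator, #path, #close ...)
        elif names is None:
            raise ValueError("data row before #fields header")
        else:
            rec = dict(zip(names, line.split("\t")))
            rows.append(tuple(rec[f] for f in fields))
    return rows

# Constructed intel.log excerpt in Bro's TSV layout (only the columns needed here).
INTEL_LOG = "\n".join([
    "#separator \\x09",
    "#path\tintel",
    "#fields\tts\tid.orig_h\tid.resp_h\tseen.indicator\tseen.indicator_type\tseen.where\tsources",
    "1425000000.123456\t192.0.2.10\t198.51.100.23\t198.51.100.23\tIntel::ADDR\tConn::IN_RESP\tneighborhood-watch",
    "1425000001.654321\t192.0.2.10\t203.0.113.5\td41d8cd98f00b204e9800998ecf8427e\tIntel::FILE_HASH\tFiles::IN_HASH\tneighborhood-watch",
    "#close\t2015-03-01-00-00-00",
])

def validate_detections(log_text, iocs):
    """Return the (indicator, type) pairs in intel.log that correspond to a fed IoC."""
    fed = {(i, t) for i, t, _ in iocs}
    seen = bro_cut(log_text, "seen.indicator", "seen.indicator_type")
    return [s for s in seen if s in fed]
```

A detection that appears in intel.log but not in the returned list came from another feed (check its `sources` column), which is the kind of check the lab's bro-cut step is meant to make.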

Presentation

Threat Intelligence: Neighborhood Watch for your Networks (slides)

Threat Intelligence: Neighborhood Watch for your Networks, Script