Most people are already familiar with Evernote. It’s easy to throw all our miscellaneous data into the Elephant and effortlessly find it later with a quick search, or correlate similar ideas with tags. Evernote becomes an external brain that extends our memory and makes us more productive overall. This presentation discusses an experiment in using Evernote as a defensive management platform, the specific concepts and strategies used, and its overall effectiveness. Specific topics include the advantages of an open and flexible platform that can be molded into an open/closed-source threat intelligence database, an information sharing platform, and an incident case management system. Although using Evernote this way in a large enterprise is probably not feasible, the same lessons learned can be applied to build a similarly effective system on internally hosted open source or commercial software.
2. Disclaimer
• Opinions expressed are my own and do not reflect the views or opinions of:
– my employers
– my customers
– my wife
– my kids
– my parents
– my in-laws
– my high school girlfriend from Canada
Defending the Enterprise with Evernote (NovaInfosec.com, @grecs)
6. NovaInfosec Consulting
• 20 Years Industry/Infosec Experience
• Security Engineering/Architecture
• SOC 2.0/Transformation
• Security Training
datamation.com/cnews/article.php/3851071/Tech-Comics-Cloud-Computing-Consultants.htm
7. PREMISE
Over Engineering
Build (at least try to) Before Buy
8. Premise
Over Engineering
• Tendency to Over-Complicate
• Keep It Simple, Stupid
• What Can We Do Quick & Dirty that Will Get Us 60-70% of the Way There?
• Onboarding Workflow System Example: Solution Fine As Is vs. Estimating Requirements to Develop the Eventual Solution
9. Premise
Build (at least try to) Before Buy
• Before Buying New Commercial Solution
– Try Quick & Dirty Solution In-House First
• Use Tools Already Have & All Familiar With
• Set Up a Good Set of Processes, Since the Quick & Dirty Solution Lacks Safety Checks
• Have Smart People Actually Use Solution for 6-12 Mos.
• Continually Evolve Processes with Lessons Learned
– Maybe that Will Solve Your Needs
– Else Understand What Really Need Commercial
• Invest in People & Process 1st, then Products
• Case In Point: Threat Intel Services
10. BEGINNINGS
Dashboard 1.0
Dashboard 2.0
Dashboard 3.0
Take-Aways
11. Beginnings
Dashboard 1.0
• SOC Security Engineer Position Many Years Ago Working to Create Dashboards
• Wanted to Measure What the Risk Was
• Made Sense to Use the Traditional Risk Equation
– Risk = Threat × Vulnerability (× Impact)
– Had Vulnerability Data Based on Patch & Other Tools
– Threat? Decided to Use Vendor Threat Levels (e.g., SANS INFOCON, Symantec; normalize and average)
12. Beginnings
Dashboard 2.0
• Moved On as Analyst & Wanted to Keep Up
• Had Email Folder for Internal SOC Distros where Analysts Post New & Updated Incidents
– Nothing from Outside (e.g., RSS feeds, external SOC distros, …)
• Prior Dashboard Research Looked Like a Good Place to Start
• Built Own “Risk” Tab on iGoogle via Various RSS Feeds
• Included Internet-Provided Vulnerability & Risk Resources as Well
14. Beginnings
Dashboard 3.0
• Had Since Moved from Feedly to Netvibes, Since It Was Designed from the Ground Up as a Dashboard
• Added “Cyber Intel” Tab with Sources Still Active from Feedly
15. Beginnings
Dashboarding Take-Aways
• Nice for “Blog” Post Feeds
• Tough to Follow for Data-Driven Feeds
– Changing Too Fast
• Feedly Pro / NetVibes VIP
– Keep All Feed Data & Make It Searchable
– Expensive for a One-Off Analyst Resource
• Introduce Concept of One “Bucket” to Dump All Into
• Doesn’t Work for Periodically Updated Data Files
16. PIVOT
Meanwhile…
Rebaseline
The Secret Weapon
Ah Ha
17. Pivot
Meanwhile…
• Threat Intel Market Growing
– Investigating Threat Intel
– Consulted Experts & Users of Threat Intel Services
• Basic Take-Aways
– Fascinating Area with Lots of Cool Things Mathematically Correlated Together in Some Fancy Big Data Model
– Not Much Value Beyond Open Source Resources
– A Lot of Data Not Relevant to Organization
• Dashboard
– Was onto Something
– Pulling all Open Source Info Together
18. Pivot
Rebaseline
• NetVibes VIP but Cheaper & More Flexible
• Bucket to Dump All Data Into
– Blog/Other Feeds
– Data-Driven Feeds
– Data Files
– Other (anything else find – e.g., APT reports)
• Easily Find Data
– Searchable
– Categories
– Tagging for Viewing in Different Ways
• Cloud-Based So Wouldn’t Have to Maintain & Accessible Everywhere
– Email Folder (like in old days but too kludgy)
– Log/Data Aggregation Tools
19. Pivot
The Secret Weapon
• Method for Using Evernote as a GTD-Based Task Mgmt System
– Treat Evernote Like a Database
– Notebook == Table
– Note == Free Form Record
• Organization
– Nested Notebooks
– Hierarchical Tagging (provide metadata structure)
• When (importance – e.g., 0-6)
• What (projects – e.g., SourceBoston, OSINT DB)
• Where (e.g., home, work, etc.)
• Who (e.g., people that action has to do with)
• Combination Above
• Search
– By Notebook, Tag, Keyword, or Combination Thereof
– Saved Searches
20. Pivot
Ah Ha
• Dump All Feeds/Data into Evernote Bucket
• Defined Notebooks & Hierarchical Tags for Metadata (owner, feed, indicator type, etc.)
• Easier to Use than a Heavy Database or Workflow Management System
• Perfect Open & Flexible Framework to Build Off Of
• Start Dumping Everything Into
– Email to Evernote, IFTTT, Zapier, Bash Scripts, etc.
21. THREE SOURCES OF THREAT INTEL
Open Source Intelligence
Information Sharing
Case Management
Existing Solutions
22. Three Sources of Threat Intel
Open Source Intelligence
• Boils Down to
– Indicators (e.g., IPs, Domains, URLs, Hashes, Email Addresses, …)
– Reports (e.g., vendor dossiers on threat TTPs)
• Historically Lots of Open Source Resources
– MalwareDomainList
– Zeus Tracker
– SSL Blacklist
– …
• Don’t Forget Social Networks (e.g., certain people/resources on Twitter)
• Mix in Organizational Data as Well to Enrich (e.g., honeypots)
• Big Need
– Centralized Database to Record All this Information
– Mmm? Perhaps a Shared Evernote Notebook Using Tags to Track?
23. Three Sources of Threat Intel
Intel Sharing
• Groups
– ISACs (FS-ISAC, MS-ISAC, DIB-ISAC, …)
– DIB
– Infragard
• Historically
– Email List
– Bulletin Boards
• Big Need
– Centralized Database to Record All this Information
– Mmm? Perhaps a Shared Evernote Notebook Using Tags to Track?
24. Three Sources of Threat Intel
Case Management
• Pretty Simple with Many Workflow Systems Out There
– Open New Case
– Work It Periodically Adding Comments of What Done
– Eventually Gets Closed
• Many Existing Solutions
– Remedy
– RT
– SharePoint
• Big Need
– Centralized Database to Record All this Information
– Mmm? Perhaps an Evernote Notebook using Tags to Track?
25. Three Sources of Threat Intel
Existing Solutions
• Open Source Intelligence
– Open Source: CRITS, CIF
– Vendors Incorporating into Products
• Intel Sharing
– Email Lists, Bulletin Boards
– Starting to Distribute in Standardized Format (TAXII, STIX)
• Case Management
– Open Source: RT, eTicket, Help Desk Lite, …
– Commercial: Remedy, SharePoint
• All-In-One
– ThreatConnect (free to join; in cloud and on-premises)
• Overall
– Lots of Point Solutions But Not Flexible
– Ease of Use (CEO down to analyst)
– Centralized Database to Record All this Information
26. Evernote OSINT, Intel Sharing, Case Mgmt Database
• Very Easy-to-Use
• Very Elegant
• Very Flexible
• OSINT DB for Searching and Pivoting Around On
• OSINT: Find Something Interesting; Just Clip It into Evernote
• Intel Sharing: Find Something Interesting Going on in Your Network & Want to Share? Just Create a New Note in the Shared Notebook
• Case Management: Establish a Note Template with Standard Tags for Open, Working, Closed
• Create New Meta-Notes that Pull Together Existing Notes (e.g., several OSINT notes, intel from partner network, and cases assigned)
• Tagging: Adversaries, Campaigns, Waves, Individual Attacks, Indicators, OSINT Source, …
27. EN Search
• This is How You Will Find All the Awesomeness You Threw into Evernote
• Tags
• Basic Search
• Advanced Search (specific notebooks, tags, terms, dates, boolean support)
• Example: Search for an IP & Find the Note; Run a Secondary Search Around that Timeline to Discover Similar Happenings
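The pivot described on this slide, as an added example that is not part of the talk: it builds Evernote search-grammar query strings for "find the IP, then search the week around that note" and checks them against a handful of constructed notes offline. The dotted tag names (`source.*`, `ioc.*`, `case.status.*`), the sample notes and the local `evaluate` matcher are assumptions made for the example; the `created:`/`-created:`/`tag:`/`notebook:` terms follow Evernote's published search grammar, which the offline matcher only approximates (AND of all terms, substring word match). The last assertion-style call also shows how the open/working/closed tag scheme from slide 26 becomes a "cases not yet closed" query.

```python
"""Added example, not from the talk: builds Evernote search-grammar queries for
the slide-27 workflow (search for an IP, find the note, then search around that
note's timeline) and checks them against a few constructed notes offline."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Note:
    """Minimal model of the talk's scheme: notebook == table, note == record,
    hierarchical tags == metadata."""
    title: str
    notebook: str
    created: date
    tags: set[str] = field(default_factory=set)
    body: str = ""


# Constructed sample notes (documentation-range IP, invented titles); the tag
# names follow an assumed dotted hierarchy (source.*, ioc.*, case.status.*).
SAMPLE_NOTES = [
    Note("MDL entry 203.0.113.10", "OSINT", date(2015, 4, 7),
         {"source.mdl", "ioc.ip"}, "203.0.113.10 serving exploit kit"),
    Note("Weekly news roundup", "OSINT", date(2015, 4, 8),
         {"source.blog"}, "general industry news, no indicators"),
    Note("SSLBL cert 5e2a1f", "OSINT", date(2015, 4, 9),
         {"source.sslbl", "ioc.sha1"}, "C2 certificate seen on 203.0.113.10"),
    Note("Partner report: phishing wave", "Sharing", date(2015, 4, 11),
         {"source.partner", "campaign.wave3"}, "lures point to 203.0.113.10/login"),
    Note("Case 42: workstation beacon", "Cases", date(2015, 5, 20),
         {"case.status.open", "ioc.ip"}, "host beaconing to 203.0.113.10"),
]


def ip_query(ip: str) -> str:
    """Quote the IP so the dots are searched as one phrase, not word separators."""
    return f'"{ip}"'


def timeline_query(hit: Note, days: int = 7, tag: str | None = None,
                   notebook: str | None = None) -> str:
    """Evernote grammar (assumed from its published search syntax):
    created:YYYYMMDD is 'on or after', -created:YYYYMMDD is 'before',
    and all terms are ANDed."""
    start = hit.created - timedelta(days=days)
    end = hit.created + timedelta(days=days + 1)   # exclusive upper bound
    parts = [f"created:{start:%Y%m%d}", f"-created:{end:%Y%m%d}"]
    if notebook:
        parts.append(f'notebook:"{notebook}"')
    if tag:
        parts.append(f"tag:{tag}")
    return " ".join(parts)


# Tokenizer for the subset of the grammar used here: key:"quoted", key:value,
# "quoted phrase", bare word; a leading '-' negates the term.
TOKEN_RE = re.compile(r'-?\w+:"[^"]*"|-?\w+:\S+|"[^"]*"|\S+')


def evaluate(query: str, notes: list[Note]) -> list[Note]:
    """Offline approximation of the server-side search (AND of all terms,
    substring match for words), returned oldest first."""
    def term_matches(term: str, n: Note) -> bool:
        negate = term.startswith("-")
        term = term[1:] if negate else term
        if ":" in term:
            key, _, val = term.partition(":")
            val = val.strip('"')
            if key == "created":
                ok = n.created >= date(int(val[:4]), int(val[4:6]), int(val[6:8]))
            elif key == "tag":
                ok = val in n.tags
            elif key == "notebook":
                ok = n.notebook == val
            else:
                raise ValueError(f"unsupported search term: {key}")
        else:
            word = term.strip('"').lower()
            ok = word in n.title.lower() or word in n.body.lower()
        return ok != negate

    terms = TOKEN_RE.findall(query)
    matched = [n for n in notes if all(term_matches(t, n) for t in terms)]
    return sorted(matched, key=lambda n: n.created)


def pivot(ip: str, notes: list[Note], days: int = 7):
    """Slide-27 workflow: find the earliest note mentioning the IP, then
    return (timeline query, other notes created within +/- days of it)."""
    hits = evaluate(ip_query(ip), notes)
    if not hits:
        return None, []
    first = hits[0]
    query = timeline_query(first, days)
    related = [n for n in evaluate(query, notes) if n is not first]
    return query, related


if __name__ == "__main__":
    q, related = pivot("203.0.113.10", SAMPLE_NOTES)
    print(q)
    for n in related:
        print(n.created, n.notebook, n.title, sorted(n.tags))
```

Note what the timeline pivot surfaces that the IP search alone does not: the "Weekly news roundup" note shares no indicator or tag with the hit, but it was created in the same window, which is exactly the "what was going on that week" view the talk wants. The case from May, which does contain the IP, is correctly outside the window, so the two searches answer different questions and should be run in sequence rather than merged.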
28. Automation
• IFTTT/Zapier to Get Basic RSS Feeds into EN
– Easy to Implement
– Limited to Partial Data (useful data often not in title/intro)
• IFTTT/Zapier with Email Integration to Get Data into EN
– Helps Some if the Source Offers a Mailing List with Full Data
• Write Own RSS Site Scraper (e.g., FiveFilters to Extract Full RSS Post Content)
• Open Source Implementations of IFTTT Exist Too
• Spin Up AWS Server & Cron Scripts that Periodically Pull Down Intel Files & Insert into Evernote
• CIF Feeds
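The cron-script route from this slide, combined with the notebook and hierarchical tag scheme from slide 20, as an added example that is not the talk's own script. It parses a constructed blocklist-style file (documentation-range IP, reserved example domains, the EICAR hash; nothing real), classifies each indicator, de-duplicates across runs, and builds one ENML note per indicator with `source.*`, `ioc.*`, `seen.*` and `owner.*` tags. The tag names, the de-duplication key and the `OSINT` notebook are assumptions for the example. Only the `push_to_evernote` function touches the network; it assumes the official Evernote Python SDK and is kept separate so everything else runs offline. The `email_subject` helper shows the email-to-Evernote route from the same slide, assuming Evernote's `@Notebook` / `#tag` subject-line convention.

```python
"""Added example, not the talk's own script: the slide-28 "cron job pulls down
intel files and inserts them into Evernote" step, using the notebook/tag
scheme from slide 20.  Parsing and note building run offline on constructed
data; the Evernote push is isolated in one function and assumes the SDK."""
from __future__ import annotations
import hashlib
import re
from html import escape

# Constructed sample feed in the comment-prefixed CSV style of the older
# blocklists (documentation-range IP, reserved example domains, EICAR hash).
SAMPLE_FEED = """\
# sample blocklist export (constructed for this example)
# first_seen,indicator,description
2015-04-07,203.0.113.10,exploit kit landing page
2015-04-07,malware.example.net,drops banking trojan
2015-04-08,http://www.example.org/update/payload.exe,payload download
2015-04-08,44d88612fea8a8f36de82e1278abb02f,EICAR test file hash
2015-04-08,203.0.113.10,exploit kit landing page
this line is malformed and must be skipped
"""

# Ordered: URL before domain so "http://host/path" is not read as a domain,
# hash before domain so a hex string is not read as a hostname.
IOC_PATTERNS = [
    ("url", re.compile(r"^[a-z][a-z0-9+.-]*://\S+$", re.I)),
    ("ip", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),
    ("hash", re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)),
    ("email", re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")),
    ("domain", re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)),
]
ENML_HEAD = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<!DOCTYPE en-note SYSTEM "http://xml.evernote.com/pub/enml2.dtd">')


def classify(indicator: str) -> str | None:
    """Map a raw string to an indicator-type tag, or None if it is not an IOC."""
    for kind, pattern in IOC_PATTERNS:
        if pattern.match(indicator):
            return kind
    return None


def parse_feed(text: str, source: str) -> list[dict]:
    """Skip comments and malformed lines; keep only recognisable indicators."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",", 2)]
        if len(parts) != 3:
            continue            # malformed row; a real job would log it
        seen, indicator, desc = parts
        kind = classify(indicator)
        if kind is None:
            continue
        rows.append({"source": source, "seen": seen, "indicator": indicator,
                     "kind": kind, "desc": desc})
    return rows


def note_key(source: str, indicator: str) -> str:
    """Assumed de-duplication key: same source + indicator == same note."""
    return hashlib.sha256(f"{source}|{indicator.lower()}".encode()).hexdigest()[:16]


def build_note(row: dict) -> dict:
    """One note per indicator: ENML body plus the hierarchical tags that make
    the notebook searchable by source, type and month (tag names assumed)."""
    tags = [f"source.{row['source']}", f"ioc.{row['kind']}",
            f"seen.{row['seen'][:7]}", "owner.automation"]
    body = (f"{ENML_HEAD}<en-note>"
            f"<div>Indicator: {escape(row['indicator'])}</div>"
            f"<div>Type: {row['kind']}</div>"
            f"<div>First seen: {escape(row['seen'])}</div>"
            f"<div>Description: {escape(row['desc'])}</div>"
            f"<div>Key: {note_key(row['source'], row['indicator'])}</div>"
            "</en-note>")
    title = f"[{row['source']}] {row['kind']} {row['indicator']}"[:255]
    return {"title": title, "notebook": "OSINT", "tags": tags, "content": body}


def email_subject(note: dict) -> str:
    """Email-to-Evernote route: '@Notebook' and '#tag' in the subject line
    file the mail into that notebook with those tags (assumed convention)."""
    return " ".join([note["title"], f"@{note['notebook']}",
                     *[f"#{t}" for t in note["tags"]]])


def ingest(text: str, source: str, already_seen: set[str]) -> list[dict]:
    """One cron run: return notes for indicators not pushed on earlier runs."""
    new_notes = []
    for row in parse_feed(text, source):
        key = note_key(source, row["indicator"])
        if key in already_seen:
            continue
        already_seen.add(key)
        new_notes.append(build_note(row))
    return new_notes


def push_to_evernote(notes: list[dict], token: str, sandbox: bool = True) -> list[str]:
    """Assumes the official Evernote Python SDK (`pip install evernote`);
    imported here so everything else runs offline.  Notebook placement needs
    a notebookGuid, omitted here, so notes land in the default notebook."""
    from evernote.api.client import EvernoteClient
    import evernote.edam.type.ttypes as Types
    store = EvernoteClient(token=token, sandbox=sandbox).get_note_store()
    return [store.createNote(Types.Note(title=n["title"], content=n["content"],
                                        tagNames=n["tags"])).guid for n in notes]
```

Running `ingest(SAMPLE_FEED, "mdl", seen)` twice with the same `seen` set returns four notes the first time (the repeated IP and the malformed line are dropped) and nothing the second time, which is the behaviour a periodic job needs so the bucket does not fill with duplicates; persist `seen` (or search Evernote for the `Key:` line) between cron runs. Because the page's own caveat is that a quick-and-dirty solution lacks safety checks, the parser deliberately refuses anything it cannot classify rather than creating a note for it.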
31. Future
• More OSINT Resources
– Deconflict Sites with Multiple Feeds & Add if Needed
– File-Based Pulls (script / replace existing RSS)
– Vendor APT Reports
(https://github.com/kbandla/APTnotes)
– General News Blogs to Track What’s Going On Around a Specific Time Period
• Start with a Finding from Search, then Back Out to See What Was Going On the Week Before or After
– Integration with CIF to Centralize/Tag Data
• Formalize Tag Structures
32. Conclusion
• Lots of Point Solutions, but None Bring It All Together Like Good Ol’ Evernote
• Start with Evernote to “Figure Stuff Out”
• In the End, Figure Out What Your Requirements Are & Buy/Implement a More Custom Solution