Sources & Methods Newsletter #20 - November 2024
Sources
OSSF Malicious Package Registry - the Securing Critical Projects Working Group of the Open Source Security Foundation (OpenSSF) maintains a collection of reports of malicious packages identified in open source repositories in Open Source Vulnerability (OSV) format.
Information
Sophos - Pacific Rim: Inside the Counter-Offensive - The TTPs Used to Neutralize China-Based Threats #PRC #strategic
CMU - Leveraging Threat Intelligence to Support Resilience, Risk, and Project Management #crossdiscipline
US CISA - People's Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action #PRC
Red Canary - A Defender's Guide to Crypters and Loaders #malware #crypters #loaders
Unit 42 - Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors #malware #macOS #Linux
Vertex Project - Merging Threat Clusters #tooling #howto
Jason Atwell - Using Language Models as an Analytical Writing Partner #LLMs #HumanAITeaming
Cisco Talos - Inside the ransomware playbook: Analyzing attack chains and mapping common TTPs #ransomware #operational
Anton Chuvakin - Threat-informed Defense Is Hard, So We Are Still Not Doing It! #program #integration
Tools
CTI Chef
CTI Chef is an online tool for visualizing STIX Objects and Relationships using an open source library I've previously shared, stixview.
Insider Threat Matrix
Here's a taxonomy in the spirit of MITRE ATT&CK and others for modeling the activities of insider threats. If you've had a hard time expressing insider threat behaviors in ATT&CK terms or would like a boost in building your mental model of insider threat TTPs, check this out.
synapse-validin
github.com/EXC3L-ONE/synapse-validin
Enrich IPv4 and FQDN nodes in Vertex Synapse with Validin using this Power Up.
notion-stix
github.com/brittonhayes/notion-stix
This self-hostable service allows you to seamlessly integrate knowledge from STIX bundles into Notion, for folks who use it to collaborate with their team.
proof-value-cti
github.com/cudeso/proof-value-cti
A handy guide to proving the value of a CTI program, mapped to each level of intelligence. See anything missing? Pull Requests are welcome!
Tip
Take a cue from designers and create threat intelligence "personas" for each of your stakeholders. Tailor the content, length, format, and frequency of your products for them based on their profiles. Don't forget to ask for feedback and update these personas accordingly.
Events
CYBERWARCON
Arlington, VA, US and online
November 22nd, 2024
https://www.cyberwarcon.com/
SANS CTI Summit
Alexandria, VA, US and online
January 27-28th, 2025
https://www.sans.org/cyber-security-training-events/cyber-threat-intelligence-summit-2025/