2 min read

Sources & Methods Newsletter #7 - March 2023

Welcome to issue seven. Now that this newsletter has really hit its stride, I'd like to expand from this monthly roundup format to include other kinds of content on a regular cadence. I've started work on a Sources & Methods website and blog where I can post original analysis and gists of new reports to save you time. Stay tuned!

Thanks for reading,

Matthew Conway (@mattreduce)

πŸ“ Sources

GH Archive - If you need to review activity on GitHub.com as part of investigations or incident response, add GH Archive to your toolkit. It provides an archive of events on GitHub as gzipped JSON data. You can download an hour's worth of events if you know exactly when to look, or years of data since 2011 for an offline archive you can sift through later. The service itself is open source.

πŸ“° Articles

Robert M. Lee - Structuring Cyber Threat Intelligence Assessments: Musings and Recommendations #production #tradecraft

Sysdig - SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft #cloud #containers #analysis

UK Home Office - National Protective Security Authority begins work #gov #partnerships #espionage

Andy Piazza - Goldilocks CTI: Building a Program That's Just Right #program

SentinelOne - SOC Team Essentials | How to Investigate and Track the 8220 Gang Cloud Threat #howto #cloud

Intelligence and National Security - Critical Intelligence Studies: A new framework for analysis #intelligence #longreads

πŸ›  Tools



Self-hostable web application that walks you through a series of questions to map adversary activities to ATT&CK.



IOK (Indicator Of Kit) is an open source ruleset of phishing threat actor tools and tactics.



These Obsidian templates for OSINT collectors leverage the tool's excellent features for capturing and reviewing the output from investigations.



If you use Vertex Synapse, this Power-Up can import data or enrich with SinkDB, a free (restricted-access) database of sinkholes.



The pandance Python package provides additional relational operationsβ€”fuzzy and theta joinsβ€”for working with pandas DataFrames.

πŸ’‘ Tip

"Always think about the data on which your analysis is based. Think about the data you had access to and, more importantly, the data you didn't. Be as aware as possible of your biases."

-- @bongoknight via Mastodon

Well said! And thanks for sharing.

πŸ“† Events

Botconf 2023

πŸ“ Strasbourg, FR
πŸ“š Training: Apr 11
πŸ“Š Conference: Apr 12–14
🏒 Hilton Strasbourg
πŸ”— https://www.botconf.eu

RISE Mexico 2023

Regional Internet Security Event co-hosted by LACNIC and Team Cymru

πŸ“ Merida, MX
πŸ“Š Conference May 10-11
πŸ”— https://www.team-cymru.com/rise-mexico


Submit your talk proposal by March 31st! The conference will pay $500 for each full 30 minute talk.

πŸ“ Arlington, VA, US & Virtual
πŸ“Š Conference May 12
🏒 Hilton National Landing
πŸ”— CFP: https://www.sleuthcon.com/cfp
πŸ”— Event: https://www.sleuthcon.com

USENIX Security '23

πŸ“ Anaheim, CA, US
πŸ“Š Conference Aug 9–11
🏒 Anaheim Marriott
πŸ”— https://www.usenix.org/conference/usenixsecurity23