Threat Report Roulette will not discuss normal (BAU) CTI actions, such as searching the logs for hits on the IOCs or entering the IOCs into a Threat Intelligence Platform (TIP) or other alerting platform. Instead, the participants will focus on pivoting, TTPs, and how they would take the contents in the Threat Report to the NEXT LEVEL! When the Panelists respond to the threat reports, they are operating under the assumption that they performed the preliminary analysis and deemed the threat report relevant to their environment. The purpose of this assumption is to decrease the amount of debate on whether or not something is relevant to get to the part of the analysis that involves extracting actionable takeaways.
Spin the Threat Report Roulette Wheel – Link
Moderator calls on Participant.
Participant is in the Hot Seat:
15 seconds to organize their thoughts.
1-5 minutes to share their thoughts on how they would get value out of the report.
3-5 minutes to share their insights as a group. Quick commentary that is short, sweet, rapid-fire, direct, and to the point!
Rinse & Repeat!
Check out our Github with links to the reports: https://github.com/ch33r10/DEFCON29-BTV-ThreatReportRoulette