Can Ducks Teach Us how to Share: What hunting Qakbot and other threats teach us about CTI
Do current industry Threat Intelligence practices often leave you tired of chasing IoCs, only to find previously remediated victim servers and terminated cloud instances, leaving you feeling unprepared to face the threat you've just been informed of?
What can hunting for Qakbot and other threats teach us about how we can improve our Cyber Threat Intelligence?
Some threats evolve so quickly that attacks on our environments precede the intel and signatures needed to detect and prevent them. Our adversaries can leverage ephemeral or compromised infrastructure so effectively that by the time CTI contributors and vendors are able to aggregate, analyze, and disseminate actionable intelligence, the adversaries have moved on. Botnets composed of Internet of Things appliances, enterprise servers, and personal computing devices host services available for rent on eCriminal marketplaces. Networks such as these, automation, affiliate programs, and other third-party eCriminal services empower the adversaries we face today.
That doesn't mean Threat Intelligence Sharing is dead; however, perhaps the evolving toolsets of our adversaries and their growing collaboration can be met with some adaptation of our own. Let's talk about how the Threat Hunting discipline has enabled a new level in the ongoing evolution of Threat Information Sharing.
In this talk, we will examine some CTI-driven Threat Hunts for elusive and dangerous threats while considering the lessons they have to teach us about our Threat Intelligence Sharing.

Christian Taillon
Threat Response Engineer - Grand Canyon Education
Phoenix, Arizona, United States