Hello, welcome to the Friday, January 27th, 2017 edition of the Sandcent Storm Center's Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Xavier today has an article about what happens if you over-automate and somewhat over-simplify your threat intelligence. Of course, we all want to make our threat

intelligence actionable, and one way we do this is that we feed it into an IDS, so we are

automatically creating IDS rules that will alert us if it sees something that showed up in our threat intelligence feed. Xavier

uses as an example MISP, which is an open source collector of various feeds and it can then

convert the data it collects into snort rules. Of course you have to be careful and that's

what Xavier's article is about, that you are

not creating tons of false positives, and that you're testing these rules carefully before

you deploy them on a live sensor.

One thing I would add to this article is that when you are collecting threat intelligence

feats from various sources,

keep some metrics as to how good these feeds are. Do they actually save your time? Do they actually

highlight the right event that you should be spending your time on? Or are they just

another source of alerts which really just makes your false

positive problem even worse than it was before. And Checkpoint is reporting that it found

ransomware for Android phones that made it into the Google Play Store. They're calling it the

Charger Ransomware.

It does disguise itself as an application that promises to extend your battery life

and does well what Ransomware does it, will encrypt files on your phone

and then charge you point to Bitcoins to get your files back, which is about $200 or so, I think, right now.

That is a little bit cheaper than most other ransomware, but the real story here,

the real problem is that this Malware made it into the official Google Play Store,

...