Hello, welcome to the Friday, July 24th, 2020 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

A couple updates from the Internet Storm Center.

First diary post that we have from Xavier.

Now, one of the tricky things with threat intelligence is

always, how do you make it actually actionable? And Xavier here has a little set of scripts that he's

using in order to export data from his MISP server to PFS sense in order to use it as a block list.

MISP is a rather popular open source threat intelligence platform and very good at sharing

information with others and importing, exporting of course, in various formats.

And that's kind of what Xavier is going for here to show you how to export this data to then

import it as a block list in PF sense.

Now, talking about threat intelligence, I have been experimenting with a new sort of data feed for our data

that essentially lists all IP addresses from which we have seen either significant activity

from the firewall lock shared with you or activity from our SSH sensors, web sensors, or any other third-party feeds that

we are collecting. So kind of a unified threat intel feed for all the data we have. It's not

very large because I try to limit it to sort of some of the more significant data we have. It's

definitely not a block list because, for example, one of the pieces significant data we have. It's definitely not a block list because, for example,

one of the pieces of data we collect is whether or not an IP

is being used as a name server for a top level domain,

which can also be useful to enrich your data.

And that's really how it's supposed to be used.

If you do have a seam or some system like this,

...