TAPIOCA (TAPIOCA Automated Processing for IOC Analysis)

BSidesLV 2015

Presented by: Ryan J. Chapman, Moses Schwartz
Date: Wednesday August 05, 2015
Time: 11:00 - 11:55
Location: Florentine A
Track: Breaking Ground

These days, many security groups want to become "intel shops," and threat intelligence is all the rage. An intel shop should ingest intel, analyze indicators, and pivot from correlated data. However, few understand how to begin the transition. How IS this accomplished? MAGIC, DAMNIT. Then again, if you're not the sleight-of-hand kind of guy or gal, we have an answer for you. Check behind your ear, and you'll find a dollop of TAPIOCA! In this talk, we will present our process for analyzing Indicators of Compromise (IOCs) at scale, correlating information from multiple sources, and pivoting to obtain information from deep within the bowels of our global network. We'll talk about the technical challenges we have addressed in applying automated analysis to terabytes of data every day. We will also discuss the next steps for this analysis, including applying machine learning techniques to help further classify our data. We are also releasing our automated IOC vetting tool, TAPIOCA (TAPIOCA Automated Processing for IOC Analysis), to help other security groups begin processing and benefiting from threat intelligence.
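The abstract names three stages (ingest intel, analyze indicators, correlate and pivot) without showing what an automated vetting pass looks like. The following is an added illustration, written for this page and not code from TAPIOCA or from the speakers: it ingests a few constructed indicator feeds, classifies each string as an IP, domain or hash, drops indicators that would only produce noise (loopback, link-local and RFC 1918 addresses, a small allow-list of benign domains), and correlates the survivors across feeds so that indicators reported by more than one independent source are ranked first. The feed names, indicator values, the allow-list and the helper names are all assumptions made for the example.

```python
"""
Added example of an IOC vetting and correlation pass (not TAPIOCA's own
code). Feed contents below are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample feeds: raw indicator strings as they might arrive
# from a vendor report, a sharing community, or an e-mailed tip.
FEEDS = {
    "vendor_report": [
        "198.51.100.23",
        "evil-update.example",
        "d41d8cd98f00b204e9800998ecf8427e",
        "10.0.0.5",
        "www.google.com",
    ],
    "sharing_group": [
        "198.51.100.23",
        "EVIL-UPDATE.EXAMPLE",
        "203.0.113.9",
        "9e107d9d372bb6826bd81d3542a419d6",
    ],
    "email_tip": [
        "127.0.0.1",
        "203.0.113.9",
        "not an indicator",
    ],
}

# Assumption: a tiny allow-list stands in for the much larger list a real
# deployment would maintain.
BENIGN_DOMAINS = {"www.google.com", "microsoft.com"}

# RFC 1918 ranges checked explicitly. ipaddress.is_global would also reject
# the RFC 5737 documentation ranges used in the constructed sample, so the
# internal-address test is spelled out here instead.
_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_HASH_RE = re.compile(r"^[0-9a-f]{32}$|^[0-9a-f]{40}$|^[0-9a-f]{64}$")
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def classify(raw):
    """Return (kind, normalized value) or None if the string is not an IOC."""
    value = raw.strip().lower()
    try:
        return ("ip", str(ipaddress.ip_address(value)))
    except ValueError:
        pass
    if _HASH_RE.match(value):
        return ("hash", value)  # MD5 / SHA-1 / SHA-256 by length
    if _DOMAIN_RE.match(value):
        return ("domain", value)
    return None


def _is_internal_ip(ip):
    return (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_unspecified or any(ip in net for net in _RFC1918))


def is_actionable(kind, value):
    """Vetting step: reject indicators that would only generate noise."""
    if kind == "ip":
        return not _is_internal_ip(ipaddress.ip_address(value))
    if kind == "domain":
        return value not in BENIGN_DOMAINS
    return True


def vet_and_correlate(feeds):
    """Classify every raw entry, drop non-actionable ones, and record which
    feeds reported each surviving indicator."""
    seen = defaultdict(set)
    for feed_name, entries in feeds.items():
        for raw in entries:
            classified = classify(raw)
            if classified is None:
                continue
            kind, value = classified
            if is_actionable(kind, value):
                seen[(kind, value)].add(feed_name)
    return dict(seen)


def ranked(feeds):
    """Indicators ordered by number of independent sources, highest first."""
    corr = vet_and_correlate(feeds)
    return sorted(corr.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for (kind, value), sources in ranked(FEEDS):
        print(f"{len(sources)}  {kind:6} {value:40} {sorted(sources)}")
```

Two design points carry over to a real pipeline: normalization (trimming, lower-casing) happens before correlation so that the same domain reported in different case collapses to one entry, and the vetting rules sit in a single function so that new noise sources (internal naming conventions, sinkhole addresses) can be added without touching the correlation logic.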

Ryan J. Chapman

Ryan Chapman works as an incident response analyst for Bechtel Corporation. Ryan enjoys the challenge of handling incidents, reversing malware, and automating tasks for the security operations center. He also loves public speaking and has presented at BSidesSF, CactusCon, Splunk Live!, and at the University of Advancing Technology's Tech Forum. Ryan has an MS in Information Assurance and a BS in Computer Networking. He also holds the GREM, GCIH, LPIC-1, Linux+, Security+, and other certifications. Ryan has a fondness for retro gaming and plays plenty of Street Fighter.

Moses Schwartz

Moses Schwartz is a security researcher with experience in cyber incident response, vulnerability assessment, industrial control system and SCADA security, and supply chain risk management. He is currently a senior network security monitoring analyst on the cyber incident response team (CIRT) for Bechtel Corporation. He was previously a senior member of technical staff at Sandia National Laboratories, where he researched and developed new capabilities for defending critical infrastructure. He holds a B.S. and M.S. in Computer Science from the New Mexico Institute of Mining & Technology.
