pts2024

Yeti - towards a Forensics Intelligence Platform
2024-07-03, 10:15–10:50 (Europe/Paris), Amphitheater

Yeti was initially created in 2017, when a very operational French financial CERT needed a way to manage threat-intelligence-related indicators. When responding to incidents, they wanted quick answers to DFIR-related questions like “where have I seen this kind of filesystem activity before?” or “is any of this network traffic suspicious?”. Yeti was created to fulfill that need.

Fast forward to 2024: open-source threat intelligence platforms (or TIPs) have proliferated, and yet these questions are still not always easy to answer. Environments are now more complex than ever (think cloud providers, Kubernetes, Terraform, etc.) and attackers keep getting more creative, so DFIR teams need a way to structure their operations to keep up with the operational tempo. What was the query you used to search cloud logs? How do I query a system for that persistence mechanism explained in that blog post? How do I structure investigations so that my team on the other side of the world can pick up where I left off and knows what to look for?

This talk will show how Yeti has changed to meet the need for a “forensics intelligence” repository, integrating with other OSS projects such as Timesketch, DFIQ, ForensicArtifacts and MISP to leverage collective forensic knowledge and supercharge forensic analysis. We’ll introduce newcomers to Yeti, explain our reasoning behind these new capabilities, take a tour of these other open-source projects, and showcase some of the possible synergies.


Thomas has been a DFIR practitioner for 10+ years. He's currently a Security Engineer in the DFIR team at Google who loves running towards the proverbial cyber fires. He enjoys detective work and poking malware with a long stick, and has given talks about DFIR, malware analysis, and threat intelligence at many conferences throughout Europe and the US.


A lecturer and researcher at ESIEA and an independent consultant in Threat Intelligence, he contributes to numerous open source projects such as MISP and Yeti. He is also the author of numerous articles, an international speaker and lecturer on malware analysis, digital forensics and Cyber Threat Intelligence at ESIEA, and co-author of the book "Cybersécurité et Malwares Détection, analyse et Threat Intelligence (4e édition)".
