Papers & Publications

These are papers I’ve written for various purposes from my graduate studies to peer-reviewed academic journals.  Some of it falls into the category of “older random things I’ve done in the pursuit of my career.”  Except the first one, that one was kinda important and relevant.  As you go down the page, the relevance of the materials to CTI decreases.

I should say right up front that the most significant work I feel I’ve done was as one of the two original authors of SANS’s FOR578: Cyber Threat Intel Analysis course with my friend & colleague Robert M. Lee.

Peer-reviewed Academic Publications

  • Hutchins, Cloppert, Amin (2011).  Intelligence-driven Computer Network Defense Informed by Adversary Campaigns and Intrusion Kill Chains.  6th International Conference on Information Warfare and Security.
  • (May 2008) Ex-Tip: An Extensible Timeline Analysis Framework in Perl.  This was my GCFA Gold paper that demonstrated a proof-of-concept framework for merging logs of disparate types into a single timeline.  At the time, “digital forensics,” “network analysis,” etc were all treated as separate disciplines – stovepiped, rather than merged.  In reality, to conduct incident response and threat intelligence analysis, one must be able to compare that which happens on the network to activity of a computer system.  It seems obvious today, but in our field in 2008, it was not.  This made the case for many more mature and usable tools that came after it (some as GCFA Gold papers themselves!).

InfoSec & CTI Presentations

  • (2016) Levels of Threat Intelligence.  This is the presentation I used to kick off the SANS CTI Summit in February of 2016.  It discusses what tactical, operational, and strategic intelligence is, how these fit together, where some of our models fit in these levels of abstraction, and a little bit about why they matter.
  • (2015) Intel approaches to FP reduction. This presentation at the 2015 SANS SOC Summit discusses the Detection Maturity Model (DMM) I developed for and deployed with success at LM-CIRT (as well as a number of Lockheed Martin clients), including how threat intelligence can inform its implementation (and how to selectively de-task indicators and detections).
  • (2012) Emergent Ideas in Cyber Threat Intelligence.  This was my presentation at the 2012 DoD Cybercrime Conference in Atlanta, GA.  It discusses indicator volatility analysis as a means to automated correlation of intrusions, as well as a number of CTI & CND related metrics and visualizations that I still use today.  Years later, Lenny Zeltser would create an Incident Response Report template modeled off of this, and integrating a number of newer concepts we worked into the FOR578 course.
  • (2011) Distinguishing Incident Response from Computer Network Defense.  This was my keynote at the 2011 SANS DFIR summit in Austin, TX.  It outlines the Kill Chain, Indicator Lifecycle, and a number of other concepts from our 2011 paper, in addition to providing a few examples of how threat intelligence transforms things like incident reports and metrics (some similar, some distinct from my 2012 DoD Cybercrime presentation).
  • (2010) Intelligence-driven Response for combating the Advanced Persistent Threat.  Presented at the SANS Forensics & IR Summit in July of 2010, this was the first public discourse on the Kill Chain and other ideas we would publish the following year.  It’s pretty polished and paired well with my panel presentation of APT techniques (at the time).  Originally it was a dual-deck presentation with examples, but I can’t seem to find the example deck anywhere.
  • Older stuff…

Various InfoSec Papers

Other Research

  • (Dec, 2007) Scalable CLA Strategies in SNAFUOne of my favorite Intellivision games growing up was called Snafu (which I only much later learned was a military term with an expletive).  It mimicked the light racers from the 1980’s cult movie Tron with which I was naturally obsessed growing up.  So it figures in grad school I wrote a simulator and did a study on competing collective learning automata (AKA “statistical learning” or in 2016 parlance, I guess just “ML”).
  • (Dec, 2007) Alternate Decision Policies in Nim.  If Machine Learning (ML) studies had a kindergarten, this is it.  A very, very basic application of some rudimentary ML principles and analysis on decision policies for a very, very basic two-player game.  Yes, this was for an ML class.  If you haven’t conducted a legitimate scientific study in the field of ML, this might be informative for you.  Otherwise, it’s a bit like a paper validating Ohm’s Law (if you’re wondering, I probably have that on a Zipdisk somewhere from my undergraduate days… #wishiwaskidding).