Threat Intelligence Gathering, Malware
Collection and Incident Response Proposal
“Discover, Investigate and Report”
United States Military Academy & University of Detroit Mercy
Independent Study Class for Fall 2006
Lieutenant Colonel Ronald C. Dodge Jr., Ph.D.
Director, Information Technology and Operations Center
Purpose of the project:
The purpose of this project is to establish a unique and complete process
for threat intelligence gathering, malware collection and incident
response. It will address how members of the honeynet alliance can
contribute to the process of gathering threat intelligence: members can
participate by contributing malware collected with the help of nepenthes,
or any suspicious scripts being seeded in the honeynet they are monitoring.
All collected malware will be made accessible and held pending a dedicated
escalation process that determines whether each sample is unique; if it is,
the appropriate IT security incident response government agencies and
other organizations will be notified.
Honeynet Threat Intelligence Center (HoneyTIC):
The Honeynet Threat Intelligence Center (HoneyTIC) will be introduced to
manage threat intelligence gathering, malware collection and incident
response effectively.
This center will be responsible for gathering threat intelligence such as
a new vulnerability, evidence that it is being exploited, or malware in the
wild spreading through a newly discovered vulnerability.
HoneyTIC will be responsible for analysis, for accurately prioritizing the
threat under review, and for ranking the importance of each captured
malware sample on the basis of the threat intelligence findings. To keep
this process manageable, it will be divided into three phases:
1. Discovering Phase
2. Investigating Phase
3. Reporting Phase
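The proposal calls for escalation only once a contributed sample has been judged unique, and for captured malware to be ranked for analysis. The following Python is an added illustration of that triage step and is not code from the proposal or from the honeynet alliance: each contributed file is identified by its SHA-256 content hash, a sample whose hash is absent from the previously analysed set is treated as new and queued for escalation, and new samples are ordered by how many distinct members observed them. The "known hash set", the member names and the placeholder file bytes are all constructed for the example, and using observation count across members as the ranking signal is an assumption, not something the proposal specifies.

```python
"""Hash-based uniqueness triage for samples contributed by honeynet members.

Added example, not part of the HoneyTIC proposal. A contributed file is
identified by its SHA-256; a hash not in the previously analysed set is
"new" and goes to the escalation queue. New samples are ranked by the number
of distinct members that submitted them (an assumed prioritisation signal).
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Sample:
    sha256: str
    size: int
    members: set = field(default_factory=set)   # members that submitted it
    names: set = field(default_factory=set)     # filenames it arrived under


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(submissions, known_hashes):
    """Group submissions by content hash and split them into new and known.

    submissions: iterable of (member, filename, content bytes)
    known_hashes: set of SHA-256 hex digests that were already analysed
    Returns (new, known): two dicts mapping sha256 -> Sample.
    """
    by_hash = {}
    for member, name, data in submissions:
        digest = sha256_hex(data)
        sample = by_hash.setdefault(digest, Sample(digest, len(data)))
        sample.members.add(member)   # same bytes from two members -> one sample
        sample.names.add(name)       # filename is not part of identity
    new = {h: s for h, s in by_hash.items() if h not in known_hashes}
    known = {h: s for h, s in by_hash.items() if h in known_hashes}
    return new, known


def escalation_queue(new):
    """Order new samples for analyst escalation: most widely observed first,
    ties broken by hash so the order is deterministic."""
    return sorted(new.values(), key=lambda s: (-len(s.members), s.sha256))


# Constructed inputs: placeholder bytes standing in for nepenthes downloads
# and a seeded script. They are not real malware.
SUBMISSIONS = [
    ("member-a", "x86-bot.bin", b"MZ\x90\x00sample-one"),
    ("member-b", "dropper.exe", b"MZ\x90\x00sample-one"),   # same bytes, new name
    ("member-b", "worm.bin",    b"MZ\x90\x00sample-two"),
    ("member-c", "seed.pl",     b"#!/usr/bin/perl\nsystem('id');\n"),
]

# Hypothetical "already analysed" collection: here just sample-two.
KNOWN_HASHES = {sha256_hex(b"MZ\x90\x00sample-two")}

if __name__ == "__main__":
    new, known = triage(SUBMISSIONS, KNOWN_HASHES)
    for s in escalation_queue(new):
        print(f"ESCALATE {s.sha256[:16]}... {s.size} bytes, "
              f"seen by {sorted(s.members)} as {sorted(s.names)}")
    for s in known.values():
        print(f"known    {s.sha256[:16]}... ({len(s.members)} member(s))")
```

Content hashing answers only the exact-duplicate question; a repacked or re-keyed variant of a known sample will show up as new, so the escalation step still needs an analyst (or a fuzzier similarity check) before anyone is notified.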
To make the discovering phase much easier, it will...