Incident Handling Automation with intelmq presented at BSidesVienna 2015

by Aaron Kaplan, Sebastian Wagner, Otmar Lendl

Summary: Spam-sending devices, botnet drones, scanners, C&C servers, compromised servers, DDoS infrastructures, phishing websites: the Internet and its doubtful places and participants. Most of these are already known: they are listed on blacklists or domain generation archives, or detected by honeypots. National Computer Emergency Response Teams such as CERT.at or the German BSI collect all kinds of this open source data, enrich, deduplicate and group it, and finally distribute the resulting incidents to the responsible system administrators, providers' abuse contacts and autonomous systems.
Together with other CERTs, CERT.at is developing open source software to automate this process while keeping the architecture simple and well scaling and reducing complexity: IntelMQ.
IntelMQ is a solution for CERTs for collecting and processing various security feeds, pastebins, tweets and log files using a message queuing protocol. It is a community-driven initiative called IHAP (Incident Handling Automation Project), which was conceptually designed by European CERTs during several InfoSec events. Its main goal is to give incident responders an easy way to collect and process threat intelligence, thus improving the incident handling processes of CERTs.
But IntelMQ is not only useful for national CERTs: you can use it as a general data flow / data processing tool for handling log files or blocklist information and triggering actions on it (such as blocking IP addresses on IPS systems).
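The collect / enrich / deduplicate / group / distribute chain the abstract describes, reduced to a runnable toy in plain Python. This is an added illustration written for this page, not IntelMQ code and not its bot or message format: the feed lines, the network-to-ASN/abuse-contact table, and the function names are all constructed here, and the lookup table stands in for the whois or routing data a real deployment would query. The final step shows the "action" case from the last paragraph, a deduplicated blocklist ready to hand to an IPS.

```python
"""Toy incident-handling pipeline: collect -> enrich -> deduplicate -> group -> distribute.
Added example for this page; not IntelMQ code. All data below is constructed."""
import ipaddress
from collections import defaultdict

# Constructed sample of two "open source" feeds, as a CERT might pull them.
# Columns: source, timestamp, classification, ip
FEED_LINES = [
    "feedA,2015-11-20T10:00:00Z,botnet drone,192.0.2.10",
    "feedB,2015-11-20T10:05:00Z,botnet drone,192.0.2.10",   # same finding, second feed
    "feedA,2015-11-20T10:07:00Z,scanner,198.51.100.7",
    "feedB,2015-11-20T10:09:00Z,c&c,203.0.113.99",
    "feedB,2015-11-20T10:10:00Z,scanner,not-an-ip",         # malformed, must be dropped
]

# Constructed network -> (ASN, abuse contact) table standing in for a real
# whois / routing lookup (ASNs from the private range, contacts on example domains).
NETWORKS = [
    (ipaddress.ip_network("192.0.2.0/24"), (64500, "abuse@example-isp.net")),
    (ipaddress.ip_network("198.51.100.0/24"), (64500, "abuse@example-isp.net")),
    (ipaddress.ip_network("203.0.113.0/24"), (64501, "abuse@hoster.example")),
]


def collect(lines):
    """Parse raw feed lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            continue
        source, ts, classification, ip = parts
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        events.append({"source": source, "time": ts,
                       "classification": classification, "ip": ip})
    return events


def enrich(event):
    """Attach ASN and abuse contact via longest-prefix match; unknown networks get None."""
    addr = ipaddress.ip_address(event["ip"])
    best = None
    for net, info in NETWORKS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    event["asn"], event["abuse_contact"] = best[1] if best else (None, None)
    return event


def deduplicate(events):
    """Keep the first event per (ip, classification), whichever feed reported it."""
    seen = set()
    unique = []
    for ev in events:
        key = (ev["ip"], ev["classification"])
        if key in seen:
            continue
        seen.add(key)
        unique.append(ev)
    return unique


def group_by_contact(events):
    """Group enriched events by abuse contact, one bundle per recipient."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev["abuse_contact"]].append(ev)
    return dict(groups)


def run_pipeline(lines=FEED_LINES):
    """Full chain over the feed lines; returns {abuse_contact: [events]}."""
    events = [enrich(e) for e in deduplicate(collect(lines))]
    return group_by_contact(events)


def blocklist(groups):
    """Example action: the sorted set of offending IPs to push to an IPS / firewall."""
    return sorted({ev["ip"] for evs in groups.values() for ev in evs})


if __name__ == "__main__":
    groups = run_pipeline()
    for contact, evs in groups.items():
        print(contact, [(e["ip"], e["classification"]) for e in evs])
    print("blocklist:", blocklist(groups))
```

The two feeds report the same drone twice; deduplication keys on (ip, classification) rather than on the raw line, so the report reaches the ISP's abuse contact once. The malformed line is dropped during collection instead of aborting the run, which is the behaviour you want when one of many feeds is temporarily broken.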