The Pegasus spyware made by the Israel-based company NSO Group has been used in targeted surveillance attacks against activists, journalists and businesspeople. Its details, and methods to detect it, were revealed by Citizen Lab (attacks by the Bahraini government on activists), with a forensic methodology report made available by Amnesty International.
Because both the tools and the indicators of compromise are publicly available, it’s fairly easy to do these checks yourself.
Set up a Python virtual environment … Read more.
For a new assignment I wanted to use JARM to group servers with a similar configuration. Why JARM? Because it’s an easy way to quickly identify and group servers based on their configuration.
JARM is an active fingerprinting tool for TLS servers made available by Salesforce Engineering. It sends 10 TLS Client Hello packets to a server and captures specific attributes of the responses. These responses are then aggregated and hashed. A JARM fingerprint consists of … Read more.
Cobalt Strike (S0154) is a commercial penetration testing platform which is used by many red teams and, unfortunately, also by many criminal threat actors. In this post I summarise the findings from a SANS Digital Forensics and Incident Response keynote by Chad Tilbury: Cobalt Strike Threat Hunting. The YouTube video provides many more details, but below you can find the findings that were relevant for me during an IR case.
This post includes references … Read more.
For a recent assignment, I had to summarise some of the legislation and cooperation frameworks that exist between CSIRTs and law enforcement agencies. This list is certainly not complete but already gives you an overview of what’s available. I first list the frameworks and then provide an overview of some of the existing cooperation mechanisms.
2001 – International
This convention, also known as the Budapest Convention is the first international treaty to address … Read more.
I shared a presentation with a high-level overview of Threat Intelligence and MISP on the MISP Presentation Github repository.
Have a look at MISP/MISP-presentations 2021. The deck also includes one slide for using MISP in an industrial / ICS environment. Both PPTX and PDF versions are shared.
For a new project I had to provide an SMTP relay server that supported client authentication. I love the simplicity of Postfix, but setting it up with client authentication required more than just ‘a push of a button’. Below are some (unstructured) notes on how to achieve this.
Client authentication in Postfix is handled by Cyrus SASL. The Simple Authentication and Security Layer, or SASL, is a specification that describes how authentication mechanisms can … Read more.
I published an article on the IBM Security Intelligence blog: Health Care Ransomware Strains Have Hospitals in the Crosshairs. This article covers ways in which hospitals and other facilities can defend against health care ransomware attacks. Two strains stand out in recent health care ransomware attacks: Ryuk and REvil. Although they differ in their details, they also have some common elements.
For a recent MISP installation I had to debug the reason why certain events were not pushed to a remote server. First, a bit of context:
Both servers run the same version of MISP (a fairly recent version); events are pushed from server A to server B. The synchronisation user used on server A existed on server B and had sufficient permissions; the server synchronisation was configured to push events if they were considered complete … Read more.
I published an article on the IBM Security Intelligence blog: Combating Sleeper Threats With MTTD. The article covers mean time to detect (MTTD) and mean time to respond (MTTR).
I cover some of the options available to reduce the MTTD, what elements can be used to define baselines, and how to improve security monitoring and maturity by improving the MTTD.
The MISP API provides an easy way of interacting with MISP. In most cases you’ll do this via scripting or from external applications. Sometimes, however, it can be useful to use the API from Python to run some simple queries on your threat data.
First start Python from the virtual environment.
Then load the libraries and set some variables.
Now you can use the misp variable to interact with MISP.
For example to … Read more.