I’m Koen. I live in Bruges (Belgium), a splendid medieval city also known as the Venice of the North.

I’m involved with computer security and I work as a freelancer in incident response, incident coordination, threat intelligence, vulnerability management and security best practices. Basically all tasks related to managing a CSIRT / CERT (Computer Emergency Response Team).

My main interests in computers are security, web applications (PHP, MySQL, Apache), system administration and free software.

This site hosts a blog and I have a photo collection at Flickr.

I also have a site with (outdated) Linux information.


Latest posts

Proxy server logs for incident response

When you do incident response, having access to detailed logs is crucial. One of those treasure troves is proxy server logs.

Proxy server logs contain the requests made by users and applications on your network. This includes not only the most obvious part, web site requests by users, but also application or service requests made to the internet (for example application updates).

Ideally you have a transparent proxy, meaning that all outgoing requests…

Read more.

Data Breaches and the Importance of Account Protection and Incident Response

I published an article about Data Breaches and the Importance of Account Protection and Incident Response on Security Intelligence.

Understanding Network Intrusions With The Cyber Kill Chain

I published an article on Understanding Network Intrusions With The Cyber Kill Chain on the Ipswitch blog.

The cyber kill chain is nothing new; in the article I give a very high-level overview of what the chain is and what defensive measures you can take against attacks that follow the cyber kill chain.

Malware scanning of web directories with OWASP WebMalwareScanner

One of the recent incidents I had to handle involved a compromised web host. This allowed me to do some exploring (see Exploring webshells on a WordPress site). In the aftermath of the investigation I searched for tools that could have improved my tasks (evaluating which files might have been compromised).

One of the approaches I had in mind was to take a hash of every file and then verify that hash with VirusTotal. This would have worked in…

Read more.

Using Bro for building Passive DNS data

Passive DNS describes an historical database of DNS resolutions. I’ve written a previous post on Using Passive DNS for Incident Response, more specifically combining it with Moloch.

If you run your own corporate (internal) nameservers, it makes sense to monitor which domains have been queried and which results were returned in the past. This collection of internal queries can be used for future incident response, for example to cross-check it with information…

Read more.