Home

Welcome!

I’m Koen . I live in Bruges (Belgium), a splendid medieval city also known as the Venice of the North.

I’m involved with computer security and I work as a freelancer in incident response, incident coordination, threat intelligence, vulnerability management and security best practices. Basically all tasks related to managing a CSIRT / CERT (Computer Emergency Response Team).

My main interests in computers are security, web applications (PHP, MySQL, Apache), system administration and free software.

This site hosts a blog and I have a photo collection at Flickr.

Latest posts

MISP and Threat Intelligence

I shared a presentation with a high-level overview of Threat Intelligence and MISP on the MISP Presentation Github repository.

Have a look at MISP/MISP-presentations 2021. The deck also includes one slide for using MISP in an industrial / ICS environment. Both PPTX and PDF versions are shared.

Postfix with client authentication

For a new project I had to foresee an SMTP relay server that supported client authentication. I love the simplicity of Postfix but setting it up with client authentication required more than just ‘a push of a button’. Below are some -unstructured- notes on how to achieve this.

The client authentication in Postfix is handled by Cyrus SASL. The Simple Authentication and Security Layer or SASL is a specification that describes how authentication mechanisms canRead more.

Health Care Ransomware Strains Have Hospitals in the Crosshairs

I published an article on the IBM Security Intelligence blog : Health Care Ransomware Strains Have Hospitals in the Crosshairs. This article covers ways on how hospitals and other facilities can against health care ransomware attacks. Two strains stand out in recent health care ransomware attacks: Ryuk and REvil. Although they are distinct when it comes to details, they also have some common elements.

Read more Health Care Ransomware Strains Have Hospitals in the Crosshairs

Debugging MISP event publish workflow. And a faulty application gateway

For a recent MISP installation I had to debug the reason why certain events were not pushed to a remote server. First a bit of context

Both servers run the same version of MISP (a fairly recent version); Events are pushed from server A to server B. The synchronisation user used on server A existed on server B and had sufficient permissions; The server synchronisation was configured to push events if they were considered completeRead more.

Combating Sleeper Threats With MTTD

I published an article on the IBM Security Intelligence blog : Combating Sleeper Threats With MTTD. The article covers mean time to detect (MTTD) and mean time to response (MTTR).

I cover some of the options available to reduce the MTTD, what elements can be used to define baselines and how to improve security monitoring and maturity by improving the MTTD.

Interactive usage of MISP

The MISP API provides an easy way for interacting with MISP. In most cases you’ll do this via scripting or from external applications. Sometimes it can however be interesting to use the API to do some simple queries via Python on your threat data.

First start Python from the virtual environment.

Then load the libraries and set some variables.

Now you can use the misp variable to interact with MISP.

For example toRead more.

Staying in control of MISP correlations

MISP correlations are a way to find relationships between attributes and indicators from malware or attacks campaigns. Correlation support analysts in detecting clusters of similar activities and pivot from one event to another.

When the volume of data in your MISP instance grows, the number of correlations can however explode and make your system less responsive. I cover some approaches that you can use to stay in control.

Correlation basically is a way forRead more.

Creating a MISP Object, 101

I published an article on the blog of the MISP project on how to create your own custom object: Creating a MISP Object, 101. This is a follow-up to a previous post on how to create your own MISP galaxy or MISP cluster (Creating a MISP Galaxy, 101).