Home

Welcome!

I’m Koen . I live in Bruges (Belgium), a splendid medieval city also known as the Venice of the North.

I’m involved with computer security and I work as a freelancer in incident response, incident coordination, threat intelligence, vulnerability management and security best practices. Basically all tasks related to managing a CSIRT / CERT (Computer Emergency Response Team).

My main interests in computers are security, web applications (PHP, MySQL, Apache), system administration and free software.

This site hosts a blog and I have a photo collection at Flickr.

I also have a site with (outdated) Linux information.

Latest posts

Creating a MISP Galaxy, 101

I posted an article on the website of the MISP project on how to start with creating your own MISP galaxy / cluster.

Install MITRE ATT&CK Navigator in an isolated environment

The ATT&CK Navigator is a great tool to browse the ATT&CK matrices. You can run the tool directly from Github, but you can also install it locally. This can especially be useful if you want to browse the ATT&CK matrices when you’re working in an isolated environment.

Navigator can be used via Docker, but that instance does not contain the matrices. Next is a short overview of commands to get the Navigator to work locally,Read more.

Create and delete training alerts in TheHive

TheHive is a scalable, open source and free Security Incident Response Platform, which tightly integrates with MISP. It supports a feature that allows you to convert one or more alerts, for example alerts sent by security devices, to a security case (an investigation). The creation, and handling, of these alerts can be done via an API.

Creating, and then afterwards deleting, these alerts to showcase the features of TheHive during a training session can beRead more.

RDP Honeypots

In a recent post the SANS ISC warned of an increase in RDP Scanning. Although the initially reported number was adjusted downward later, there is still an increase in exposed RDP servers. It would be interesting to track the volume of RDP scans, and the credentials used in the scan. Let’s run an RDP honeypot.

One of these RDP honeypots is written by Sylvain Peyrefitte, RDPY. RDPY is more than just a RDP honeypot. ItRead more.

Report sightings from Kibana to MISP

A problem we all face when using threat intelligence data is getting rid of false positives in our data feeds. On the other hand, reporting of true positives is equally important as it allows to increase the level of trust in an indicator.

I published a post on the NVISO blog, “Report sightings from Kibana to MISP“, which provides a solution for this problem.

COVID-19 Blocklists

A lot of good initiatives popped up recently to combat malicious activity related to the Corona pandemic.

A MISP instance for tracking COVID-19 activity; A list of domains which provides legitimate COVID-19 services; The Slack channel of COVID19 Cyber Threat Coalition; The COVID-19 CTI League; Public MISP feed by DCSO; And a feed by 1984.sh; Threat reports by RiskIQ; A COVID-19 threat list by domaintools; The COVID-19 domain classifier by SANS; A MISP warning listRead more.

Integrating MISP and Cytomic Orion

Cytomic Orion is a solution for Threat Hunting & Incident Response, that speeds up the process of identification, investigation, containment, and remediation of cyber threats & insiders using Living-off-the-Land techniques to evade existing controls (Reduce the MTTD & MTTR). The Cytomic Orion API allows you to integrate it with other tools, one of those tools is MISP.

The integration with Cytomic Orion allows you to achieve two main goals :

Query the Cytomic Orion API,Read more.

Sysmon not logging all process creation events (Calculator and other sandboxed apps)

System Monitor or Sysmon is a Windows system service and device driver that provides event data on process creation, network connections and file alterations. It is one of the most powerful tools available for security monitoring and gives detailed insight on what is happening on an endpoint.

Sysmon can be started from the command line, with a specific set of modules and processes to monitor but will in most cases be installed as a serviceRead more.