Home

Welcome!

I’m Koen . I live in Bruges (Belgium), a splendid medieval city also known as the Venice of the North.

I’m involved with computer security and I work as a freelancer in incident response, incident coordination, threat intelligence, vulnerability management and security best practices. Basically all tasks related to managing a CSIRT / CERT (Computer Emergency Response Team).

My main interests in computers are security, web applications (PHP, MySQL, Apache), system administration and free software.

This site hosts a blog and I have a photo collection at Flickr.

I also have a site with (outdated) Linux information.

Latest posts

Submit malware samples to VMRay via MISP – Automation

End 2016 I contributed a module to extend MISP, the Open Source Threat Intelligence and Sharing Platform, with malware analysis results from VMRay : Submit malware samples to VMRay via MISP. VMRay provides an agentless, hypervisor-based dynamic analysis approach to malware analysis. One of it great features is the API, allowing you to integrate it with other tools.

One of the drawbacks of the module was that it required a two step approach : firstRead more.

Dark Web TLS/SSL Certificates Highlight Need for Shift to Zero Trust Security

I published an article on the IBM SecurityIntelligence blog on Dark Web TLS/SSL Certificates Highlight Need for Shift to Zero Trust Security

The post has a very brief introduction to HTTPS and TLS/SS, takes a look at the ‘black market’ for TLS/SSL certificates and concludes with some protection measures that you can take.

Missed DNS Flag Day? It’s Not Too Late to Upgrade Your Domain Security

I published an article on the IBM SecurityIntelligence blog on Missed DNS Flag Day? It’s Not Too Late to Upgrade Your Domain Security. The post gives some insights on DNS Extension mechanisms, Backward Compatibility and DNS Flag Day and which steps you need to take to be (and remain) ready for DNS Flag Day. I also includes an introduction on other DNS features as DNS cookies and DNSSEC.

Breaking Down the Incident Notification Requirements in the EU’s NIS Directive

I published an article on the IBM SecurityIntelligence blog on Breaking Down the Incident Notification Requirements in the EU’s NIS Directive. The posts focus specifically on the aspects of incident notification contained in the NIS Directive as they apply to operators of essential services (OES).

Mimikatz and hashcat in practice

Mimikatz allows users to view and save authentication credentials like Kerberos tickets and Windows credentials. It’s freely available via Github. This post is not a tutorial on how to use Mimikatz, it lists the commands that I recently had to use during an assignment in an old Windows 7 environment.

Dump hashes from registry; Use this dump offline to extract the hashes with Mimikatz; Crack the hashes with hashcat.

Because most unaltered versions of MimikatzRead more.

Improving DNS logging, dnstap on Ubuntu

DNS logging and monitoring is important! Monitoring DNS logs allows you to analyze and detect C&C traffic and have access to crucial information to reduce the dwell time and detect breaches. Combined with Passive DNS it’s a very valuable data source to be used during incident response.

But DNS logging comes at a price. Every log operation requires the system to write out an entry to disk (besides also properly formatting the log string). ThisRead more.

Is It Time to Start a PSIRT? Why Your CSIRT May Not Be Enough

I published an article on the IBM SecurityIntelligence blog covering Is It Time to Start a PSIRT? Why Your CSIRT May Not Be Enough. The post describes what a PSIRT is and where it is located within an organization.

Setting up a PSIRT involves developing a charter, assembling the team, having budget for long-term operations and have a good relationship with your stakeholders. I also cover the most usual source that you can use toRead more.

Why You Need a BGP Hijack Response Plan!

I published an article on the IBM SecurityIntelligence blog on Why You Need a BGP Hijack Response Plan. The posts starts with an introduction to BGP, how BPG routing exactly works and what a BGP hijack is.

The bulk of this type of incident response plan is done during the preparation and detection phase, for the containment, eradication and recovery you will most likely have to depend on your upstream ISPs.