Home

Welcome!

I’m Koen . I live in Bruges (Belgium), a splendid medieval city also known as the Venice of the North.

I’m involved with computer security and I work as a freelancer in incident response, incident coordination, threat intelligence, vulnerability management and security best practices. Basically all tasks related to managing a CSIRT / CERT (Computer Emergency Response Team).

My main interests in computers are security, web applications (PHP, MySQL, Apache), system administration and free software.

This site hosts a blog and I have a photo collection at Flickr.

I also have a site with (outdated) Linux information.

Latest posts

Generating MISP data statistical reports

The MISP API includes a couple of features that you can use to report on the type of data stored in the database. For example the User statistics or Attribute statistics give a pretty good overview. Unfortunately, as of now it’s not possible to limit the output of these functions to a specific timeframe. For my use case I’d like to report on the MISP data statistics for the last month. The information that IRead more.

GDPR and Apache logs, remove last octet of an IP address

For a new project I had to identify the source network of visitors of an http site, served via Apache. I did not need their individual IP address. This is something you’ll encounter when dealing with logs in light of the GDPR and having to store only the minimum amount of personal data necessary.

In essence it meant I needed a way to store the log requests and remove the last octet of the IPRead more.

Feed honeypot data to MISP for blocklist and RPZ creation

I run a couple of honeypots which allow me to map some of the bad actors and scanners on the internet. The most popular honeypots are Dioanea, Cowrie (ssh, previously kippo) and Conpot (ICS). So far I’ve not really used this honeypot data that much for defensive purposes but a recent writeup on using ModSecurity and MISP gave me inspiration to transform this data into information that I can use as a defender.

The coreRead more.

How to Patch BlueKeep and Get to Know Your Company’s Critical Assets

I published an article on the IBM SecurityIntelligence blog on How to Patch BlueKeep and Get to Know Your Company’s Critical Assets

The post has a very brief introduction to Remote Desktop Protocol and what caused the BlueKeep vulnerability. I then cover how to protect against blueKeep, which measures you can take to be prepared for the regular patch Tuesday and which tools and techniques are available to keep track of your (vulnerable) assets.

Keeping a Git fork up-to-date

I sometimes contribute to open source projects on Github. The workflow then often consist of creating a fork, adding my own code and then submitting pull requests.p

Unfortunately sometimes when you do this the upstream (meaning, the ‘original’ repository) has changed so much that it’s not possible to easily submit (or include) your changes. You then need to sync your fork with the upstream repository.

For what concerns the repositories related to MISP, these areRead more.

Bind Certificates to Domain Names for Enhanced Security With DANE and DNSS

I published an article on the IBM SecurityIntelligence blog on Bind Certificates to Domain Names for Enhanced Security With DANE and DNSS

The post has a very brief introduction to HTTPS and the flaws in the certificate validation process. I then cover solutions to the problem by publishing certificates in DNS via DANE, DNS-based Authentication of Named Entities. DANE is a protocol that uses DNSSEC and that can enhance the security of your email (transport).

Sync sightings between MISP instances

MISP sighting is a system allowing people to react on attributes on an event. It was originally designed to provide an easy method for users to tell when they see a given attribute, giving it more credibility. As such, the sighting system in MISP allows you to get feedback from your community on the quality of the data (the indicators).

There is not immediately an option within MISP to sync sightings between instances.You can syncRead more.

Submit malware samples to VMRay via MISP – Automation

End 2016 I contributed a module to extend MISP, the Open Source Threat Intelligence and Sharing Platform, with malware analysis results from VMRay : Submit malware samples to VMRay via MISP. VMRay provides an agentless, hypervisor-based dynamic analysis approach to malware analysis. One of it great features is the API, allowing you to integrate it with other tools.

One of the drawbacks of the module was that it required a two step approach : firstRead more.