Home

Welcome!

I’m Koen . I live in Bruges (Belgium), a splendid medieval city also known as the Venice of the North.

I’m involved with computer security and I work as a freelancer in incident response, incident coordination, threat intelligence, vulnerability management and security best practices. Basically all tasks related to managing a CSIRT / CERT (Computer Emergency Response Team).

My main interests in computers are security, web applications (PHP, MySQL, Apache), system administration and free software.

This site hosts a blog and I have a photo collection at Flickr.

Latest posts

MISP web scraper

I published an article on the MISP project website on the MISP web scraper.

There are a lot of websites that regularly publish reports on new threats, campaigns or actors with useful indicators, references and context information. Unfortunately only a few publish information in an easily accessible and structured format, such as a MISP-feed. As a result, we often find ourself manually scraping these sites, and then copy-pasting this information in new MISP events. TheseRead more.

Analysing Amazon AWS security groups and access control lists

Analysing firewall rules in AWS can be complex. There are Security Groups (SG) as well as Access Control Lists (ACL). Security groups are applied on instances and are the first layer of defense, whereas access control lists are applied on network components (subnets) and are a second layer of defense. A major difference is that SGs are stateful, whereas ACLs are stateless. From a filtering perspective there is also a difference. In security groups allRead more.

Cyberweapons Arms Race

I recently finished the book “This Is How They Tell Me the World Ends: The Cyberweapons Arms Race” by Nicole Perlroth. The book covers the story of the cyberweapons market and how government agencies fuelled this economy, eventually making the Internet a less safer place for us all.

I added some notes of items of interest in a mindmap that are maybe of use for others. The map is not complete at all, feel freeRead more.

MISP sharing groups demonstration video

Sharing groups in MISP are a more granular way to create re-usable distribution lists for events/attributes that allow users to include organisations from their own instance (local organisations) as well as organisations from directly, or indirectly connected instances (external organisations).

For a possible future project I had to document if sharing groups are an answer for a sort of multi-tenancy for sharing threat events within MISP.

Sharing groups certainly provide an answer, as long asRead more.

MISP and Microsoft Sentinel

A short post with things to consider when integrating MISP threat intelligence with Microsoft Sentinel. There are two documentation resources that describe the integration in detail and should get you started in no-time:

External Connectors for MISP Integrating open source threat feeds with MISP and Sentinel

This error is caused by invalid client secret or missing client ID. One of the steps in the documentation involves creating a new secret. You then have to addRead more.

A simple way to deploy MISP servers with Packer and Terraform

For a future project I was looking into ways of deploying (and deleting) instances of MISP on a regular basis. Instead of manually installing MISP, I wanted the deployment and the configuration automated and based on simple configuration files. This is called “infrastructure as code”, typically addressed by CI/CD (Continuous Integration, Continuous Development). To throw in other popular terminology “DevOps” could support me in provisioning (and deploying) the infrastructure that is going to be usedRead more.

Using VMRay Analyzer for Initial Triage and Incident Response

I published an article on the blog of VMRay: Using VMRay Analyzer for Initial Triage and Incident Response.

In this article I cover a practical case study how VMRay Analyzer helped with getting an accurate and noise-free analysis for initial triage and obtaining the relevant indicators of compromise for faster incident response.

Key recommendations and findings from the HSE Conti ransomware attack

The healthcare sector has been in the crosshairs of ransomware gangs.

One of the victims of last year was Ireland’s Health Services Executive. A report analysing the Conti ransomware attack was published as a follow-up to the incident. This Independent Post Incident Review provides a long list of recommendations that are not only valuable for the HSE but read as a “must-do” list for other organisations to be better prepared for such ransomware incidents.

IRead more.