Home

Welcome!

I’m Koen . I live in Bruges (Belgium), a splendid medieval city also known as the Venice of the North.

I’m involved with computer security and I work as a freelancer in incident response, incident coordination, threat intelligence, vulnerability management and security best practices. Basically all tasks related to managing a CSIRT / CERT (Computer Emergency Response Team).

My main interests in computers are security, web applications (PHP, MySQL, Apache), system administration and free software.

This site hosts a blog and I have a photo collection at Flickr.

I also have a site with (outdated) Linux information.

Latest posts

Sysmon not logging all process creation events (Calculator and other sandboxed apps)

System Monitor or Sysmon is a Windows system service and device driver that provides event data on process creation, network connections and file alterations. It is one of the most powerful tools available for security monitoring and gives detailed insight on what is happening on an endpoint.

Sysmon can be started from the command line, with a specific set of modules and processes to monitor but will in most cases be installed as a serviceRead more.

Parse stored Windows Event logs with Security Onion

Security Onion is a free tool to monitor for suspicious activity in network events. I find it very easy to use, especially if you integrate the MISP threat data with the Bro -Zeek- intelligence framework. Besides investigating network events, you can also use it to analyze Windows Event logs, both from a live event stream and for analyzing stored Windows events.

Winlogbeat, part of Elastic, is the shipper that we will use to send theRead more.

Which Incident Response Investments Are You Prioritizing in 2020?

I published an article on the IBM SecurityIntelligence blog on to Which Incident Response Investments Are You Prioritizing in 2020?

The post describes that improving incident response plans should be the number one priority for future investment, but there are other pressing areas to consider as well. Invest in the Future of Digital Forensics, especially in light of further inclusion of cloud, BYOD and IoT related devices. Get Ready for Changes in Network Monitoring asRead more.

Iranian threat groups

In light of recent developments it would be a good idea to sketch a picture of the known Iranian threat groups. I used the information made available by MITRE ATT&CK.

Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote accessRead more.

Use Sysmon DNS data for incident response

Recent versions of Sysmon support the logging of DNS queries. This is done via event ID 22 in Applications and Services Log > Microsoft > Windows > Sysmon Operational.

To enable DNS logging, you need to include the section DnsQuery in your Sysmon configuration file. For example via

Note that enabling DNS queries can be noisy. It’s best to apply filtering as proposed by the SwiftOnSecurity sysmon config file and, additionally, filter out the commonlyRead more.

Improve Your Detection Capabilities With Cyber Simulation Datasets

I published an article on the IBM SecurityIntelligence blog on how to Improve Your Detection Capabilities With Cyber Simulation Datasets

The post describes how you can develop a strategy for testing and improving your existing detection capabilities. It starts with the traditional testing strategies as paper tests and tabletop exercises. The bulk of the article covers cyber simulation datasets, including network based data sets, host based datasets and system and application logs. The final partRead more.

BelgoMISP Meeting 0x01 : Belgian MISP User Group Meeting

Interested in sharing your MISP usage experiences? How did you integrate MISP in your incident response workflow? Have anything to say about threat sharing in general?

There’s a BelgoMISP Meeting 0x01 for all Belgian MISP users. Submit your proposals via Github or contact us via Twitter.

Measure and Improve the Maturity of Your Incident Response Team

I published an article on the IBM SecurityIntelligence blog on how to Measure and Improve the Maturity of Your Incident Response Team

The post describes how you can create an incident response development plan and which proven frameworks exist to assist you with this. I then provide more details on the NIST and the Global CSIRT Maturity framework. The latter, which is based on SIM3 and the ENISA three-tier approach, is then covered in moreRead more.