Home

Welcome!

I’m Koen . I live in Bruges (Belgium), a splendid medieval city also known as the Venice of the North.

I’m involved with computer security and I work as a freelancer in incident response, incident coordination, threat intelligence, vulnerability management and security best practices. Basically all tasks related to managing a CSIRT / CERT (Computer Emergency Response Team).

My main interests in computers are security, web applications (PHP, MySQL, Apache), system administration and free software.

This site hosts a blog and I have a photo collection at Flickr.

Latest posts

Use Mobile Verification Tool to check if your iPhone is affected by Pegasus spyware

The Pegasus spyware made by the Israel-based company NSO Group has been used in targeted surveillance attacks against activists, journalists and businesspeople. Its details, and methods to detect it, were revealed by CitizenLab (hacks from the Bahraini government on activists) with a forensic methodology report made available by Amnesty International.

Because both the tools and the indicators of compromise are made available it’s fairly easy to do these checks yourself.

Setup a Python virtual environmentRead more.

Identify malicious servers / Cobalt Strike servers with JARM

For a new assignment I wanted to use JARM to group servers with a similar configuration. Why JARM? Because it’s an easy way to quickly identify and group servers based on their configuration.

JARM is an active fingerprinting of TLS servers made available by Salesforce Engineering. It sends 10 TLS Client Hello packets to a server and captures specific attributes of the responses. These responses are then aggregated and hashed. A JARM fingerprint consists ofRead more.

Cobalt Strike Hunting – Key items to look for

Cobalt Strike (S0154) is a commercial penetration testing platform which is used by many red teams and, unfortunately, also by many criminal threat actors. In this post I summarise the findings from a SANS Digital Forensics and Incident Response keynote by Chad Tilbury : Cobalt Strike Threat Hunting. The YouTube video provides much more details but below you can find those findings that were relevant for me during an IR case.

This post includes referencesRead more.

Legal and cooperation frameworks between CSIRTs and law enforcement agencies

For a recent assignment, I had to summarise some of the legislation and cooperation frameworks that exist between CSIRTs and law enforcement agencies. This list is certainly not complete but already gives you an overview of what’s available. I first list the frameworks and then provide an overview of some of the existing cooperation mechanisms.

2001 – International

This convention, also known as the Budapest Convention is the first international treaty to addressRead more.

MISP and Threat Intelligence

I shared a presentation with a high-level overview of Threat Intelligence and MISP on the MISP Presentation Github repository.

Have a look at MISP/MISP-presentations 2021. The deck also includes one slide for using MISP in an industrial / ICS environment. Both PPTX and PDF versions are shared.

Postfix with client authentication

For a new project I had to foresee an SMTP relay server that supported client authentication. I love the simplicity of Postfix but setting it up with client authentication required more than just ‘a push of a button’. Below are some -unstructured- notes on how to achieve this.

The client authentication in Postfix is handled by Cyrus SASL. The Simple Authentication and Security Layer or SASL is a specification that describes how authentication mechanisms canRead more.

Health Care Ransomware Strains Have Hospitals in the Crosshairs

I published an article on the IBM Security Intelligence blog : Health Care Ransomware Strains Have Hospitals in the Crosshairs. This article covers ways on how hospitals and other facilities can against health care ransomware attacks. Two strains stand out in recent health care ransomware attacks: Ryuk and REvil. Although they are distinct when it comes to details, they also have some common elements.

Read more Health Care Ransomware Strains Have Hospitals in the Crosshairs

Debugging MISP event publish workflow. And a faulty application gateway

For a recent MISP installation I had to debug the reason why certain events were not pushed to a remote server. First a bit of context

Both servers run the same version of MISP (a fairly recent version); Events are pushed from server A to server B. The synchronisation user used on server A existed on server B and had sufficient permissions; The server synchronisation was configured to push events if they were considered completeRead more.