Breaking Down the Incident Notification Requirements in the EU’s NIS Directive

I published an article on the IBM SecurityIntelligence blog on Breaking Down the Incident Notification Requirements in the EU’s NIS Directive. The posts focus specifically on the aspects of incident notification contained in the NIS Directive as they apply to operators of essential services (OES).

Mimikatz and hashcat in practice

Mimikatz allows users to view and save authentication credentials like Kerberos tickets and Windows credentials. It’s freely available via Github. This post is not a tutorial on how to use Mimikatz, it lists the commands that I recently had to use during an assignment in an old Windows 7 environment.

Dump hashes from registry; Use this dump offline to extract the hashes with Mimikatz; Crack the hashes with hashcat.

Because most unaltered versions of MimikatzRead more.

Improving DNS logging, dnstap on Ubuntu

DNS logging and monitoring is important! Monitoring DNS logs allows you to analyze and detect C&C traffic and have access to crucial information to reduce the dwell time and detect breaches. Combined with Passive DNS it’s a very valuable data source to be used during incident response.

But DNS logging comes at a price. Every log operation requires the system to write out an entry to disk (besides also properly formatting the log string). ThisRead more.

Is It Time to Start a PSIRT? Why Your CSIRT May Not Be Enough

I published an article on the IBM SecurityIntelligence blog covering Is It Time to Start a PSIRT? Why Your CSIRT May Not Be Enough. The post describes what a PSIRT is and where it is located within an organization.

Setting up a PSIRT involves developing a charter, assembling the team, having budget for long-term operations and have a good relationship with your stakeholders. I also cover the most usual source that you can use toRead more.

Why You Need a BGP Hijack Response Plan!

I published an article on the IBM SecurityIntelligence blog on Why You Need a BGP Hijack Response Plan. The posts starts with an introduction to BGP, how BPG routing exactly works and what a BGP hijack is.

The bulk of this type of incident response plan is done during the preparation and detection phase, for the containment, eradication and recovery you will most likely have to depend on your upstream ISPs.

Security Conferences in Europe – 2019

An overview of the security conferences in Europe in 2019 that I want to attend. The list is also available as a Google calendar. Feel free to suggest updates.

Google Calendar for Security Conferences Europe or as an ICS fileSecurity

56th TF-CSIRT meeting & FIRST Regional Symposium EuropeTallinn, Estonia2019 January 21 > 23 QuBitBelgrado, Serbia2019 Feb 7 BlueHatTel Aviv, Israel2019 Feb 6 > 7 Vienna Cyber Security Week Critical InfrastructureVienna, Austria2019 Mar 11 >Read more.

Phishing website – beobank

Another day, another phishing website. This time again a phishing site with directory listing enabled. This phishing websites targets customers of the Belgian bank Beobank. The link to the site gets delivered via e-mail, claiming to come from the webmaster with an important security message.

This is how the phishing website looks like:

Moving up a few directories allows us to download the ZIP file containing the phishing code.

There areRead more.

OPSEC 101 : Phishing website

While I was analyzing a standard phishing e-mail my attention was drawn to the fact that the phishing page loaded remote Coldfusion scripts. The phishing mail itself is pretty default. It claims to come from e-mail support telling you that your mailbox is full.

The included cfform component allows to build a form with CFML custom control tags providing more functionality than standard HTML form input elements.

The phishing site was locatedRead more.

Hunt for devices with default passwords (with Burp)

In my previous post I talked about using the nmap NSE scripts or Hydra to search for systems with default passwords. My approach involved two steps: first learn via Burp how the authentication works (getting to know the form elements etc.) and then use this information as input for the brute force scripts.

A colleague pointed out that you can also use Burp suite for this last step.

Similar as with the previous approach, firstRead more.

Hunt for devices with default passwords

I wrote a follow-up on using Burp for both the analysis and attack phase : Hunt for devices with default passwords (with Burp).

Using a strong and unique password for authentication is a key element in security. Unfortunately there are still a lot of devices installed with a default password. This post describes how you can find the web interface of these devices.

Before we start, it’s to important to list the three different webRead more.