I’m a happy user of MISP, Malware Information Sharing Platform & Threat Sharing. MISP core already contains a lot of features to satisfy your needs when it concerns threat and information sharing. But there’s always room for improvement. If you submit a feature request, MISP can be extended with your request. However, changing the core is not always desirable. Also, sometimes you want a feature to work just the way you want it; this doesn’t … Read more.
The Krebs Attack: Sign Of A Game Changer
I published an article on The Krebs Attack: Sign Of A Game Changer on the Ipswitch blog.
This article lists the new wave of large scale DDoS attacks against KrebsOnSecurity and OVH and how the release of the Mirai botnet source code can leverage new attacks. I describe how this influences the risks you have to take into account when protecting your infrastructure.
Mail image trap
For a recent engagement I had to check if an e-mail was opened (or viewed) by a user. The idea was to get a notification if an e-mail was read, without having access to the e-mail infrastructure.
There are different ways and tools to do this. The available time was limited and because the target environment has HTML e-mail enabled by default, I chose a very straightforward approach: “include a 1 pixel image with … Read more.
Proxy server logs for incident response
When you do incident response, having access to detailed logs is crucial. One of those treasure troves is proxy server logs.
Proxy server logs contain the requests made by users and applications on your network. This includes not only the most obvious part, web site requests by users, but also application or service requests made to the internet (for example, application updates).
Ideally you have a transparent proxy, meaning that all outgoing requests … Read more.
Data Breaches and the Importance of Account Protection and Incident Response
I published an article about Data Breaches and the Importance of Account Protection and Incident Response on Security Intelligence.
Understanding Network Intrusions With The Cyber Kill Chain
I published an article on Understanding Network Intrusions With The Cyber Kill Chain on the Ipswitch blog.
The cyber kill chain is nothing new; in the article I give a very high-level overview of what the chain is and what defensive measures you can take against attacks that follow the cyber kill chain.
Malware scanning of web directories with OWASP WebMalwareScanner
One of the recent incidents I had to handle involved a compromised webhost. This allowed me to do some exploring of webshells on a WordPress site. In the aftermath of the investigation I searched for tools that could have helped with my tasks (evaluating which files might have been compromised).
One of the approaches I had in mind was to take a hash of every file and then verify that hash with VirusTotal. This would have worked in … Read more.
Using Bro for building Passive DNS data
Passive DNS describes an historical database of DNS resolutions. I’ve written a previous post on Using Passive DNS for Incident Response, more specifically combining it with Moloch.
If you run your own corporate (internal) nameservers, it makes sense to monitor what domains have been queried and what results were returned in the past. You can use the collection of internal queries for future incident response. You can use this collected information to cross-check with information … Read more.
Use Certificate Transparency for OSINT and passive reconnaissance
SANS ISC recently posted an article on The Dark Side of Certificate Transparency.
Certificate transparency means that participating certificate authorities will publish all certificates that they issue in a log. This information is public, meaning that you can search it at will.
The article already touches on one of the side effects of having this information publicly available. By publishing the information, organizations can disclose hostnames they would rather keep unknown on the internet.
There are … Read more.
Understanding the SPF and DKIM Spam Filtering Mechanisms
I published an article on the SPF and DKIM spam filtering mechanisms on IBM Security Intelligence: Understanding the SPF and DKIM Spam Filtering Mechanisms.
The article covers the basic details of these mechanisms but also explains some of the possible pitfalls for filtering spam with SPF and DKIM.