In most MISP instances the database (MySQL or MariaDB) is on a local network, either directly on the machine or on a local DB-cluster. As a lot of organisations are moving towards a “full cloud” environment, this also means that they want to start making use of the database features offered by their cloud providers.
Microsoft offers Azure Database for MySQL and in this post I list the (limited) steps required to migrate the MISP … Read more.
Zeek (formerly Bro) is a free and open-source software network analysis framework. It gives insights on DNS queries, HTTP and TLS information and details on transmitted files. I find Zeek one of the best network monitoring tools available to provide detailed visibility on network traffic.
Zeek has a built-in intelligence framework. This framework allows you to add information received via MISP directly into the network visibility capabilities of Zeek. This includes
Visits to URLs or … Read more.
I contributed to the ENISA Threat Landscape 2022. The ETL is an annual report on the status of the cybersecurity threat landscape. It identifies the top threats, major trends observed with respect to threats, threat actors and attack techniques, as well as impact and motivation analysis. It also describes relevant mitigation measures.
Get a copy of the ENISA Threat Landscape 2022.
The first edition of the Cyber Threat Intelligence Summit took place in Luxembourg in October 2022. I did two presentations:
One presentation on MISP web scraper, a tool to create MISP events and reports from scraped websites; and one presentation on building CTI Operational Procedures with Jupyter Notebooks and PyMISP.
The slides and recording are available on GitHub and Youtube.
Slides: https://github.com/cudeso/misp-tip-of-the-week/tree/main/CTIS-2022; Recording of CTI Operational Procedures with Jupyter Notebooks and PyMISP; Recording of MISP … Read more.
Chainsaw is a tool to rapidly search through large sets of Windows Event logs. In this post I briefly go through the steps that I take to collect, process and analyse logs from different Windows machines and then use them for analysing Windows Event logs. Obviously it’s always better to use centralised logging and apply your detection techniques centrally but unfortunately this isn’t always possible.
Although Chainsaw is available as a binary package … Read more.
I published an article on the MISP project website on the MISP web scraper.
There are a lot of websites that regularly publish reports on new threats, campaigns or actors with useful indicators, references and context information. Unfortunately only a few publish information in an easily accessible and structured format, such as a MISP-feed. As a result, we often find ourself manually scraping these sites, and then copy-pasting this information in new MISP events. These … Read more.
Analysing firewall rules in AWS can be complex. There are Security Groups (SG) as well as Access Control Lists (ACL). Security groups are applied on instances and are the first layer of defense, whereas access control lists are applied on network components (subnets) and are a second layer of defense. A major difference is that SGs are stateful, whereas ACLs are stateless. From a filtering perspective there is also a difference. In security groups all … Read more.
I recently finished the book “This Is How They Tell Me the World Ends: The Cyberweapons Arms Race” by Nicole Perlroth. The book covers the story of the cyberweapons market and how government agencies fuelled this economy, eventually making the Internet a less safer place for us all.
I added some notes of items of interest in a mindmap that are maybe of use for others. The map is not complete at all, feel free … Read more.
Sharing groups in MISP are a more granular way to create re-usable distribution lists for events/attributes that allow users to include organisations from their own instance (local organisations) as well as organisations from directly, or indirectly connected instances (external organisations).
For a possible future project I had to document if sharing groups are an answer for a sort of multi-tenancy for sharing threat events within MISP.
Sharing groups certainly provide an answer, as long as … Read more.
A short post with things to consider when integrating MISP threat intelligence with Microsoft Sentinel. There are two documentation resources that describe the integration in detail and should get you started in no-time:
External Connectors for MISP Integrating open source threat feeds with MISP and Sentinel
This error is caused by invalid client secret or missing client ID. One of the steps in the documentation involves creating a new secret. You then have to add … Read more.
Graphs made with cudeso posts stats
By continuing to use the site, you agree to the use of cookies. more information
An HTTP cookie, is a small piece of text sent from a website and stored in your web browser. Cookies are a reliable mechanism for websites to remember your preferences and improve your browsing experience.
If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.