Cyber Resilience Strategy Changes You Should Know in the EU’s Digital Decade

I published an article on the IBM Security Intelligence blog : Cyber Resilience Strategy Changes You Should Know in the EU’s Digital Decade. The article describes the new EU Cybersecurity Strategy and one the proposal for a revised Directive on Security of Network and Information Systems

The EU Commission attempts to improve cyber resilience with the NIS2 Directive and provides an overview of cyber resilience challenges for 5G and IoT. Other topics discussed includeRead more.

Cybersecurity Ethics: Establishing a Code for Your SOC

I published an article on the IBM Security Intelligence blog : Cybersecurity Ethics: Establishing a Code for Your SOC. The article describes the dilemmas you can face when working in a SOC or doing incident response work.

The articles describes Cybersecurity Ethics Guidance Frameworks, Best Practices and a Practical Approach for Cybersecurity Ethics, including a set of commandments to adhere. For example

Do not use a computer to harm other people. Protect society andRead more.

5G – 101

A short introduction on 5G. What is 5G, why do we need it and where will it be used?

5g 101 from Koen Van Impe

If you want to read about the security threats on 5G then these are a couple of interesting resources:

Updated ENISA 5G Threat Landscape Report to Enhance 5G Security ENISA threat landscape for 5G Networks Cybersecurity of 5G networks EU Toolbox of risk mitigating measures

Handle phishing e-mails with a phishing alert button and TheHive

Your users are the first line of defence against threats, especially for what concerns phishing. One of the ways to get more involvement is offering a simple and easy way to report suspicious messages, such as phishing e-mails. You can do this via a phishing alert button that allows users to notify the helpdesk of a suspicious message. The technology behind such a button is straightforward:

Forward the message; Remove the message from the inbox.Read more.

How to Support Defenders with the Permissible Actions Protocol

In a previous article I described how to defend with the courses of action matrix and indicator lifecycle management. The courses of action matrix describes passive and active actions that defenders can take with a varying type of impact on the attacker (or intrusion). The Permissible Actions Protocol or PAP achieves something similar, but with a focus on what defenders are allowed to do.

PAP is a protocol that describes how much that we acceptRead more.

From threat intelligence to client scanning

An antivirus solution is an indispensable component in your defence arsenal but it does not protect you against all threats. Complimentary to an antivirus is Loki, an open-source IOC scanner. Loki is a scanner that allows you to search for intrusion activity such as

Network connections to C2 servers or malicious domains; Presence of files related to APT activity; Process anomalies such as malicious implants or patches in memory ; Credential dump activities; Checks forRead more.

A walkthrough of Watcher

One of the nice things of working in infosec is that there is always a new tool available to make your work easier. It can also cause a lot of frustration, as there is yet another new tool that you need to master. A tool I recently discovered is Watcher, a platform for discovering new cybersecurity threats targeting your organisation. Some of its key features include

Detecting emerging trends via social networks and RSS feeds;Read more.

RDP Honeypots

In a recent post the SANS ISC warned of an increase in RDP Scanning. Although the initially reported number was adjusted downward later, there is still an increase in exposed RDP servers. It would be interesting to track the volume of RDP scans, and the credentials used in the scan. Let’s run an RDP honeypot.

One of these RDP honeypots is written by Sylvain Peyrefitte, RDPY. RDPY is more than just a RDP honeypot. ItRead more.

GDPR and Apache logs, remove last octet of an IP address

For a new project I had to identify the source network of visitors of an http site, served via Apache. I did not need their individual IP address. This is something you’ll encounter when dealing with logs in light of the GDPR and having to store only the minimum amount of personal data necessary.

In essence it meant I needed a way to store the log requests and remove the last octet of the IPRead more.

Sync sightings between MISP instances

MISP sighting is a system allowing people to react on attributes on an event. It was originally designed to provide an easy method for users to tell when they see a given attribute, giving it more credibility. As such, the sighting system in MISP allows you to get feedback from your community on the quality of the data (the indicators).

There is not immediately an option within MISP to sync sightings between instances.You can syncRead more.