From threat intelligence to client scanning

An antivirus solution is an indispensable component in your defence arsenal but it does not protect you against all threats. Complimentary to an antivirus is Loki, an open-source IOC scanner. Loki is a scanner that allows you to search for intrusion activity such as

Network connections to C2 servers or malicious domains; Presence of files related to APT activity; Process anomalies such as malicious implants or patches in memory ; Credential dump activities; Checks forRead more.

A walkthrough of Watcher

One of the nice things of working in infosec is that there is always a new tool available to make your work easier. It can also cause a lot of frustration, as there is yet another new tool that you need to master. A tool I recently discovered is Watcher, a platform for discovering new cybersecurity threats targeting your organisation. Some of its key features include

Detecting emerging trends via social networks and RSS feeds;Read more.

RDP Honeypots

In a recent post the SANS ISC warned of an increase in RDP Scanning. Although the initially reported number was adjusted downward later, there is still an increase in exposed RDP servers. It would be interesting to track the volume of RDP scans, and the credentials used in the scan. Let’s run an RDP honeypot.

One of these RDP honeypots is written by Sylvain Peyrefitte, RDPY. RDPY is more than just a RDP honeypot. ItRead more.

GDPR and Apache logs, remove last octet of an IP address

For a new project I had to identify the source network of visitors of an http site, served via Apache. I did not need their individual IP address. This is something you’ll encounter when dealing with logs in light of the GDPR and having to store only the minimum amount of personal data necessary.

In essence it meant I needed a way to store the log requests and remove the last octet of the IPRead more.

Sync sightings between MISP instances

MISP sighting is a system allowing people to react on attributes on an event. It was originally designed to provide an easy method for users to tell when they see a given attribute, giving it more credibility. As such, the sighting system in MISP allows you to get feedback from your community on the quality of the data (the indicators).

There is not immediately an option within MISP to sync sightings between instances.You can syncRead more.

Dark Web TLS/SSL Certificates Highlight Need for Shift to Zero Trust Security

I published an article on the IBM SecurityIntelligence blog on Dark Web TLS/SSL Certificates Highlight Need for Shift to Zero Trust Security

The post has a very brief introduction to HTTPS and TLS/SS, takes a look at the ‘black market’ for TLS/SSL certificates and concludes with some protection measures that you can take.

Missed DNS Flag Day? It’s Not Too Late to Upgrade Your Domain Security

I published an article on the IBM SecurityIntelligence blog on Missed DNS Flag Day? It’s Not Too Late to Upgrade Your Domain Security. The post gives some insights on DNS Extension mechanisms, Backward Compatibility and DNS Flag Day and which steps you need to take to be (and remain) ready for DNS Flag Day. I also includes an introduction on other DNS features as DNS cookies and DNSSEC.

Breaking Down the Incident Notification Requirements in the EU’s NIS Directive

I published an article on the IBM SecurityIntelligence blog on Breaking Down the Incident Notification Requirements in the EU’s NIS Directive. The posts focus specifically on the aspects of incident notification contained in the NIS Directive as they apply to operators of essential services (OES).

Improving DNS logging, dnstap on Ubuntu

DNS logging and monitoring is important! Monitoring DNS logs allows you to analyze and detect C&C traffic and have access to crucial information to reduce the dwell time and detect breaches. Combined with Passive DNS it’s a very valuable data source to be used during incident response.

But DNS logging comes at a price. Every log operation requires the system to write out an entry to disk (besides also properly formatting the log string). ThisRead more.

Why You Need a BGP Hijack Response Plan!

I published an article on the IBM SecurityIntelligence blog on Why You Need a BGP Hijack Response Plan. The posts starts with an introduction to BGP, how BPG routing exactly works and what a BGP hijack is.

The bulk of this type of incident response plan is done during the preparation and detection phase, for the containment, eradication and recovery you will most likely have to depend on your upstream ISPs.