You are running a MISP instance and you want to visualize the MISP events in real-time?
MISP-Dashboard can do that! An example :
Vimeo video :
In this post I will walk you through how to setup MISP-Dashboard, based on the event data made available via botvrij.eu.
MISP-Dashboard is a new repository showing live data and statistics from the MISP ZMQ. It means you need to have MISP-ZMQ configured.
The MISP ZeroMQ plugin … Read more.
I published an article on IBM Security Intelligence on Basic Security Tools You Cannot Afford to Miss in Your Risk Management Program. The article covers essential, freely available, tools for doing security risk management.
I use a couple of Ubuntu Linux virtual machines via VMWare Fusion (OSX) for security testing. Some of the security tools have a web interface. Because I want to test with different environment setups I have /var/www/ mounted via Shared Folders on the host OSX. This has as advantage that
Files are stored centrally (on the host OS) Different environments can use the same files and configuration (if stored in /var/www) I can use native … Read more.
Shodan is a powerful tool for doing passive reconnaissance. It’s also a great source of information that you can put to good use to monitor your publicly available assets. Shodan acts as a search engine (also see: : What is Shodan.io?), whatever that is connected to the internet will get indexed by their crawlers.
I wrote a script that takes one parameter (ideally a string) and
Fetches the information that is available at Shodan for … Read more.
I’m a happy user of MISP, Malware Information Sharing Platform & Threat Sharing. MISP core already contains a lot of features to satisfy your needs when it concerns threat and information sharing. But there’s always room for improvement. If you submit a feature request, MISP can be extended with your request. However changing the core is not always desirable. Also sometimes you want some feature to work just the way you want it, this doesn’t … Read more.
One of the recent incidents I had to handle involved a compromised webhost. This allowed me to do some Exploring webshells on a WordPress site. In the aftermath of the investigation I searched for tools that could have improved my tasks (evaluating which files might have been compromised).
One of the approaches I had in mind was take a hash of every file and then verify that hash with Virustotal. This would have worked in … Read more.
Passive DNS describes an historical database of DNS resolutions. I’ve written a previous post on Using Passive DNS for Incident Response, more specifically combining it with Moloch.
If you run your own corporate -internal- nameservers it makes sense to monitor what domains have been queried and what results were returned in the past. You can use the collection of internal queries for future incident response. You can use this collected information to cross-check with information … Read more.
Dealing with security incidents is always a collaborative process, involving both your constituency and external players. There are a number of tools that help you with detecting (and preventing) incidents. One of those tools is for example the MISP – Malware Information Sharing Platform & Threat Sharing
But once you have an incident … how you deal with it? Everyone has (or should have) written their own incident response procedures but did you know that … Read more.
I did an earlier post on gathering open source intelligence with SpiderFoot. This post is a small update to incorporate the new version of Spiderfoot that was released recently.
A new version of Spiderfoot was recently released, including some extra modules. In my earlier post I described how I adjusted and added some modules. The new release of Spiderfoot contains part of my changes to the XForce module.
My initial change to Spiderfoot included a … Read more.
This is a short post, put here as a “reminder to self” on browser caching.
A colleague recently set up an HTTP sinkhole with Apache. The setup redirected all the user requests to one specific resource.
When deploying the sinkhole, the web server logs showed that the first requests where logged with HTTP status code 200 (“OK”). The next requests however were logged with HTTP status code 304 (“Not Modified”).
The HTTP 304 code basically … Read more.