I run a couple of honeypots which allow me to map some of the bad actors and scanners on the internet. The most popular honeypots are Dioanea, Cowrie (ssh, previously kippo) and Conpot (ICS). So far I’ve not really used this honeypot data that much for defensive purposes but a recent writeup on using ModSecurity and MISP gave me inspiration to transform this data into information that I can use as a defender.
The core … Read more.
I sometimes contribute to open source projects on Github. The workflow then often consist of creating a fork, adding my own code and then submitting pull requests.p
Unfortunately sometimes when you do this the upstream (meaning, the ‘original’ repository) has changed so much that it’s not possible to easily submit (or include) your changes. You then need to sync your fork with the upstream repository.
For what concerns the repositories related to MISP, these are … Read more.
MISP sighting is a system allowing people to react on attributes on an event. It was originally designed to provide an easy method for users to tell when they see a given attribute, giving it more credibility. As such, the sighting system in MISP allows you to get feedback from your community on the quality of the data (the indicators).
There is not immediately an option within MISP to sync sightings between instances.You can sync … Read more.
End 2016 I contributed a module to extend MISP, the Open Source Threat Intelligence and Sharing Platform, with malware analysis results from VMRay : Submit malware samples to VMRay via MISP. VMRay provides an agentless, hypervisor-based dynamic analysis approach to malware analysis. One of it great features is the API, allowing you to integrate it with other tools.
One of the drawbacks of the module was that it required a two step approach : first … Read more.
DNS logging and monitoring is important! Monitoring DNS logs allows you to analyze and detect C&C traffic and have access to crucial information to reduce the dwell time and detect breaches. Combined with Passive DNS it’s a very valuable data source to be used during incident response.
But DNS logging comes at a price. Every log operation requires the system to write out an entry to disk (besides also properly formatting the log string). This … Read more.
In my previous post I talked about using the nmap NSE scripts or Hydra to search for systems with default passwords. My approach involved two steps: first learn via Burp how the authentication works (getting to know the form elements etc.) and then use this information as input for the brute force scripts.
A colleague pointed out that you can also use Burp suite for this last step.
Similar as with the previous approach, first … Read more.
I wrote a follow-up on using Burp for both the analysis and attack phase : Hunt for devices with default passwords (with Burp).
Using a strong and unique password for authentication is a key element in security. Unfortunately there are still a lot of devices installed with a default password. This post describes how you can find the web interface of these devices.
Before we start, it’s to important to list the three different web … Read more.
I published an article on How to Use Passive DNS to Inform Your Incident Response on the Security Intelligence blog.
This article gives you an insight on the different logging options for DNS traffic and how the historical records in passive DNS can help you during incident response. I included references to generating passive DNS data based on your traffic and which options you have for consuming it from a client perspective.
Getting Active Directory security right can be a challenging task. Individual groups of computers or user privileges will most likely be properly configured but there are always some trade-offs that have to be made. Attackers will try to find an attack path by abusing the weaknesses that are caused by these trade-offs. Jumping from one host to another, compromising user accounts and abusing active sessions might get them to their final objectives. Whether this is … Read more.
The Drupal team released a security advisory for all Drupal sites recommending all these sites to upgrade to the latest Drupal version.
The discovered vulnerability could lead to remote code execution in Drupal 7.x and 8.x.
I have a mindmap on this vulnerability
Further information from Drupal can be found at
Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002 The FAQ on SA-CORE-2018-002
According to bojanz this vulnerability … Read more.