I published an article on IBM Security Intelligence on Basic Security Tools You Cannot Afford to Miss in Your Risk Management Program. The article covers essential, freely available, tools for doing security risk management.
Upgrading Apache, unmet dependencies
I use a couple of Ubuntu Linux virtual machines via VMWare Fusion (OSX) for security testing. Some of the security tools have a web interface. Because I want to test with different environment setups I have /var/www/ mounted via Shared Folders on the host OSX. This has as advantage that
Files are stored centrally (on the host OS) Different environments can use the same files and configuration (if stored in /var/www) I can use native … Read more.
Monitor your public assets via Shodan
Shodan is a powerful tool for doing passive reconnaissance. It’s also a great source of information that you can put to good use to monitor your publicly available assets. Shodan acts as a search engine (also see: : What is Shodan.io?), whatever that is connected to the internet will get indexed by their crawlers.
I wrote a script that takes one parameter (ideally a string) and
Fetches the information that is available at Shodan for … Read more.
Submit malware samples to VMRay via MISP
I’m a happy user of MISP, Malware Information Sharing Platform & Threat Sharing. MISP core already contains a lot of features to satisfy your needs when it concerns threat and information sharing. But there’s always room for improvement. If you submit a feature request, MISP can be extended with your request. However changing the core is not always desirable. Also sometimes you want some feature to work just the way you want it, this doesn’t … Read more.
Malware scanning of web directories with OWASP WebMalwareScanner
One of the recent incidents I had to handle involved a compromised webhost. This allowed me to do some Exploring webshells on a WordPress site. In the aftermath of the investigation I searched for tools that could have improved my tasks (evaluating which files might have been compromised).
One of the approaches I had in mind was take a hash of every file and then verify that hash with Virustotal. This would have worked in … Read more.
Using Bro for building Passive DNS data
Passive DNS describes an historical database of DNS resolutions. I’ve written a previous post on Using Passive DNS for Incident Response, more specifically combining it with Moloch.
If you run your own corporate -internal- nameservers it makes sense to monitor what domains have been queried and what results were returned in the past. You can use the collection of internal queries for future incident response. You can use this collected information to cross-check with information … Read more.
Using the Digital First Aid Kit for Incident Response
Dealing with security incidents is always a collaborative process, involving both your constituency and external players. There are a number of tools that help you with detecting (and preventing) incidents. One of those tools is for example the MISP – Malware Information Sharing Platform & Threat Sharing
But once you have an incident … how you deal with it? Everyone has (or should have) written their own incident response procedures but did you know that … Read more.
Doing open source intelligence with SpiderFoot (part 2)
I did an earlier post on gathering open source intelligence with SpiderFoot. This post is a small update to incorporate the new version of Spiderfoot that was released recently.
A new version of Spiderfoot was recently released, including some extra modules. In my earlier post I described how I adjusted and added some modules. The new release of Spiderfoot contains part of my changes to the XForce module.
My initial change to Spiderfoot included a … Read more.
HTTP 304 and Apache sinkhole
This is a short post, put here as a “reminder to self” on browser caching.
A colleague recently set up an HTTP sinkhole with Apache. The setup redirected all the user requests to one specific resource.
When deploying the sinkhole, the web server logs showed that the first requests where logged with HTTP status code 200 (“OK”). The next requests however were logged with HTTP status code 304 (“Not Modified”).
The HTTP 304 code basically … Read more.
Proper Script Management: A Practical Guide
I had a guest post published on Proper Script Management: A Practical Guide.
The post lists some best practices when developing your scripts and how to measure the performance of your scripts.
