MISP-Dashboard, real-time visualization of MISP events

You are running a MISP instance and you want to visualize the MISP events in real-time?

MISP-Dashboard can do that! An example :

Vimeo video :

In this post I will walk you through how to setup MISP-Dashboard, based on the event data made available via botvrij.eu.

MISP-Dashboard is a new repository showing live data and statistics from the MISP ZMQ. It means you need to have MISP-ZMQ configured.

The MISP ZeroMQ pluginRead more.

What I learned by attending FOR610: Reverse-Engineering Malware / part 1

I attended SANS FOR610: Reverse-Engineering Malware instructed by Jess Garcia in Copenhagen (Sep-17). I’m now studying for certification and using captured malware samples for doing exercises. In this post I go through

Using public (OSINT) information; Behavioural analysis with sandboxes (via a public malware sandbox); Malicious Office documents.

Note that the purpose of the exercise is not to understand in detail every line of code in the malware. The analysis is done from an incidentRead more.

Raise the Red Flag: Guidelines for Consuming and Verifying Indicators of Compromise

I published an article on IBM Security Intelligence on Raise the Red Flag: Guidelines for Consuming and Verifying Indicators of Compromise.

The articles covers how you can consume indicators of compromise (IOC) received via manual sharing. Although automatic sharing is preferred not all organisations have the resources to setup automatic sharing. Manual sharing is then a good fallback compared to not sharing at all.

The steps include source and content verification, context verification, sharing properties,Read more.

Dragonfly v2 : Mindmap on energy sector targeted by sophisticated attack group

Mid 2014 Symantec released a report on a threat actor Dragonfly targeting energy companies. Early September 2017 Symantec released an updated report on Dragonfly v2 where they describe that the threat actor shifted their attention from merely observing the environment to having remote access to the environment of energy providers.

This shift could indicate that the threat actor has a changed objective, from monitoring to actually intervening and potentially conducting sabotage.

I created two mindmapsRead more.

Monitor your public assets via Shodan

Shodan is a powerful tool for doing passive reconnaissance. It’s also a great source of information that you can put to good use to monitor your publicly available assets. Shodan acts as a search engine (also see: : What is Shodan.io?), whatever that is connected to the internet will get indexed by their crawlers.

I wrote a script that takes one parameter (ideally a string) and

Fetches the information that is available at Shodan forRead more.

NotPetya / ExPetr information

I updated my page on WannaCry with information on the latest NotPetya ransomware attack : https://www.wannacry.be.

Mindmap for CRASHOVERRIDE

Both Dragos and ESET released two reports on the analysis of malware attacking power grids.

According to Dragos the adversary group labeled as ELECTRUM is responsible for the cyber attack on the Ukraine electric grid in 2016.

I created a mindmap based on the info in the Dragos document. It’s available on https://github.com/cudeso/tools/tree/master/CRASHOVERRIDE

https://www.us-cert.gov/ncas/alerts/TA17-163A https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf https://dragos.com/blog/crashoverride/

WannaCry / Wcry / WannaCrypt help / advice

I compiled a list of -hopefully- useful tips and help for dealing with the WannaCry ransomware. I try to keep the page updated as soon as new information is available.

See https://www.wannacry.be/. Feedback is welcome!

What could have limited the impact of the WannaCry / Wcry / WannaCrypt ransomware?

A major wave of ransomware called WannaCry / Wcry / WannaCrypt has hit many organizations around the world, causing panic among many users, system administrators and security professionals. The details of the ransomware have been covered in detail at other posts

Everything you need to know about the WannaCry / Wcry / WannaCrypt ransomware Player 3 Has Entered the Game: Say Hello to ‘WannaCry’ Massive outbreak of ransomware variant infects large amounts of computers aroundRead more.

What is Shodan telling us about ICS in Belgium?

I have been using Shodan, “the world’s first search engine for Internet-connected devices”, since a long time. Recently I switched my free account to a membership account. A membership account allows you to do API queries with additional query filters (for example restricting search results to specific countries).

In this post I describe the results of querying the Shodan API for ICS (or related) devices in Belgium. These results are entirely based on what isRead more.